remcos | hxxps://secure-web[.]cisco[.]com/1u_juZC0xW3O1Pw4vFDGs7oFLcmWn3InUM5-GxoywTMv2v48ccsxYkLJAj-YpkOPai8YB6RFENEewDP4yRcjjFviYSnLjBWS2YbqQMiXlZHg7oYRTnQ7Z267R3HSww-KFJjSJvHcYMOnFBDhW4iwihyMnrq0wdqAsjh-tu5UTChSpf2vWtDwVxW6zudZRnabQwUD7QlJTpXt254lsecIT8v1z4aVodkpPzc3sXGeh-8lcCjQGQb_GOtWWChGXKpGg8t-D3WSZZRyo4-NsRJK55lE3MiXMetoy6T_5s0CTQcvXhgzXbCjt1UM__YCH69CiKGAE719LQYoJypPtzHeGnjm1lcMlHuiZhFIj29hl9ILiNwgv-_WfuHgZAWra-b05On_hvwyOAQS4fbeAp3JPBbp7znFK-VzQ9_cB21jnn_E/https%3A%2F%2Fdocs[.]google[.]com%2Fuc%3Fexport%3Ddownload%26id%3D1ojop0zqMK98RZz7K5ZGPztGgnRRvhIYH

Analysis

max time kernel
289s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://secure-web.cisco.com/1u_juZC0xW3O1Pw4vFDGs7oFLcmWn3InUM5-GxoywTMv2v48ccsxYkLJAj-YpkOPai8YB6RFENEewDP4yRcjjFviYSnLjBWS2YbqQMiXlZHg7oYRTnQ7Z267R3HSww-KFJjSJvHcYMOnFBDhW4iwihyMnrq0wdqAsjh-tu5UTChSpf2vWtDwVxW6zudZRnabQwUD7QlJTpXt254lsecIT8v1z4aVodkpPzc3sXGeh-8lcCjQGQb_GOtWWChGXKpGg8t-D3WSZZRyo4-NsRJK55lE3MiXMetoy6T_5s0CTQcvXhgzXbCjt1UM__YCH69CiKGAE719LQYoJypPtzHeGnjm1lcMlHuiZhFIj29hl9ILiNwgv-_WfuHgZAWra-b05On_hvwyOAQS4fbeAp3JPBbp7znFK-VzQ9_cB21jnn_E/https%3A%2F%2Fdocs.google.com%2Fuc%3Fexport%3Ddownload%26id%3D1ojop0zqMK98RZz7K5ZGPztGgnRRvhIYH

Score

10^/10

remcos campeon rat

Malware Config

Extracted

Family

remcos

Botnet

CAMPEON

millon777.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ECXMFE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 1 IoCs

pid	Process
3788	DERECHO PETICIÓN OFICIO No. 56700-32456.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 1312	3788	DERECHO PETICIÓN OFICIO No. 56700-32456.exe	127

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4832	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133435075479686739"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe
Token: SeShutdownPrivilege	3696	chrome.exe
Token: SeCreatePagefilePrivilege	3696	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3360	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe
3696	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1312	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 3636	3696	chrome.exe	16
PID 3696 wrote to memory of 3636	3696	chrome.exe	16
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4400	3696	chrome.exe	90
PID 3696 wrote to memory of 4180	3696	chrome.exe	91
PID 3696 wrote to memory of 4180	3696	chrome.exe	91
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92
PID 3696 wrote to memory of 4016	3696	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://secure-web.cisco.com/1u_juZC0xW3O1Pw4vFDGs7oFLcmWn3InUM5-GxoywTMv2v48ccsxYkLJAj-YpkOPai8YB6RFENEewDP4yRcjjFviYSnLjBWS2YbqQMiXlZHg7oYRTnQ7Z267R3HSww-KFJjSJvHcYMOnFBDhW4iwihyMnrq0wdqAsjh-tu5UTChSpf2vWtDwVxW6zudZRnabQwUD7QlJTpXt254lsecIT8v1z4aVodkpPzc3sXGeh-8lcCjQGQb_GOtWWChGXKpGg8t-D3WSZZRyo4-NsRJK55lE3MiXMetoy6T_5s0CTQcvXhgzXbCjt1UM__YCH69CiKGAE719LQYoJypPtzHeGnjm1lcMlHuiZhFIj29hl9ILiNwgv-_WfuHgZAWra-b05On_hvwyOAQS4fbeAp3JPBbp7znFK-VzQ9_cB21jnn_E/https%3A%2F%2Fdocs.google.com%2Fuc%3Fexport%3Ddownload%26id%3D1ojop0zqMK98RZz7K5ZGPztGgnRRvhIYH
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd1309758,0x7ffdd1309768,0x7ffdd1309778
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3320 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4540 --field-trial-handle=1912,i,18218892840921799313,7869457298841970324,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5080

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9122:140:7zEvent31942
1⤵
- Suspicious use of FindShellTrayWindow
PID:3360

C:\Users\Admin\Downloads\DERECHO PETICIÓN OFICIO No. 56700-32456.exe
"C:\Users\Admin\Downloads\DERECHO PETICIÓN OFICIO No. 56700-32456.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  PID:832
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\Downloads\DERECHO PETICIÓN OFICIO No. 56700-32456.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
132B

MD5
5040257912ea366453bc0ed6af996cd1

SHA1
2b8660dec4dfa1368ff9c1ef913913b38e8e980a

SHA256
be719339beed6424f297d4c9b885a40707551b833d49b2ccc231f1036659574d

SHA512
f19e52ae04fc86d27cb9dc277284f80b0774828b040560fbe268771efd2630b2ad0aa915796a1a55b8fd7ab4b03adb99eaf8c886514b1065e2f9dcb1b357129c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bdefb0054b1b2d8df5ce73c03999b850

SHA1
7c4897f86e670b29385b12118fad1071781e042a

SHA256
716d48c4f82bfc857d37c966712f7956fd402fab6f238bd906a43b2bb8242c5f

SHA512
616ae64ef38a74bef330485feca0705e7a787c2f1ca115cc10197884f1e9029d2fbcc5d27e4d95d72f1d1d98b8abdf0fcfc3b5ec749d663bd6ea6a6e16076843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e54eea3d5713ef926571fcd69db3321f

SHA1
4ceb18ffbb1a19e50292b06a19793552f5ab76f1

SHA256
b5621ad768c8a50479cb23fab44eb2d7f69cce8dce020252289413d48e375529

SHA512
2bced425f65672d16a95414900e16d75ad2ff6d9b5411c90c18fd59f3b73ad7966ecdabaf26e5c8dcc7e708dd2880a78288fd503dadaa65f6fc7ee0c935b3c81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
11401d2c6eac1dda5a532a54f6503cdd

SHA1
20ff0208623ba47ca1c420a8eb4c5caa1345f487

SHA256
da1dacd727b0eaf84759efa27c8f56cb0cca854c798d72f967e2580c4808488f

SHA512
a9d49b69aa2b0b976080848fbfde0a3aedf5048a9bf8c5b6401160d8585147e5896b4e7d0638ead732f09db3cc0e5fa20752a0a53d1b469a6788365cd7b873ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d7a73a0e-fdab-4598-9972-20f23b7a5f6b.tmp

Filesize
539B

MD5
e0f75be05a8bea2824e22be4bf24f7f0

SHA1
5a3e4b4b7ee7c761b766e609e039dc10b429d636

SHA256
ef552d4f1013535b45ef3dbc360bdbc3e2cd05e76f6e8fd21064d1d8dd9cdb8c

SHA512
618f1034a9fd568f9ee207dfdd3cca1dbaeb56f77b411f6eab3fbbb2d06fbbdb858c97391722cea77e4bbd6332ab7e07ac9fb6fe7e860e54f98faf98b933fe75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bcd417784072c243c58b858a5be2b665

SHA1
83c69146e32a74d7d9d03c6f25b8092bd208ec48

SHA256
2408acb86b1ec694b90e1f156669235b612ad312870dbe7121143ea02b1d07d3

SHA512
6bfae9f96594c2872675015820af05e5c5726449e088d64d0fe2f05f5cb9c37e43c349b8d584c6ff670a11721f07e07d3b8d269f992ea249fb03bb2f99acb7f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b68739ba0d7a4ce3f781575aa2a25c01

SHA1
3111b2991c3bb453e946b2f17a3d4e3a484e9ff5

SHA256
95b6b5a86de0c52049c55f2e5127e221d8e5fbd0aaf14efb857840ce495dbbc2

SHA512
8713a97ff6ce4c05afb2a01fbe0121be09d5a50e35a92303f5f207c331a920d0476dbb1f2b05aa40bef7d9dd4155d0a0129cd1156f8b86e71d51dbb5c71c48a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
f12592d6373808853ce8749b79ba6a4b

SHA1
bda7da91aa5e1ddbf9d855887861f01c2798012f

SHA256
887d17f8af7da7ad6ba8f10bf8765c20e2d4bdf4fb58ed55a14db816b96ec074

SHA512
9aacf4c0812c725e21900d158f47ff65d0fc5d48e8df4942b991f09d45013584bc1d56b3ae836f0b2b60a0f5d4922dd40844c4e9dc190aa07e24e0457e573345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\DERECHO PETICIÓN OFICIO No. 56700-32456.exe

Filesize
1100.0MB

MD5
8ee9e3281cc9731179f97b5ac4b7dd47

SHA1
febadcbedcd87600488033c7aca8176e9cde1054

SHA256
d1ea9fb46fcf54976e8ffda4fcf498968eb913e79e0681d1bdcb3fae0e4f06d7

SHA512
31fbe8b090dcd381a2a31d63a7d8669bb1e46c6aaa3258da9f9ea0959e82f1056b324a4b0df24167c9d7e5e1d3d1a7ea086532d13d708bbe184d8e8e193162e4

Download Submit
C:\Users\Admin\Downloads\DERECHO PETICIÓN OFICIO No. 56700-32456.exe

Filesize
1100.0MB

MD5
8ee9e3281cc9731179f97b5ac4b7dd47

SHA1
febadcbedcd87600488033c7aca8176e9cde1054

SHA256
d1ea9fb46fcf54976e8ffda4fcf498968eb913e79e0681d1bdcb3fae0e4f06d7

SHA512
31fbe8b090dcd381a2a31d63a7d8669bb1e46c6aaa3258da9f9ea0959e82f1056b324a4b0df24167c9d7e5e1d3d1a7ea086532d13d708bbe184d8e8e193162e4

Download Submit
C:\Users\Admin\Downloads\DERECHO PETICIÓN OFICIO No. 56700-32456.tar

Filesize
1.3MB

MD5
f301ef40e29b35fb1e2716fe6050ba8d

SHA1
c9a664c62256992af612a34113b7927563a3ba06

SHA256
c7cd7c4fa83f6bde4aa89b7a26f5a5535f5a21c98f8a6593324cb6cde31ad7d7

SHA512
a82f47ff654c575d409d6224c404e0ab5e2337dedd74ce991b077ad43fc2473e1c3f882d6c22c83548b12ff243475e404cb02044a42e840d1c04096c7a15d111

Download Submit
C:\Users\Admin\Downloads\DERECHO PETICIÓN OFICIO No. 56700-32456.tar.crdownload

Filesize
1.3MB

MD5
f301ef40e29b35fb1e2716fe6050ba8d

SHA1
c9a664c62256992af612a34113b7927563a3ba06

SHA256
c7cd7c4fa83f6bde4aa89b7a26f5a5535f5a21c98f8a6593324cb6cde31ad7d7

SHA512
a82f47ff654c575d409d6224c404e0ab5e2337dedd74ce991b077ad43fc2473e1c3f882d6c22c83548b12ff243475e404cb02044a42e840d1c04096c7a15d111

Download Submit
memory/1312-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1312-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-92-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3788-93-0x0000000000930000-0x00000000009BE000-memory.dmp

Filesize
568KB

Download
memory/3788-103-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3788-94-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download