remcos | hxxps://docs[.]google[.]com/uc?export=download&id=1Pfa__kpg_oLasDz_3xXEkfJBhr5qPe1H

Resubmissions

18/04/2024, 06:27

240418-g75wsafa3x 10

18/04/2024, 06:22

240418-g4ynaseh5v 1

Analysis

max time kernel
129s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240412-es
resource tags

arch:x64arch:x86image:win10v2004-20240412-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18/04/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1Pfa__kpg_oLasDz_3xXEkfJBhr5qPe1H

Score

10^/10

remcos feliz persistence rat

Malware Config

Extracted

Family

remcos

Botnet

FELIZ

abril16.con-ip.com:7770

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QNIVJE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
4760	NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe
4324	NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SentinelOneIsCrap = "C:\\Users\\Admin\\Documents\\ChromeUpdate\\SentinelOne.exe"	NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4760	NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578952744658871"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4828	chrome.exe
4828	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4324	NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeRestorePrivilege	1200	7zG.exe
Token: 35	1200	7zG.exe
Token: SeSecurityPrivilege	1200	7zG.exe
Token: SeSecurityPrivilege	1200	7zG.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe
Token: SeShutdownPrivilege	4236	chrome.exe
Token: SeCreatePagefilePrivilege	4236	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
1200	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe
4236	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5104	OpenWith.exe
4324	NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1520	4236	chrome.exe	83
PID 4236 wrote to memory of 1520	4236	chrome.exe	83
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 2336	4236	chrome.exe	85
PID 4236 wrote to memory of 1340	4236	chrome.exe	86
PID 4236 wrote to memory of 1340	4236	chrome.exe	86
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87
PID 4236 wrote to memory of 1640	4236	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/uc?export=download&id=1Pfa__kpg_oLasDz_3xXEkfJBhr5qPe1H
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c268ab58,0x7ff9c268ab68,0x7ff9c268ab78
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:2
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:8
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4392 --field-trial-handle=1868,i,1096172131488560668,8321704973847719274,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024\" -spe -an -ai#7zMap336:148:7zEvent24057
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1200

C:\Users\Admin\Downloads\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe
"C:\Users\Admin\Downloads\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:4760
- C:\Users\Admin\Downloads\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe
  "C:\Users\Admin\Downloads\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
200B

MD5
518e6463086cdcd77f6f0364107bfb8e

SHA1
c1eb88b7e9f5aeefa9dbae9a50e10fa70dc4935b

SHA256
c802a90a7668ee807c3c4eeb077d3a686aee4509687b093f41f8ffd095a25ecc

SHA512
cee68b2ee4f72381847b64e0f09641dfdc6905135001f751e5d86c927e2687db8504f2a083c73f47812a113a0815473410180e7fd5e39ff4616e94ca480a2de5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
090efd64b3bb9b24f26b2b8bf07ace0e

SHA1
06bb3915db5800e739f1580620821461981c0021

SHA256
dc20445493678ae8741560735f25426b850fb237b506b47dcde59473a46651d5

SHA512
eaa55269d99b7bf83f6f83ab28dec9162e15973fe80e90bd4194b51d621a430a24a116d1653b1548eaa408b8138e04e71a362dcb3d69617b0f92362317912648

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
10f6628bff9cf3377d0d5bad2b36baeb

SHA1
b9a7f4d3f03f9ee996a6140a2f89eae542c5b29c

SHA256
4b75ed59aa580feb54c517ff6500c97d7d89d7841f8497b10b471e7c5923ae0b

SHA512
edc530fd815200b6fdc3d6d5219bac2360f52d9712504b64fae92ec77ea55931d87e71de67dc50097920cb53b6975b9626a74b0dbb6ffd4347acecd87ddb12ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
14260e1ee1021f6e105489928b982869

SHA1
fe36c31cf6f784fd72475945dc480af1315d683d

SHA256
6cb6fa5f85ab5d305fbf51d67f2cd8962248d1ed9ba36143be041ab94953e244

SHA512
3b95a5bfb164dd4a7c7347483c06974c24d217a999f462f6d941db3e7531c001f9dd40c56b8781dfba8e7171b975017eb773d9a8c7afb0874e1f5d97d162af32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
68186d3fefa45fbddbad89bc51cd773e

SHA1
a32e71c1c6b66392341ffb380a41b1360d9c74af

SHA256
bb1bedb01651280ac46035f8a7446610aaefb41d653720f4e6571dc8fff97dd5

SHA512
8271aba560dc2d2dd278e19cad9d19628f5ea262a7480f5e137889e59206329ea48fb74e4e47f0588b7d5998b71a281f939e0f6871bba6e491eeab47f22714b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
9bdc00a84fd39d85c3c28a6049331a58

SHA1
dc4eb191caa45b5a7ecb8a81fd8a4489a690749e

SHA256
57f435f6a015da71f3df8154c4995095907852f0117f9858bf1f499f8cd128d3

SHA512
ab07b3020caece574ea7587cacb2b9465393da4f4d79bbc0c8b24114fff5d4221688574f01bc9a269395cfadc84f1b850b867a46d7135ca27fb8b5dbd106b40d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
2d0cdf474cd53e574bc037971dae0432

SHA1
9af946acbdc1fa4f7c36a4aa6e3dc3bf4cc32293

SHA256
5242b6937ddf1e0d17c47fe8a289ca972f1afe554b19cd3a1b6cdc63654823a4

SHA512
866ea0ea9ea9b29aecc9ad7c81c1c32014ce81f089310d94d2bcbcb579e2f07b2e088502b6bfe54dbf2126b4bedac701ef22e7d567d0e6f67524820d64b17308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
b949839010c008dd28fb1305bd60ab85

SHA1
4399da5dfa75b52d213867bd6a177dfcd44774a2

SHA256
8d122e44d9b1d60c9fbdf05de011120eddfc915554819c28999817d7c1e1616f

SHA512
c9a22f49a8f7cf37f7ee1cc3778fa98706b5f4016bfbc48585247dc2e2c75b608bcf310127784b0933f9959619dee7e1a4bd524f84d023c32d9bbf2af6ee9a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
292KB

MD5
f50b7f17a226d225363b037507869af7

SHA1
a1175fe35e35caf4413a934641775b323501256b

SHA256
6edc47eda9e72c98afac0ab71877f8f98fab98a1f1ffd43ec3a629782e4975dc

SHA512
0c8e82e4bda0de0e5de7217e976cfcbe8081148ccc33f4f95b6baf82d3a7e1cd7c3475e153a845d506ba7fc9f23b8a160cbc2b8e268393c95c08f5e5a3cd46bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
931fc8a4f0b54a56d5c03a6f92cc8727

SHA1
724b6e842a240f4db390cbd2d2a3dd9ae1434a12

SHA256
48f4d9aaacc40c97eb8a97a0a81a0d0b669377a698cbf5d0c34a9093e3ef053c

SHA512
d623a3d887d82e1de96a45133ffab3fca8ab45cb3a0a5154fd38da488c86a533840eaaad167ce8d1f277e6354d0c57b1ceed1ede2200cf943faca0547316525c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e714.TMP

Filesize
99KB

MD5
6905df3f10113e5b2a58d3c07f9a897f

SHA1
b96712441f1cb58ce99ce46b035263c02fa5aa27

SHA256
983093bec28ea0e99bb4c83265876d4ec16a30693f12ebf31d4ef8f468c8d097

SHA512
a9b5c1ba48748ca4d38eaf42bee06f67dcc24ed798c9ea17d5459b9eba868fbf927ed00608a54664e82f76962465073222370eb2ace7487d74f23f5d201e0cb7

Download Submit
C:\Users\Admin\Downloads\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024.tar.crdownload

Filesize
2.0MB

MD5
14e97c831d3eb18a5fe6a708e7b70d0f

SHA1
634cfebdabf6fe48ceb2701728055fcf8f3794fe

SHA256
43599f53d07c79582db46154043054eeb2b447602b71a6501d8db203783febe7

SHA512
7819e277acb5bd4e98af1ddd0ae4e82bd6259df1b797853fb8ba7f260d9d3051d58bede5d5df49ed8e1035f353ca364861ee4ad8be5aa040928cfb45a8716787

Download Submit
C:\Users\Admin\Downloads\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024\NOTIFICACIÓN DEL FALLO; RAD.7653890012-2024..exe

Filesize
5.6MB

MD5
f9b72e996ccc1c986f2468db04b4a400

SHA1
3e14d328e245b47d461cec8d0638089d078f084e

SHA256
5bd63bb82d4fd00638c75bff15500e8c4a9b08dff87d092a1c3933726a2f834e

SHA512
c24bac019024583c5db59dde31fc4ea2f098597c3eb1353fc2c8640bab889d6bc06dc72e6146124444798ec82e9c80d2e70eca0c4e6399c5fc625d8a3233084b

Download Submit
memory/4324-122-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-111-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4324-114-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-116-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-118-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-119-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-171-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-121-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-123-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-170-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-165-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4324-164-0x00000000009A0000-0x0000000000A22000-memory.dmp

Filesize
520KB

Download
memory/4760-109-0x0000000000400000-0x0000000000998000-memory.dmp

Filesize
5.6MB

Download
memory/4760-110-0x0000000000400000-0x0000000000998000-memory.dmp

Filesize
5.6MB

Download
memory/4760-108-0x0000000000400000-0x0000000000998000-memory.dmp

Filesize
5.6MB

Download
memory/4760-115-0x0000000000400000-0x0000000000998000-memory.dmp

Filesize
5.6MB

Download
memory/4760-107-0x0000000000400000-0x0000000000998000-memory.dmp

Filesize
5.6MB

Download