Analysis Overview
SHA256
94630838f483aeb0ea5255d20136f07430295dfbe6ada99c811543cd65c2103d
Threat Level: Known bad
The file LITIGALCAL20231108.rar was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-15 19:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-15 19:49
Reported
2023-11-15 19:51
Platform
win7-20231023-en
Max time kernel
122s
Max time network
153s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zjpelav = "C:\\Users\\Admin\\AppData\\Roaming\\Zjpelav.exe" | C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2136 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe
"C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sebastianzapatadns.con-ip.com | udp |
| CO | 181.131.216.141:4040 | sebastianzapatadns.con-ip.com | tcp |
Files
memory/2136-0-0x0000000000130000-0x00000000001AC000-memory.dmp
memory/2136-1-0x0000000074640000-0x0000000074D2E000-memory.dmp
memory/2136-2-0x0000000000270000-0x00000000002BA000-memory.dmp
memory/2136-3-0x0000000004940000-0x0000000004980000-memory.dmp
memory/2136-4-0x0000000000670000-0x00000000006A2000-memory.dmp
memory/2136-5-0x0000000001EF0000-0x0000000001F20000-memory.dmp
memory/2136-6-0x0000000004880000-0x00000000048CC000-memory.dmp
memory/2136-7-0x0000000074640000-0x0000000074D2E000-memory.dmp
memory/2136-8-0x0000000004940000-0x0000000004980000-memory.dmp
memory/3068-10-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3068-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3068-12-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3068-13-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3068-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3068-16-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2136-18-0x0000000074640000-0x0000000074D2E000-memory.dmp
memory/3068-19-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3068-21-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3068-22-0x00000000745C0000-0x0000000074CAE000-memory.dmp
memory/3068-23-0x00000000006B0000-0x00000000006F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabDB73.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/3068-40-0x00000000745C0000-0x0000000074CAE000-memory.dmp
memory/3068-41-0x00000000006B0000-0x00000000006F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-15 19:49
Reported
2023-11-15 19:51
Platform
win10v2004-20231023-en
Max time kernel
137s
Max time network
153s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zjpelav = "C:\\Users\\Admin\\AppData\\Roaming\\Zjpelav.exe" | C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2760 set thread context of 3772 | N/A | C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe
"C:\Users\Admin\AppData\Local\Temp\LITIGALCAL20231108.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.113.22.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.254.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evergonzalezdominio.con-ip.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| CO | 181.131.216.141:4040 | evergonzalezdominio.con-ip.com | tcp |
| US | 8.8.8.8:53 | 141.216.131.181.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/2760-0-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2760-1-0x00000000002A0000-0x000000000031C000-memory.dmp
memory/2760-2-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
memory/2760-3-0x00000000053E0000-0x000000000542A000-memory.dmp
memory/2760-4-0x0000000002810000-0x0000000002842000-memory.dmp
memory/2760-5-0x0000000005530000-0x0000000005560000-memory.dmp
memory/2760-6-0x0000000005560000-0x00000000055AC000-memory.dmp
memory/2760-7-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/2760-8-0x0000000004EE0000-0x0000000004EF0000-memory.dmp
memory/2760-9-0x0000000005B60000-0x0000000006104000-memory.dmp
memory/3772-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2760-14-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/3772-13-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/3772-15-0x0000000005170000-0x0000000005180000-memory.dmp
memory/3772-18-0x00000000059E0000-0x0000000005A7C000-memory.dmp
memory/3772-19-0x0000000005AF0000-0x0000000005B56000-memory.dmp
memory/3772-20-0x0000000074F00000-0x00000000756B0000-memory.dmp
memory/3772-21-0x0000000005170000-0x0000000005180000-memory.dmp