Analysis
Max time kernel: 121s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 22/01/2024, 17:53
Tasks
Static task: static1

Behavioral tasks (task: sample / resource)
behavioral1: 01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA....exe / win7-20231129-en
behavioral2: 01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA....exe / win10v2004-20231222-en
behavioral3: 01 NOTIFICACION DEMANDA/Register.dll / win7-20231215-en
behavioral4: 01 NOTIFICACION DEMANDA/Register.dll / win10v2004-20231215-en
behavioral5: 01 NOTIFICACION DEMANDA/breakage.ogg / win7-20231215-en
behavioral6: 01 NOTIFICACION DEMANDA/breakage.ogg / win10v2004-20231215-en
behavioral7: 01 NOTIFICACION DEMANDA/fascinator.psd / win7-20231215-en
behavioral8: 01 NOTIFICACION DEMANDA/fascinator.psd / win10v2004-20231215-en
behavioral9: 01 NOTIFICACION DEMANDA/rtl120.dll / win7-20231215-en
behavioral10: 01 NOTIFICACION DEMANDA/rtl120.dll / win10v2004-20231215-en
behavioral11: 01 NOTIFICACION DEMANDA/vcl120.dll / win7-20231215-en
behavioral12: 01 NOTIFICACION DEMANDA/vcl120.dll / win10v2004-20231215-en
General
Target: 01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA....exe
Size: 135KB
MD5: a2d70fbab5181a509369d96b682fc641
SHA1: 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512: 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
SSDEEP: 1536:URLRDTAC1CMoR1CqabJWt7AQFYMGhw1ScCD28v2Vv428fmvxOuw03h9VC:URdV1CMoiqadTQFBGhw1ED28+94hGw
Malware Config
Extracted
Family: asyncrat
Version: | Edit 3LOSH RAT
Botnet: Default
C2: poder.kozow.com:8000
Mutex: AsyncMutex_Default
Attributes:
delay: 3
install: false
install_file: poder.exe
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
resource / yara_rule:
behavioral1/memory/2588-70-0x0000000000400000-0x0000000000416000-memory.dmp / asyncrat

Suspicious use of SetThreadContext (2 IoCs)
description / pid / Process / procid_target:
PID 1848 set thread context of 1856 / 1848 / 01 NOTIFICACION DEMANDA....exe / 28
PID 1856 set thread context of 2588 / 1856 / cmd.exe / 30

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid / Process:
1848 / 01 NOTIFICACION DEMANDA....exe
1848 / 01 NOTIFICACION DEMANDA....exe
1856 / cmd.exe
1856 / cmd.exe
2588 / MSBuild.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid / Process:
1848 / 01 NOTIFICACION DEMANDA....exe
1856 / cmd.exe
1856 / cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
Token: SeDebugPrivilege / 2588 / MSBuild.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
2588 / MSBuild.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description / pid / Process / procid_target:
PID 1848 wrote to memory of 1856 / 1848 / 01 NOTIFICACION DEMANDA....exe / 28 (5 occurrences)
PID 1856 wrote to memory of 2588 / 1856 / cmd.exe / 30 (6 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"
   PID: 1848
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 1848)
      Command line: C:\Windows\SysWOW64\cmd.exe
      PID: 1856
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 1856)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         PID: 2588
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15

Downloads
Filesize: 741KB
MD5: 995b49f0996d84652be839a87a453dcf
SHA1: 4c164e4063e4498c3a0d49700f4e0eb6e8fee50f
SHA256: 01af61f2f961afb77b844821142a9f0d0984038afa6c71f423d216ea79962b5d
SHA512: 7e5b28a6c7751c67a1442267925ae99ddb6375808507e13bf2c4ffd3d3887bef7799723ffc40ee76f49d2549b81e46ea73d4a039a7ee217d610cce6ad64f7bff