Overview
overview
10Static
static
101 NOTIFIC......exe
windows7-x64
1001 NOTIFIC......exe
windows10-2004-x64
1001 NOTIFIC...er.dll
windows7-x64
101 NOTIFIC...er.dll
windows10-2004-x64
101 NOTIFIC...ge.ogg
windows7-x64
101 NOTIFIC...ge.ogg
windows10-2004-x64
701 NOTIFIC...or.psd
windows7-x64
301 NOTIFIC...or.psd
windows10-2004-x64
301 NOTIFIC...20.dll
windows7-x64
101 NOTIFIC...20.dll
windows10-2004-x64
101 NOTIFIC...20.dll
windows7-x64
101 NOTIFIC...20.dll
windows10-2004-x64
1Analysis
-
max time kernel
90s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
22/01/2024, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA....exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA....exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
01 NOTIFICACION DEMANDA/Register.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
01 NOTIFICACION DEMANDA/Register.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
01 NOTIFICACION DEMANDA/breakage.ogg
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
01 NOTIFICACION DEMANDA/breakage.ogg
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
01 NOTIFICACION DEMANDA/fascinator.psd
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
01 NOTIFICACION DEMANDA/fascinator.psd
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
01 NOTIFICACION DEMANDA/rtl120.dll
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
01 NOTIFICACION DEMANDA/rtl120.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
01 NOTIFICACION DEMANDA/vcl120.dll
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
01 NOTIFICACION DEMANDA/vcl120.dll
Resource
win10v2004-20231215-en
General
-
Target
01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA....exe
-
Size
135KB
-
MD5
a2d70fbab5181a509369d96b682fc641
-
SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
-
SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
-
SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
-
SSDEEP
1536:URLRDTAC1CMoR1CqabJWt7AQFYMGhw1ScCD28v2Vv428fmvxOuw03h9VC:URdV1CMoiqadTQFBGhw1ED28+94hGw
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
Default
poder.kozow.com:8000
AsyncMutex_Default
-
delay
3
-
install
false
-
install_file
poder.exe
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/4788-27-0x0000000000710000-0x0000000000726000-memory.dmp asyncrat -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4024 set thread context of 4244 4024 01 NOTIFICACION DEMANDA....exe 88 PID 4244 set thread context of 4788 4244 cmd.exe 98 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4024 01 NOTIFICACION DEMANDA....exe 4024 01 NOTIFICACION DEMANDA....exe 4244 cmd.exe 4244 cmd.exe 4788 MSBuild.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 4024 01 NOTIFICACION DEMANDA....exe 4244 cmd.exe 4244 cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4788 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4788 MSBuild.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4024 wrote to memory of 4244 4024 01 NOTIFICACION DEMANDA....exe 88 PID 4024 wrote to memory of 4244 4024 01 NOTIFICACION DEMANDA....exe 88 PID 4024 wrote to memory of 4244 4024 01 NOTIFICACION DEMANDA....exe 88 PID 4024 wrote to memory of 4244 4024 01 NOTIFICACION DEMANDA....exe 88 PID 4244 wrote to memory of 4788 4244 cmd.exe 98 PID 4244 wrote to memory of 4788 4244 cmd.exe 98 PID 4244 wrote to memory of 4788 4244 cmd.exe 98 PID 4244 wrote to memory of 4788 4244 cmd.exe 98 PID 4244 wrote to memory of 4788 4244 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4788
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
741KB
MD5dfa08207f02ddfe4570d3c34207fa29d
SHA18f3106ed9ba0144fd074d203cc4b3401f4ba3ede
SHA256df1e71eb055c0ccce8e025e471a191ab75e48f50f6237abaf7d857349ffadcfc
SHA512f913156f37472397dc51013c8830f5628623610a225f572cf437b90edb03b25580eb62aa7433d9432d0802cc135a94147685688e6bd7c7dde8fd4886853c2310