Analysis Overview
SHA256
6677437ae63257d73f77e7ee3d16bcec0e8ee6900ac72510bc203e4df2d8f334
Threat Level: Known bad
The file 01 NOTIFICACION DEMANDA.REV was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 17:53
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win10v2004-20231222-en
Max time kernel
90s
Max time network
148s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4024 set thread context of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4244 set thread context of 4788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe
"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | poder.kozow.com | udp |
| US | 207.246.74.117:8000 | poder.kozow.com | tcp |
| US | 8.8.8.8:53 | 117.74.246.207.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\9c314050
| MD5 | dfa08207f02ddfe4570d3c34207fa29d |
| SHA1 | 8f3106ed9ba0144fd074d203cc4b3401f4ba3ede |
| SHA256 | df1e71eb055c0ccce8e025e471a191ab75e48f50f6237abaf7d857349ffadcfc |
| SHA512 | f913156f37472397dc51013c8830f5628623610a225f572cf437b90edb03b25580eb62aa7433d9432d0802cc135a94147685688e6bd7c7dde8fd4886853c2310 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5116 wrote to memory of 4248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5116 wrote to memory of 4248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5116 wrote to memory of 4248 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
Files
memory/4248-0-0x0000000002280000-0x000000000238F000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win7-20231215-en
Max time kernel
141s
Max time network
127s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win7-20231215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 356 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 356 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 356 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 356 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 356 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 356 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 356 wrote to memory of 2496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win7-20231215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2204 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2204 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2204 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2204 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2204 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2204 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2204 wrote to memory of 1720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 764 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 764 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win7-20231129-en
Max time kernel
121s
Max time network
146s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1848 set thread context of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1856 set thread context of 2588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe
"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | poder.kozow.com | udp |
| US | 207.246.74.117:8000 | poder.kozow.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\8614539c
| MD5 | 995b49f0996d84652be839a87a453dcf |
| SHA1 | 4c164e4063e4498c3a0d49700f4e0eb6e8fee50f |
| SHA256 | 01af61f2f961afb77b844821142a9f0d0984038afa6c71f423d216ea79962b5d |
| SHA512 | 7e5b28a6c7751c67a1442267925ae99ddb6375808507e13bf2c4ffd3d3887bef7799723ffc40ee76f49d2549b81e46ea73d4a039a7ee217d610cce6ad64f7bff |
Analysis: behavioral3
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win7-20231215-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
Network
Files
memory/3048-0-0x00000000002A0000-0x00000000003AF000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4472 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 4472 wrote to memory of 2044 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.psd | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.psd\ = "psd_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1808 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1808 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1808 wrote to memory of 2112 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2112 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2112 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2112 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2112 wrote to memory of 2836 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 2c4e6e2e7bce9e4d9e33bc3b836e3e19 |
| SHA1 | f7f0522eb755a59d6511fb57e73e54da95d9f8ae |
| SHA256 | 357b79ca06656b2d515adbb9507b0b8c6c67ede7a30735ba077b4bb7c5a2ab09 |
| SHA512 | 6a0a5b9d56241620c089b8d17c1cc9e44890eb1370751a406791c41d3cb2c5f9d876f7d6a6498f665a7146a1bbe711d992ed84be186292726c9f194e4fbbbb42 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-01-22 17:53
Reported
2024-01-22 17:56
Platform
win10v2004-20231215-en
Max time kernel
139s
Max time network
146s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5104 wrote to memory of 4768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5104 wrote to memory of 4768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5104 wrote to memory of 4768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
Network