Malware Analysis Report

2025-06-16 02:15

Sample ID 240122-wgq29sbfeq
Target 01 NOTIFICACION DEMANDA.REV
SHA256 6677437ae63257d73f77e7ee3d16bcec0e8ee6900ac72510bc203e4df2d8f334
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral4, behavioral5, behavioral9, behavioral11, behavioral12, behavioral1, behavioral3, behavioral6, behavioral7, behavioral8, behavioral10 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

6677437ae63257d73f77e7ee3d16bcec0e8ee6900ac72510bc203e4df2d8f334

Threat Level: Known bad

The file 01 NOTIFICACION DEMANDA.REV (Spanish: "lawsuit notification", a legal-themed lure) was found to be: Known bad.

The sample was unpacked to C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\ and each member was detonated separately: the executable 01 NOTIFICACION DEMANDA....exe (behavioral1, behavioral2); Register.dll, rtl120.dll and vcl120.dll through rundll32.exe (behavioral3, behavioral4, behavioral9, behavioral10, behavioral11, behavioral12; the latter two names match the Delphi/C++Builder 2009 RTL and VCL runtime packages); breakage.ogg (behavioral5, behavioral6); and fascinator.psd (behavioral7, behavioral8). Only the executable runs produced the AsyncRAT detection: the executable sets the thread context of a cmd.exe child, which in turn sets the thread context of MSBuild.exe, a chain consistent with process hollowing (ATT&CK T1055.012); MSBuild.exe then enables SeDebugPrivilege, and the run connects to poder.kozow.com (207.246.74.117:8000/tcp). The remaining detonations show only the host application chosen for each file type (VLC, Adobe Reader, OpenWith.exe) and the 64-bit to 32-bit rundll32.exe relaunch, none of which is malicious on its own.

Malicious Activity Summary

asyncrat default rat
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 17:53

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4024 set thread context of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | C:\Windows\SysWOW64\cmd.exe
PID 4244 set thread context of 4788 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
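The SetThreadContext rows above form a two-hop chain: the executable rewrites a thread in a cmd.exe it created, and that cmd.exe does the same to MSBuild.exe, which is the shape of process hollowing (ATT&CK T1055.012) with MSBuild.exe as the final host (T1127.001). The Python below is an added example, not code from the sandbox or this report: it parses signature rows in the flattened form the report uses, reconstructs the chain, and separates it from the benign case seen in the rundll32 detonations, where the 64-bit rundll32.exe writes start-up data into the 32-bit rundll32.exe it spawned. The row grammar, the rule for splitting two space-containing paths, and the HOLLOW_HOSTS list are assumptions; the sample rows are copied from the behavioral2 and behavioral4 tables.

```python
"""Reconstruct a process-hollowing chain from sandbox signature rows.

Added example, not code from the sandbox report. SAMPLE_EVENTS is copied from the
behavioral2 and behavioral4 signature tables; the event model, the path-splitting
rule and HOLLOW_HOSTS are assumptions.
"""
import re
from collections import defaultdict

# Constructed from the report: two SetThreadContext rows (behavioral2) and one
# WriteProcessMemory row (behavioral4, rundll32 relaunching its 32-bit twin).
SAMPLE_EVENTS = r"""
PID 4024 set thread context of 4244 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe C:\Windows\SysWOW64\cmd.exe
PID 4244 set thread context of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5116 wrote to memory of 4248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) N/A (?P<rest>.+)$"
)

# Assumption: images that .NET RAT loaders commonly hollow out.
HOLLOW_HOSTS = {
    "cmd.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "vbc.exe", "csc.exe", "applaunch.exe",
}


def parse_events(text):
    """Turn 'PID a <verb> b N/A <src path> <dst path>' rows into dicts.

    Both paths may contain spaces, so they are split on the whitespace that
    precedes a drive letter ('X:\\'), not on arbitrary whitespace.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        paths = re.split(r"\s(?=[A-Za-z]:\\)", m["rest"])
        if len(paths) != 2:
            continue
        verb = "set_thread_context" if m["verb"].startswith("set") else "write_process_memory"
        events.append({
            "src": int(m["src"]), "dst": int(m["dst"]), "verb": verb,
            "src_image": paths[0], "dst_image": paths[1],
        })
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def hollowing_chains(events):
    """Follow SetThreadContext edges from each root PID down to the leaves."""
    ctx = [e for e in events if e["verb"] == "set_thread_context"]
    image = {}
    nxt = defaultdict(list)
    for e in ctx:
        image[e["src"]] = e["src_image"]
        image[e["dst"]] = e["dst_image"]
        nxt[e["src"]].append(e["dst"])
    targets = {e["dst"] for e in ctx}
    roots = list(dict.fromkeys(e["src"] for e in ctx if e["src"] not in targets))

    chains = []

    def walk(pid, path):
        if not nxt.get(pid):
            chains.append(path)
            return
        for child in nxt[pid]:
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return [[(pid, basename(image[pid])) for pid in chain] for chain in chains]


def assess(events):
    """Map reconstructed chains and lone memory writes to findings."""
    findings = []
    for chain in hollowing_chains(events):
        hosts = [name.lower() for _, name in chain[1:]]
        if len(chain) >= 2 and any(h in HOLLOW_HOSTS for h in hosts):
            findings.append({
                "severity": "high",
                "technique": "T1055.012",  # Process Injection: Process Hollowing
                "chain": " -> ".join(f"{pid}:{name}" for pid, name in chain),
            })
    for e in events:
        if (e["verb"] == "write_process_memory"
                and basename(e["src_image"]).lower() == basename(e["dst_image"]).lower()):
            findings.append({
                "severity": "info",
                "technique": None,
                "chain": f'{e["src"]}:{basename(e["src_image"])} -> {e["dst"]}:{basename(e["dst_image"])}',
                "note": "same-image parent/child write (64-bit host relaunching its 32-bit twin)",
            })
    return findings


if __name__ == "__main__":
    for finding in assess(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Feeding the behavioral1 rows (PIDs 1848, 1856, 2588) through the same parser yields the same chain with different PIDs, which is the property worth alerting on: the images and the order, not the PIDs.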

Processes

C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | - | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | poder.kozow.com | udp
US | 207.246.74.117:8000 | poder.kozow.com | tcp
US | 8.8.8.8:53 | 117.74.246.207.in-addr.arpa | udp

The in-addr.arpa rows are reverse lookups the OS issues for peers it talks to; 117.74.246.207.in-addr.arpa is the reverse lookup of the C2 address 207.246.74.117. The C2 indicator is the forward lookup of poder.kozow.com followed by the TCP connection to 207.246.74.117:8000. The 52.142.223.178:80 connection has no domain tied to it and no signature; comparable unnamed port-80 connections (138.91.171.81:80) occur in detonations that produced no malicious finding (behavioral8, behavioral10), so it should not be treated as C2 on this report alone.
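The network table mixes resolver traffic, reverse lookups and real connections, and the Domain column is empty wherever the sandbox tied no DNS answer to a connection. The Python below is an added example, not code from the report: it parses rows in exactly that flattened format, cross-references each reverse lookup against the connection targets, isolates the named C2 endpoint and emits a pair of Suricata rules for it. The row grammar, the resolver list and the rule text are assumptions; the sample rows are a subset of the behavioral2 table above.

```python
"""Triage the flattened 'Network' rows of a sandbox report and emit IDS rules.

Added example, not code from the sandbox report. SAMPLE_ROWS is a subset of the
behavioral2 network table; the row grammar, RESOLVERS and the Suricata rule
skeleton are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Rows are "Country Destination Domain Proto"; Domain is absent when the sandbox
# could not tie a DNS answer to the connection (the NL row below).
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Constructed from the behavioral2 table above.
SAMPLE_ROWS = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 poder.kozow.com udp
US 207.246.74.117:8000 poder.kozow.com tcp
US 8.8.8.8:53 117.74.246.207.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8"}  # assumption: the sandbox's configured DNS forwarder


@dataclass(frozen=True)
class Flow:
    cc: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text):
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return flows


def classify(flow):
    """Separate DNS chatter from connections that actually carry data."""
    if flow.ip in RESOLVERS and flow.port == 53 and flow.proto == "udp":
        if flow.domain and flow.domain.endswith(".in-addr.arpa"):
            return "rdns"  # reverse lookup; the OS does these for many peers
        return "dns-query"
    return "named-connection" if flow.domain else "unnamed-connection"


def rdns_target(domain):
    """'117.74.246.207.in-addr.arpa' -> '207.246.74.117'"""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_c2(flows):
    """Named outbound connections, cross-checked against the reverse lookups."""
    rdns_ips = {rdns_target(f.domain) for f in flows if classify(f) == "rdns"}
    return [
        {"domain": f.domain, "ip": f.ip, "port": f.port, "proto": f.proto,
         "rdns_seen": f.ip in rdns_ips}
        for f in flows if classify(f) == "named-connection"
    ]


def suricata_rules(c2, sid_base=9000001):
    """One DNS rule and one connection rule per C2 entry (Suricata 5+ keywords)."""
    rules = []
    for i, c in enumerate(c2):
        sid = sid_base + 2 * i
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"AsyncRAT C2 lookup {c["domain"]}"; '
            f'dns.query; content:"{c["domain"]}"; nocase; sid:{sid}; rev:1;)'
        )
        rules.append(
            f'alert {c["proto"]} $HOME_NET any -> {c["ip"]} {c["port"]} '
            f'(msg:"AsyncRAT C2 connection {c["domain"]}"; flow:to_server; '
            f'sid:{sid + 1}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    flows = parse_rows(SAMPLE_ROWS)
    for f in flows:
        print(f"{classify(f):18} {f.ip}:{f.port} {f.domain or '-'}")
    for rule in suricata_rules(extract_c2(flows)):
        print(rule)
```

The unnamed 52.142.223.178:80 row is deliberately left out of the rule set: with no domain and no signature attached, it is not attributable to the sample from this report alone. Dynamic-DNS hostnames such as poder.kozow.com re-point easily, so the DNS rule is the durable one and the IP rule should carry a review date.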

Files

memory/4024-0-0x0000000000740000-0x0000000000741000-memory.dmp

memory/4024-1-0x00000000027D0000-0x00000000028DF000-memory.dmp

memory/4024-2-0x0000000075060000-0x00000000751DB000-memory.dmp

memory/4024-3-0x00007FFE4AD50000-0x00007FFE4AF45000-memory.dmp

memory/4024-9-0x0000000075060000-0x00000000751DB000-memory.dmp

memory/4024-10-0x0000000075060000-0x00000000751DB000-memory.dmp

memory/4024-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4244-13-0x0000000075060000-0x00000000751DB000-memory.dmp

memory/4024-16-0x0000000050120000-0x000000005030D000-memory.dmp

memory/4024-15-0x0000000050000000-0x0000000050116000-memory.dmp

memory/4024-17-0x00000000027D0000-0x00000000028DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9c314050

MD5 dfa08207f02ddfe4570d3c34207fa29d
SHA1 8f3106ed9ba0144fd074d203cc4b3401f4ba3ede
SHA256 df1e71eb055c0ccce8e025e471a191ab75e48f50f6237abaf7d857349ffadcfc
SHA512 f913156f37472397dc51013c8830f5628623610a225f572cf437b90edb03b25580eb62aa7433d9432d0802cc135a94147685688e6bd7c7dde8fd4886853c2310

memory/4244-18-0x00007FFE4AD50000-0x00007FFE4AF45000-memory.dmp

memory/4244-20-0x0000000075060000-0x00000000751DB000-memory.dmp

memory/4244-21-0x0000000075060000-0x00000000751DB000-memory.dmp

memory/4244-23-0x0000000075060000-0x00000000751DB000-memory.dmp

memory/4788-24-0x00000000734F0000-0x0000000074744000-memory.dmp

memory/4788-27-0x0000000000710000-0x0000000000726000-memory.dmp

memory/4788-28-0x0000000072D40000-0x00000000734F0000-memory.dmp

memory/4788-29-0x0000000004D90000-0x0000000004DA0000-memory.dmp

memory/4788-30-0x0000000005550000-0x0000000005AF4000-memory.dmp

memory/4788-31-0x0000000005140000-0x00000000051D2000-memory.dmp

memory/4788-32-0x0000000005110000-0x000000000511A000-memory.dmp

memory/4788-35-0x00000000062A0000-0x000000000633C000-memory.dmp

memory/4788-36-0x0000000006340000-0x00000000063A6000-memory.dmp

memory/4788-37-0x0000000072D40000-0x00000000734F0000-memory.dmp

memory/4788-38-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5116 wrote to memory of 4248 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

The 64-bit C:\Windows\system32\rundll32.exe relaunches the 32-bit C:\Windows\SysWOW64\rundll32.exe when asked to load a 32-bit DLL, and a parent writes start-up data into a child it has just created; sandboxes report that as WriteProcessMemory. Without a SetThreadContext or remote-thread event against the child this is not evidence of injection.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp

Files

memory/4248-0-0x0000000002280000-0x000000000238F000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win7-20231215-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Network

N/A

Files

memory/2060-5-0x000000013FCF0000-0x000000013FDE8000-memory.dmp

memory/2060-6-0x000007FEF8030000-0x000007FEF8064000-memory.dmp

memory/2060-7-0x000007FEF6690000-0x000007FEF6944000-memory.dmp

memory/2060-8-0x000007FEFBE20000-0x000007FEFBE38000-memory.dmp

memory/2060-9-0x000007FEF8180000-0x000007FEF8197000-memory.dmp

memory/2060-10-0x000007FEF8080000-0x000007FEF8091000-memory.dmp

memory/2060-11-0x000007FEF7360000-0x000007FEF7377000-memory.dmp

memory/2060-12-0x000007FEF7340000-0x000007FEF7351000-memory.dmp

memory/2060-13-0x000007FEF7320000-0x000007FEF733D000-memory.dmp

memory/2060-14-0x000007FEF6E40000-0x000007FEF6E51000-memory.dmp

memory/2060-15-0x000007FEF6490000-0x000007FEF6690000-memory.dmp

memory/2060-17-0x000007FEF6D60000-0x000007FEF6D81000-memory.dmp

memory/2060-16-0x000007FEF6D90000-0x000007FEF6DCF000-memory.dmp

memory/2060-18-0x000007FEF53E0000-0x000007FEF648B000-memory.dmp

memory/2060-19-0x000007FEF6D40000-0x000007FEF6D58000-memory.dmp

memory/2060-20-0x000007FEF6D20000-0x000007FEF6D31000-memory.dmp

memory/2060-21-0x000007FEF6D00000-0x000007FEF6D11000-memory.dmp

memory/2060-23-0x000007FEF6CC0000-0x000007FEF6CDB000-memory.dmp

memory/2060-22-0x000007FEF6CE0000-0x000007FEF6CF1000-memory.dmp

memory/2060-24-0x000007FEF53C0000-0x000007FEF53D1000-memory.dmp

memory/2060-25-0x000007FEF53A0000-0x000007FEF53B8000-memory.dmp

memory/2060-26-0x000007FEF5370000-0x000007FEF53A0000-memory.dmp

memory/2060-27-0x000007FEF5300000-0x000007FEF5367000-memory.dmp

memory/2060-28-0x000007FEF5290000-0x000007FEF52FF000-memory.dmp

memory/2060-29-0x000007FEF5270000-0x000007FEF5281000-memory.dmp

memory/2060-30-0x000007FEF5210000-0x000007FEF526C000-memory.dmp

memory/2060-31-0x000007FEF51B0000-0x000007FEF5206000-memory.dmp

memory/2060-32-0x000007FEF5180000-0x000007FEF51A8000-memory.dmp

memory/2060-33-0x000007FEF5150000-0x000007FEF5174000-memory.dmp

memory/2060-34-0x000007FEF5130000-0x000007FEF5147000-memory.dmp

memory/2060-35-0x000007FEF5100000-0x000007FEF5123000-memory.dmp

memory/2060-36-0x000007FEF50E0000-0x000007FEF50F1000-memory.dmp

memory/2060-41-0x000007FEF4F10000-0x000007FEF504B000-memory.dmp

memory/2060-42-0x000007FEF4EE0000-0x000007FEF4F0C000-memory.dmp

memory/2060-40-0x000007FEF5050000-0x000007FEF5062000-memory.dmp

memory/2060-39-0x000007FEF5070000-0x000007FEF5083000-memory.dmp

memory/2060-38-0x000007FEF5090000-0x000007FEF50B1000-memory.dmp

memory/2060-43-0x000007FEF4D20000-0x000007FEF4ED2000-memory.dmp

memory/2060-37-0x000007FEF50C0000-0x000007FEF50D2000-memory.dmp

memory/2060-44-0x000007FEF4D00000-0x000007FEF4D11000-memory.dmp

memory/2060-45-0x000007FEF4C60000-0x000007FEF4CF7000-memory.dmp

memory/2060-46-0x000007FEF4C40000-0x000007FEF4C52000-memory.dmp

memory/2060-47-0x000007FEF4A00000-0x000007FEF4C31000-memory.dmp

memory/2060-48-0x000007FEF48E0000-0x000007FEF49F2000-memory.dmp

memory/2060-53-0x000007FEF47C0000-0x000007FEF47D1000-memory.dmp

memory/2060-56-0x000007FEF46E0000-0x000007FEF477F000-memory.dmp

memory/2060-55-0x000007FEF4780000-0x000007FEF4793000-memory.dmp

memory/2060-54-0x000007FEF47A0000-0x000007FEF47B2000-memory.dmp

memory/2060-57-0x000007FEF46C0000-0x000007FEF46D1000-memory.dmp

memory/2060-52-0x000007FEF47E0000-0x000007FEF4841000-memory.dmp

memory/2060-51-0x000007FEF4850000-0x000007FEF4861000-memory.dmp

memory/2060-50-0x000007FEF4870000-0x000007FEF4895000-memory.dmp

memory/2060-62-0x000007FEF4530000-0x000007FEF4542000-memory.dmp

memory/2060-61-0x000007FEF4550000-0x000007FEF4561000-memory.dmp

memory/2060-68-0x000007FEF4460000-0x000007FEF4471000-memory.dmp

memory/2060-67-0x000007FEF4480000-0x000007FEF4491000-memory.dmp

memory/2060-66-0x000007FEF44A0000-0x000007FEF44B2000-memory.dmp

memory/2060-65-0x000007FEF44C0000-0x000007FEF44E9000-memory.dmp

memory/2060-64-0x000007FEF44F0000-0x000007FEF4506000-memory.dmp

memory/2060-63-0x000007FEF4510000-0x000007FEF4528000-memory.dmp

memory/2060-60-0x000007FEF4570000-0x000007FEF4581000-memory.dmp

memory/2060-59-0x000007FEF4590000-0x000007FEF45A1000-memory.dmp

memory/2060-58-0x000007FEF45B0000-0x000007FEF46B2000-memory.dmp

memory/2060-49-0x000007FEF48A0000-0x000007FEF48D5000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win7-20231215-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 1720 (7 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

(The 64-bit rundll32.exe writing start-up data into the 32-bit rundll32.exe it spawned to load a 32-bit DLL; not injection on its own.)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

148s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 764 wrote to memory of 5052 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

(The 64-bit rundll32.exe writing start-up data into the 32-bit rundll32.exe it spawned to load a 32-bit DLL; not injection on its own.)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win7-20231129-en

Max time kernel

121s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1848 set thread context of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | C:\Windows\SysWOW64\cmd.exe
PID 1856 set thread context of 2588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 1856 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe | C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 2588 (6 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA....exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | poder.kozow.com | udp
US | 207.246.74.117:8000 | poder.kozow.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp

Files

memory/1848-0-0x00000000032C0000-0x00000000033CF000-memory.dmp

memory/1848-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1848-2-0x00000000742B0000-0x0000000074424000-memory.dmp

memory/1848-3-0x0000000076D60000-0x0000000076F09000-memory.dmp

memory/1848-9-0x00000000742B0000-0x0000000074424000-memory.dmp

memory/1848-10-0x00000000742B0000-0x0000000074424000-memory.dmp

memory/1848-12-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8614539c

MD5 995b49f0996d84652be839a87a453dcf
SHA1 4c164e4063e4498c3a0d49700f4e0eb6e8fee50f
SHA256 01af61f2f961afb77b844821142a9f0d0984038afa6c71f423d216ea79962b5d
SHA512 7e5b28a6c7751c67a1442267925ae99ddb6375808507e13bf2c4ffd3d3887bef7799723ffc40ee76f49d2549b81e46ea73d4a039a7ee217d610cce6ad64f7bff

memory/1856-14-0x00000000742B0000-0x0000000074424000-memory.dmp

memory/1848-15-0x0000000050000000-0x0000000050116000-memory.dmp

memory/1848-16-0x0000000050120000-0x000000005030D000-memory.dmp

memory/1848-17-0x00000000032C0000-0x00000000033CF000-memory.dmp

memory/1856-18-0x0000000076D60000-0x0000000076F09000-memory.dmp

memory/1856-63-0x00000000742B0000-0x0000000074424000-memory.dmp

memory/1856-64-0x00000000742B0000-0x0000000074424000-memory.dmp

memory/1856-67-0x00000000742B0000-0x0000000074424000-memory.dmp

memory/2588-66-0x00000000722E0000-0x0000000073342000-memory.dmp

memory/2588-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2588-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2588-70-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2588-71-0x0000000073990000-0x000000007407E000-memory.dmp

memory/2588-72-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

memory/2588-85-0x0000000073990000-0x000000007407E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2148 wrote to memory of 3048 (7 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

(The 64-bit rundll32.exe writing start-up data into the 32-bit rundll32.exe it spawned to load a 32-bit DLL; not injection on its own.)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Network

N/A

Files

memory/3048-0-0x00000000002A0000-0x00000000003AF000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

154s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4472 wrote to memory of 2044 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe

Everything in this detonation comes from cmd.exe handing the .ogg file to its registered handler (VLC) and from VLC's own media-player behaviour (clipboard listener, window hooks); the memory write is the parent's start-up write into the child it created. None of it is attributable to the sample.

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/2044-5-0x00007FF6AEBE0000-0x00007FF6AECD8000-memory.dmp

memory/2044-6-0x00007FFD3C310000-0x00007FFD3C344000-memory.dmp

memory/2044-7-0x00007FFD2D360000-0x00007FFD2D614000-memory.dmp

memory/2044-8-0x00007FFD3C6E0000-0x00007FFD3C6F8000-memory.dmp

memory/2044-9-0x00007FFD3C250000-0x00007FFD3C267000-memory.dmp

memory/2044-10-0x00007FFD3C230000-0x00007FFD3C241000-memory.dmp

memory/2044-11-0x00007FFD3C210000-0x00007FFD3C227000-memory.dmp

memory/2044-12-0x00007FFD3C1F0000-0x00007FFD3C201000-memory.dmp

memory/2044-13-0x00007FFD3C1D0000-0x00007FFD3C1ED000-memory.dmp

memory/2044-14-0x00007FFD3C1B0000-0x00007FFD3C1C1000-memory.dmp

memory/2044-15-0x00007FFD2CFA0000-0x00007FFD2D1A0000-memory.dmp

memory/2044-16-0x00007FFD2BEF0000-0x00007FFD2CF9B000-memory.dmp

memory/2044-17-0x00007FFD3BB10000-0x00007FFD3BB4F000-memory.dmp

memory/2044-18-0x00007FFD3BAE0000-0x00007FFD3BB01000-memory.dmp

memory/2044-19-0x00007FFD3BAC0000-0x00007FFD3BAD8000-memory.dmp

memory/2044-20-0x00007FFD3BAA0000-0x00007FFD3BAB1000-memory.dmp

memory/2044-22-0x00007FFD37110000-0x00007FFD37121000-memory.dmp

memory/2044-21-0x00007FFD3A990000-0x00007FFD3A9A1000-memory.dmp

memory/2044-23-0x00007FFD370F0000-0x00007FFD3710B000-memory.dmp

memory/2044-24-0x00007FFD33020000-0x00007FFD33031000-memory.dmp

memory/2044-27-0x00007FFD2BA60000-0x00007FFD2BAC7000-memory.dmp

memory/2044-29-0x00007FFD2DC30000-0x00007FFD2DC41000-memory.dmp

memory/2044-39-0x00007FFD2B7F0000-0x00007FFD2B803000-memory.dmp

memory/2044-40-0x00007FFD2B7D0000-0x00007FFD2B7E2000-memory.dmp

memory/2044-38-0x00007FFD2B810000-0x00007FFD2B831000-memory.dmp

memory/2044-37-0x00007FFD2B840000-0x00007FFD2B852000-memory.dmp

memory/2044-36-0x00007FFD2B860000-0x00007FFD2B871000-memory.dmp

memory/2044-35-0x00007FFD2B880000-0x00007FFD2B8A3000-memory.dmp

memory/2044-41-0x00007FFD2B690000-0x00007FFD2B7CB000-memory.dmp

memory/2044-34-0x00007FFD2B8B0000-0x00007FFD2B8C7000-memory.dmp

memory/2044-33-0x00007FFD2B8D0000-0x00007FFD2B8F4000-memory.dmp

memory/2044-32-0x00007FFD2B900000-0x00007FFD2B928000-memory.dmp

memory/2044-42-0x00007FFD2B660000-0x00007FFD2B68C000-memory.dmp

memory/2044-46-0x00007FFD2B3C0000-0x00007FFD2B3D2000-memory.dmp

memory/2044-45-0x00007FFD2B3E0000-0x00007FFD2B477000-memory.dmp

memory/2044-44-0x00007FFD2B480000-0x00007FFD2B491000-memory.dmp

memory/2044-47-0x00007FFD2B180000-0x00007FFD2B3B1000-memory.dmp

memory/2044-43-0x00007FFD2B4A0000-0x00007FFD2B652000-memory.dmp

memory/2044-48-0x00007FFD2B020000-0x00007FFD2B132000-memory.dmp

memory/2044-49-0x00007FFD2AF70000-0x00007FFD2AFA5000-memory.dmp

memory/2044-50-0x00007FFD2AF40000-0x00007FFD2AF65000-memory.dmp

memory/2044-51-0x00007FFD2AF20000-0x00007FFD2AF31000-memory.dmp

memory/2044-31-0x00007FFD2B930000-0x00007FFD2B986000-memory.dmp

memory/2044-30-0x00007FFD2B990000-0x00007FFD2B9EC000-memory.dmp

memory/2044-28-0x00007FFD2B9F0000-0x00007FFD2BA5F000-memory.dmp

memory/2044-26-0x00007FFD2DC50000-0x00007FFD2DC80000-memory.dmp

memory/2044-25-0x00007FFD2DC80000-0x00007FFD2DC98000-memory.dmp

memory/2044-52-0x00007FFD2AEB0000-0x00007FFD2AF11000-memory.dmp

memory/2044-53-0x00007FFD2AE90000-0x00007FFD2AEA1000-memory.dmp

memory/2044-54-0x00007FFD2AE70000-0x00007FFD2AE82000-memory.dmp

memory/2044-55-0x00007FFD2AE50000-0x00007FFD2AE63000-memory.dmp

memory/2044-56-0x00007FFD2ADB0000-0x00007FFD2AE4F000-memory.dmp

memory/2044-58-0x00007FFD2AC80000-0x00007FFD2AD82000-memory.dmp

memory/2044-57-0x00007FFD2AD90000-0x00007FFD2ADA1000-memory.dmp

memory/2044-59-0x00007FFD2AC60000-0x00007FFD2AC71000-memory.dmp

memory/2044-60-0x00007FFD2AC40000-0x00007FFD2AC51000-memory.dmp

memory/2044-68-0x00007FFD2AB30000-0x00007FFD2AB41000-memory.dmp

memory/2044-67-0x00007FFD2AB50000-0x00007FFD2AB61000-memory.dmp

memory/2044-66-0x00007FFD2AB70000-0x00007FFD2AB82000-memory.dmp

memory/2044-65-0x00007FFD2AB90000-0x00007FFD2ABB9000-memory.dmp

memory/2044-64-0x00007FFD2ABC0000-0x00007FFD2ABD6000-memory.dmp

memory/2044-63-0x00007FFD2ABE0000-0x00007FFD2ABF8000-memory.dmp

memory/2044-62-0x00007FFD2AC00000-0x00007FFD2AC12000-memory.dmp

memory/2044-61-0x00007FFD2AC20000-0x00007FFD2AC31000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win7-20231215-en

Max time kernel

122s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.psd | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.psd\ = "psd_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\psd_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A

Every key here is written by rundll32.exe running shell32.dll,OpenAs_RunDLL (see Processes below), i.e. the "Open with" dialog recording Adobe Reader as the handler for the unknown .psd extension in the user hive. This is the sandbox interacting with the lure file, not persistence set up by the malware.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 2c4e6e2e7bce9e4d9e33bc3b836e3e19
SHA1 f7f0522eb755a59d6511fb57e73e54da95d9f8ae
SHA256 357b79ca06656b2d515adbb9507b0b8c6c67ede7a30735ba077b4bb7c5a2ab09
SHA512 6a0a5b9d56241620c089b8d17c1cc9e44890eb1370751a406791c41d3cb2c5f9d876f7d6a6498f665a7146a1bbe711d992ed84be186292726c9f194e4fbbbb42

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

153s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-22 17:53

Reported

2024-01-22 17:56

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

146s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5104 wrote to memory of 4768 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

(The 64-bit rundll32.exe writing start-up data into the 32-bit rundll32.exe it spawned to load a 32-bit DLL; not injection on its own.)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 138.91.171.81:80 | - | tcp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp

Files

N/A