Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 24/01/2024, 12:45

Static task: static1

Behavioral task: behavioral1
  Sample: 01 NOTIFICACION DEMANDA.7z
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 01 NOTIFICACION DEMANDA.7z
  Resource: win10v2004-20231215-en
General

Target: 01 NOTIFICACION DEMANDA.7z
Size: 1.8MB
MD5: 498acf51d16a7172a9a58ba29c66d706
SHA1: 244616a8aee45f52c461da8e7d9cf495c88645db
SHA256: 3caa7e5f3acd124de99d931f6044a67868e716235463ac7d5d6bd6be69aa48b5
SHA512: e2a59b5aea09cb571b4b5c6b3b6e03536f8c334c108653b0ba388e0a1bc0d0ae7ea430a9968d8cc2b7e31771cb2bf6813e8dac5a782988e1d4874d82df911f3c
SSDEEP: 24576:Riyl5SoUORKhKgz2Sm/mye6IhA/xb9czSBoz/P2qzyyHilMpQ0dv0omvRcSEDthJ:YFhbzO+ye6II0uBgRGyHf2W9PicJTgU
Malware Config

Extracted
  Family: asyncrat
  Version: | Edit 3LOSH RAT
  Botnet: Default
  C2: mono2024.kozow.com:2727
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%
Signatures

Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/584-97-0x0000000000400000-0x0000000000416000-memory.dmp | asyncrat
  behavioral1/memory/584-99-0x0000000004750000-0x0000000004790000-memory.dmp | asyncrat

Executes dropped EXE (1 IoCs)
  pid | Process
  1364 | 01 NOTIFICACION DEMANDA .....exe

Loads dropped DLL (3 IoCs)
  pid | Process
  1364 | 01 NOTIFICACION DEMANDA .....exe
  1364 | 01 NOTIFICACION DEMANDA .....exe
  1364 | 01 NOTIFICACION DEMANDA .....exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1364 set thread context of 2028 | 1364 | 01 NOTIFICACION DEMANDA .....exe | 36
  PID 2028 set thread context of 584 | 2028 | cmd.exe | 38

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  1364 | 01 NOTIFICACION DEMANDA .....exe
  1364 | 01 NOTIFICACION DEMANDA .....exe
  2028 | cmd.exe
  2028 | cmd.exe
  584 | MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2196 | 7zFM.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  1364 | 01 NOTIFICACION DEMANDA .....exe
  2028 | cmd.exe
  2028 | cmd.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2196 | 7zFM.exe
  Token: 35 | 2196 | 7zFM.exe
  Token: SeSecurityPrivilege | 2196 | 7zFM.exe
  Token: SeDebugPrivilege | 584 | MSBuild.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2196 | 7zFM.exe
  2196 | 7zFM.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  584 | MSBuild.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 2488 wrote to memory of 2196 | 2488 | cmd.exe | 29
  PID 2488 wrote to memory of 2196 | 2488 | cmd.exe | 29
  PID 2488 wrote to memory of 2196 | 2488 | cmd.exe | 29
  PID 1364 wrote to memory of 2028 | 1364 | 01 NOTIFICACION DEMANDA .....exe | 36
  PID 1364 wrote to memory of 2028 | 1364 | 01 NOTIFICACION DEMANDA .....exe | 36
  PID 1364 wrote to memory of 2028 | 1364 | 01 NOTIFICACION DEMANDA .....exe | 36
  PID 1364 wrote to memory of 2028 | 1364 | 01 NOTIFICACION DEMANDA .....exe | 36
  PID 1364 wrote to memory of 2028 | 1364 | 01 NOTIFICACION DEMANDA .....exe | 36
  PID 2028 wrote to memory of 584 | 2028 | cmd.exe | 38
  PID 2028 wrote to memory of 584 | 2028 | cmd.exe | 38
  PID 2028 wrote to memory of 584 | 2028 | cmd.exe | 38
  PID 2028 wrote to memory of 584 | 2028 | cmd.exe | 38
  PID 2028 wrote to memory of 584 | 2028 | cmd.exe | 38
  PID 2028 wrote to memory of 584 | 2028 | cmd.exe | 38
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"
  PID: 2488
  - Suspicious use of WriteProcessMemory

  C:\Program Files\7-Zip\7zFM.exe (child of PID 2488)
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"
    PID: 2196
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1088

C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe
  Command line: "C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"
  PID: 1364
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (child of PID 1364)
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 2028
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 2028)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      PID: 584
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads