Malware Analysis Report

2025-06-16 02:15

Sample ID 240124-pzfwpaaegq
Target 01 NOTIFICACION DEMANDA.REV
SHA256 3caa7e5f3acd124de99d931f6044a67868e716235463ac7d5d6bd6be69aa48b5
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3caa7e5f3acd124de99d931f6044a67868e716235463ac7d5d6bd6be69aa48b5

Threat Level: Known bad

The file 01 NOTIFICACION DEMANDA.REV was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 12:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 12:45

Reported

2024-01-24 12:48

Platform

win7-20231215-en

Max time kernel

149s

Max time network

149s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1364 set thread context of 2028 | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 set thread context of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2488 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 2488 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 2488 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 1364 wrote to memory of 2028 | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2028 | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2028 | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2028 | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2028 | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2028 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2028 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2028 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2028 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2028 wrote to memory of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe

"C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mono2024.kozow.com | udp
US | 45.32.161.144:2727 | mono2024.kozow.com | tcp

Files

C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe

MD5 a2d70fbab5181a509369d96b682fc641
SHA1 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\vcl120.bpl

MD5 df684bd24b9960648777eeb9afec86fd
SHA1 27afb649f506f2bbdbc24be3b98537d16e611e44
SHA256 f8f1feb8fd8f9e1121cd9c18af0dc68dee97e6217b08e5b4e33a0ab6863f247a
SHA512 b13314b33f10322918a425873d9338d1c9551adc9c0caf94d532e3bcd86237a224aa62c663dab88dd2561748e0862df6e5a6e608e9d0a542d0f8215613f6ed17

C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\vcl120.bpl

MD5 12d1ad41daeadcac4ff9335e7de438be
SHA1 950cdd8e143167eefc75070f8f31bab4cbc19858
SHA256 4661add2632c304b82d6c1140f6037663e58b077dd42ba36fcdf4e10d082f08a
SHA512 70503e980905065d036260188db677521d8b884485962c8a34567b5edcc11720ebe77adcac0608b69530f7ba247f05c1ec345a2e0117ff622e2329a3cd3aaad9

\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\rtl120.bpl

MD5 7bafa5953bb05ddd2c0ae92eb80cf6ea
SHA1 8eed04748bddf54f707aa5988670f647c5d745a9
SHA256 37c4ea59b22485d7c46aa64356d85821601c972c01f778ecc201b79ca5a9ba66
SHA512 5e3813e885ec60977333670384f39f309689ca7a6ec0d98b03efbe88da86b0e7f731933628171fd1510f407a150b175359ebe845a335222a78bef3980e477fa2

C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\rtl120.bpl

MD5 adf82ed333fb5567f8097c7235b0e17f
SHA1 e6ccaf016fc45edcdadeb40da64c207ddb33859f
SHA256 d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
SHA512 2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

memory/1364-45-0x00000000024A0000-0x00000000025AF000-memory.dmp

\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\Register.dll

MD5 dd001e7a2f751f6c9e8c40e23307d102
SHA1 22fdeab3d891334e2e27d970b3a5680d45cb3371
SHA256 e2b66236119bfea1571f423a721b1c4495b2363a0af83b8ec2ea728b4fdd7d7a
SHA512 ee9591e952028aab264ed6fa51369bb5c8d7aee4eaf735fd2f78b4559e2d07791d4d9777478d93be9de8952fa70105d9c431a48d380eebe637138fa188d7aae7

C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\fascinator.psd

MD5 41ed9f6378365fa37addbe5503911712
SHA1 8ef5324560d71fd78ec08bd6c7c15d8285f573ae
SHA256 43f2fb19d5d22b02465b8147d4dfff119bbdfa81feac91403827c2aa71c11175
SHA512 5c157a826c1373fc127ea521e515a382dd425aa586590dd15ada3e48f2542e2f425be504081305b2addec5e0470bda876cd0b522fb09ac0e1effb91ceb80dbc5

C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\breakage.ogg

MD5 25ceb30a246b5e35393c3014a8458610
SHA1 30d174a20e735cd86458be23017a5e09ce46e85d
SHA256 23df8661729e5cd150bc5821f3a3d57d918332c4e34cca70eec6495fcb5582d1
SHA512 fe80bd336b87818c0e4091ad5d8c0c2a3ec167840072ead2c7533b20318360bc85b71d5b943973fb11018889e06c51042e0ecf7fe903f08487597e93970338ba

memory/1364-42-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1364-48-0x0000000074B00000-0x0000000074C74000-memory.dmp

memory/1364-49-0x0000000077770000-0x0000000077919000-memory.dmp

memory/1364-55-0x0000000074B00000-0x0000000074C74000-memory.dmp

memory/1364-56-0x0000000074B00000-0x0000000074C74000-memory.dmp

memory/1364-58-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2028-61-0x0000000074B00000-0x0000000074C74000-memory.dmp

memory/1364-63-0x00000000024A0000-0x00000000025AF000-memory.dmp

memory/1364-62-0x0000000050120000-0x000000005030D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a5b503fc

MD5 e9eed48f6c877fb405f0483f628aa1b2
SHA1 9a41ef5a964b8c6a35429b697f58ccc8f7808f72
SHA256 98a3969387d13b20a2c54391cb855648a609294679b5a586d9cd28216211c49d
SHA512 7dae7d57cc42299ff256eef7776964e872ed84f8799eb173b47e5a09bc03e3065411f185db468cae37c93814968072ffb34e8df000fc0b629110ac852436334a

memory/1364-59-0x0000000050000000-0x0000000050116000-memory.dmp

memory/2028-64-0x0000000077770000-0x0000000077919000-memory.dmp

memory/2028-90-0x0000000074B00000-0x0000000074C74000-memory.dmp

memory/2028-91-0x0000000074B00000-0x0000000074C74000-memory.dmp

memory/2028-94-0x0000000074B00000-0x0000000074C74000-memory.dmp

memory/584-93-0x0000000072CF0000-0x0000000073D52000-memory.dmp

memory/584-96-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/584-95-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/584-98-0x00000000741A0000-0x000000007488E000-memory.dmp

memory/584-97-0x0000000000400000-0x0000000000416000-memory.dmp

memory/584-99-0x0000000004750000-0x0000000004790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFB23.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/584-116-0x00000000741A0000-0x000000007488E000-memory.dmp

memory/584-117-0x0000000004750000-0x0000000004790000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 12:45

Reported

2024-01-24 12:48

Platform

win10v2004-20231215-en

Max time kernel

133s

Max time network

152s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2168 wrote to memory of 756 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 2168 wrote to memory of 756 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

N/A