Analysis Overview
SHA256
3caa7e5f3acd124de99d931f6044a67868e716235463ac7d5d6bd6be69aa48b5
Threat Level: Known bad
The file 01 NOTIFICACION DEMANDA.REV was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-24 12:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 12:45
Reported
2024-01-24 12:48
Platform
win7-20231215-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1364 set thread context of 2028 | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2028 set thread context of 584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe
"C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mono2024.kozow.com | udp |
| US | 45.32.161.144:2727 | mono2024.kozow.com | tcp |
Files
C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe
| MD5 | a2d70fbab5181a509369d96b682fc641 |
| SHA1 | 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38 |
| SHA256 | 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473 |
| SHA512 | 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83 |
\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\vcl120.bpl
| MD5 | df684bd24b9960648777eeb9afec86fd |
| SHA1 | 27afb649f506f2bbdbc24be3b98537d16e611e44 |
| SHA256 | f8f1feb8fd8f9e1121cd9c18af0dc68dee97e6217b08e5b4e33a0ab6863f247a |
| SHA512 | b13314b33f10322918a425873d9338d1c9551adc9c0caf94d532e3bcd86237a224aa62c663dab88dd2561748e0862df6e5a6e608e9d0a542d0f8215613f6ed17 |
C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\vcl120.bpl
| MD5 | 12d1ad41daeadcac4ff9335e7de438be |
| SHA1 | 950cdd8e143167eefc75070f8f31bab4cbc19858 |
| SHA256 | 4661add2632c304b82d6c1140f6037663e58b077dd42ba36fcdf4e10d082f08a |
| SHA512 | 70503e980905065d036260188db677521d8b884485962c8a34567b5edcc11720ebe77adcac0608b69530f7ba247f05c1ec345a2e0117ff622e2329a3cd3aaad9 |
\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\rtl120.bpl
| MD5 | 7bafa5953bb05ddd2c0ae92eb80cf6ea |
| SHA1 | 8eed04748bddf54f707aa5988670f647c5d745a9 |
| SHA256 | 37c4ea59b22485d7c46aa64356d85821601c972c01f778ecc201b79ca5a9ba66 |
| SHA512 | 5e3813e885ec60977333670384f39f309689ca7a6ec0d98b03efbe88da86b0e7f731933628171fd1510f407a150b175359ebe845a335222a78bef3980e477fa2 |
C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\rtl120.bpl
| MD5 | adf82ed333fb5567f8097c7235b0e17f |
| SHA1 | e6ccaf016fc45edcdadeb40da64c207ddb33859f |
| SHA256 | d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50 |
| SHA512 | 2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92 |
memory/1364-45-0x00000000024A0000-0x00000000025AF000-memory.dmp
\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\Register.dll
| MD5 | dd001e7a2f751f6c9e8c40e23307d102 |
| SHA1 | 22fdeab3d891334e2e27d970b3a5680d45cb3371 |
| SHA256 | e2b66236119bfea1571f423a721b1c4495b2363a0af83b8ec2ea728b4fdd7d7a |
| SHA512 | ee9591e952028aab264ed6fa51369bb5c8d7aee4eaf735fd2f78b4559e2d07791d4d9777478d93be9de8952fa70105d9c431a48d380eebe637138fa188d7aae7 |
C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\fascinator.psd
| MD5 | 41ed9f6378365fa37addbe5503911712 |
| SHA1 | 8ef5324560d71fd78ec08bd6c7c15d8285f573ae |
| SHA256 | 43f2fb19d5d22b02465b8147d4dfff119bbdfa81feac91403827c2aa71c11175 |
| SHA512 | 5c157a826c1373fc127ea521e515a382dd425aa586590dd15ada3e48f2542e2f425be504081305b2addec5e0470bda876cd0b522fb09ac0e1effb91ceb80dbc5 |
C:\Users\Admin\Downloads\01 NOTIFICACION DEMANDA\breakage.ogg
| MD5 | 25ceb30a246b5e35393c3014a8458610 |
| SHA1 | 30d174a20e735cd86458be23017a5e09ce46e85d |
| SHA256 | 23df8661729e5cd150bc5821f3a3d57d918332c4e34cca70eec6495fcb5582d1 |
| SHA512 | fe80bd336b87818c0e4091ad5d8c0c2a3ec167840072ead2c7533b20318360bc85b71d5b943973fb11018889e06c51042e0ecf7fe903f08487597e93970338ba |
memory/1364-42-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1364-48-0x0000000074B00000-0x0000000074C74000-memory.dmp
memory/1364-49-0x0000000077770000-0x0000000077919000-memory.dmp
memory/1364-55-0x0000000074B00000-0x0000000074C74000-memory.dmp
memory/1364-56-0x0000000074B00000-0x0000000074C74000-memory.dmp
memory/1364-58-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2028-61-0x0000000074B00000-0x0000000074C74000-memory.dmp
memory/1364-63-0x00000000024A0000-0x00000000025AF000-memory.dmp
memory/1364-62-0x0000000050120000-0x000000005030D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a5b503fc
| MD5 | e9eed48f6c877fb405f0483f628aa1b2 |
| SHA1 | 9a41ef5a964b8c6a35429b697f58ccc8f7808f72 |
| SHA256 | 98a3969387d13b20a2c54391cb855648a609294679b5a586d9cd28216211c49d |
| SHA512 | 7dae7d57cc42299ff256eef7776964e872ed84f8799eb173b47e5a09bc03e3065411f185db468cae37c93814968072ffb34e8df000fc0b629110ac852436334a |
memory/1364-59-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2028-64-0x0000000077770000-0x0000000077919000-memory.dmp
memory/2028-90-0x0000000074B00000-0x0000000074C74000-memory.dmp
memory/2028-91-0x0000000074B00000-0x0000000074C74000-memory.dmp
memory/2028-94-0x0000000074B00000-0x0000000074C74000-memory.dmp
memory/584-93-0x0000000072CF0000-0x0000000073D52000-memory.dmp
memory/584-96-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/584-95-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/584-98-0x00000000741A0000-0x000000007488E000-memory.dmp
memory/584-97-0x0000000000400000-0x0000000000416000-memory.dmp
memory/584-99-0x0000000004750000-0x0000000004790000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFB23.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/584-116-0x00000000741A0000-0x000000007488E000-memory.dmp
memory/584-117-0x0000000004750000-0x0000000004790000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 12:45
Reported
2024-01-24 12:48
Platform
win10v2004-20231215-en
Max time kernel
133s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 756 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2168 wrote to memory of 756 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA.7z"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |