Overview

Task scores (score / target / platform):

  10  Static                 static
   1  01 NOTIFIC......exe    windows7-x64
  10  01 NOTIFIC......exe    windows10-2004-x64
  10  01 NOTIFIC...er.dll    windows7-x64
   1  01 NOTIFIC...er.dll    windows10-2004-x64
   1  01 NOTIFIC...ge.ogg    windows7-x64
   1  01 NOTIFIC...ge.ogg    windows10-2004-x64
   7  01 NOTIFIC...or.psd    windows7-x64
   3  01 NOTIFIC...or.psd    windows10-2004-x64
   3  01 NOTIFIC...20.dll    windows7-x64
   1  01 NOTIFIC...20.dll    windows10-2004-x64
   1  01 NOTIFIC...20.dll    windows7-x64
   1  01 NOTIFIC...20.dll    windows10-2004-x64
Analysis

max time kernel: 120s
max time network: 154s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/01/2024, 20:07
Static task: static1

Behavioral tasks (task / sample / resource):

  behavioral1   01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA .....exe   win7-20231215-en
  behavioral2   01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA .....exe   win10v2004-20231222-en
  behavioral3   01 NOTIFICACION DEMANDA/Register.dll                       win7-20231215-en
  behavioral4   01 NOTIFICACION DEMANDA/Register.dll                       win10v2004-20231215-en
  behavioral5   01 NOTIFICACION DEMANDA/breakage.ogg                       win7-20231215-en
  behavioral6   01 NOTIFICACION DEMANDA/breakage.ogg                       win10v2004-20231222-en
  behavioral7   01 NOTIFICACION DEMANDA/fascinator.psd                     win7-20231215-en
  behavioral8   01 NOTIFICACION DEMANDA/fascinator.psd                     win10v2004-20231215-en
  behavioral9   01 NOTIFICACION DEMANDA/rtl120.dll                         win7-20231215-en
  behavioral10  01 NOTIFICACION DEMANDA/rtl120.dll                         win10v2004-20231222-en
  behavioral11  01 NOTIFICACION DEMANDA/vcl120.dll                         win7-20231215-en
  behavioral12  01 NOTIFICACION DEMANDA/vcl120.dll                         win10v2004-20231215-en
General

Target: 01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA .....exe
Size: 135KB
MD5: a2d70fbab5181a509369d96b682fc641
SHA1: 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512: 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
SSDEEP: 1536:URLRDTAC1CMoR1CqabJWt7AQFYMGhw1ScCD28v2Vv428fmvxOuw03h9VC:URdV1CMoiqadTQFBGhw1ED28+94hGw
Malware Config

Extracted

Family: asyncrat
Version: 3LOSH RAT
Botnet: Default
C2: mono2024.kozow.com:2727
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
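The extracted config above is the most durable hunting material on this page: the C2 host and port, the mutex the client creates, and the fact that install is false (so no copy in %AppData% and no Run key are expected, and their absence should not lower confidence). The following is an added example, not part of the sandbox report or of any AsyncRAT tooling: it turns the config values into hunt predicates and runs them over a handful of constructed endpoint events. The event dicts and their field names (type, pid, image, query, dst_host, dst_port, name) are assumptions; only the config values are from the page.

```python
"""Hunt predicates derived from the extracted AsyncRAT config on this page,
run over constructed endpoint telemetry. Added example; the event format is
an assumption, not a real EDR schema."""
from dataclasses import dataclass, field

# Values copied from the Malware Config section of this page.
CONFIG = {
    "family": "asyncrat",
    "c2": ["mono2024.kozow.com:2727"],
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}


@dataclass
class HuntSet:
    c2_hosts: set = field(default_factory=set)
    c2_ports: set = field(default_factory=set)
    mutexes: set = field(default_factory=set)
    expects_persistence: bool = False


def huntset_from_config(cfg):
    """Normalise the config into lookups; fail loudly on a malformed C2 entry."""
    hs = HuntSet()
    for entry in cfg["c2"]:
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"unparseable C2 entry: {entry!r}")
        hs.c2_hosts.add(host.lower().rstrip("."))
        hs.c2_ports.add(int(port))
    hs.mutexes.add(cfg["mutex"])
    # install=false: the client is not expected to drop itself into
    # install_folder or add a Run key, so missing persistence is not a miss.
    hs.expects_persistence = bool(cfg["install"])
    return hs


def match_events(hs, events):
    """Return (rule, pid, image, detail) tuples, strongest evidence first."""
    hits = []
    for ev in events:
        pid, image = ev["pid"], ev["image"]
        if ev["type"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if q in hs.c2_hosts:
                hits.append(("c2_dns_query", pid, image, q))
        elif ev["type"] == "net":
            host = ev["dst_host"].lower().rstrip(".")
            if host in hs.c2_hosts:
                hits.append(("c2_connection", pid, image, f"{host}:{ev['dst_port']}"))
            elif ev["dst_port"] in hs.c2_ports:
                # Port alone is weak evidence (the operator can move hosts);
                # keep it but label it so an analyst can triage it last.
                hits.append(("c2_port_only", pid, image, f"{host}:{ev['dst_port']}"))
        elif ev["type"] == "mutex" and ev["name"] in hs.mutexes:
            hits.append(("asyncrat_mutex", pid, image, ev["name"]))
    strength = {"c2_connection": 0, "asyncrat_mutex": 0, "c2_dns_query": 1, "c2_port_only": 2}
    return sorted(hits, key=lambda h: (strength[h[0]], h[1]))


# Constructed telemetry. PID 3000 / MSBuild.exe follows the process tree on
# this page; the other rows are benign noise invented for the example.
SAMPLE_EVENTS = [
    {"type": "dns", "pid": 3000, "image": "MSBuild.exe", "query": "mono2024.kozow.com."},
    {"type": "net", "pid": 3000, "image": "MSBuild.exe", "dst_host": "mono2024.kozow.com", "dst_port": 2727},
    {"type": "mutex", "pid": 3000, "image": "MSBuild.exe", "name": "AsyncMutex_6SI8OkPnk"},
    {"type": "net", "pid": 1234, "image": "chrome.exe", "dst_host": "example.com", "dst_port": 443},
    {"type": "net", "pid": 777, "image": "svchost.exe", "dst_host": "10.0.0.5", "dst_port": 2727},
]

if __name__ == "__main__":
    for hit in match_events(huntset_from_config(CONFIG), SAMPLE_EVENTS):
        print(hit)
```

The mutex match is the cheapest high-confidence signal because it does not depend on the C2 being reachable; the port-only rule exists so that a host change by the operator still leaves a breadcrumb, at the cost of triage noise.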
Signatures

Async RAT payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/3000-70-0x0000000000080000-0x0000000000096000-memory.dmp  asyncrat
  behavioral1/memory/3000-72-0x0000000004860000-0x00000000048A0000-memory.dmp  asyncrat

Suspicious use of SetThreadContext (2 IoCs)
  description                            pid   Process                           procid_target
  PID 2164 set thread context of 2004    2164  01 NOTIFICACION DEMANDA .....exe  28
  PID 2004 set thread context of 3000    2004  cmd.exe                           32

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  2164  01 NOTIFICACION DEMANDA .....exe
  2164  01 NOTIFICACION DEMANDA .....exe
  2004  cmd.exe
  2004  cmd.exe
  3000  MSBuild.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid   Process
  2164  01 NOTIFICACION DEMANDA .....exe
  2004  cmd.exe
  2004  cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3000  MSBuild.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3000  MSBuild.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process                           procid_target
  PID 2164 wrote to memory of 2004    2164  01 NOTIFICACION DEMANDA .....exe  28
  PID 2164 wrote to memory of 2004    2164  01 NOTIFICACION DEMANDA .....exe  28
  PID 2164 wrote to memory of 2004    2164  01 NOTIFICACION DEMANDA .....exe  28
  PID 2164 wrote to memory of 2004    2164  01 NOTIFICACION DEMANDA .....exe  28
  PID 2164 wrote to memory of 2004    2164  01 NOTIFICACION DEMANDA .....exe  28
  PID 2004 wrote to memory of 3000    2004  cmd.exe                           32
  PID 2004 wrote to memory of 3000    2004  cmd.exe                           32
  PID 2004 wrote to memory of 3000    2004  cmd.exe                           32
  PID 2004 wrote to memory of 3000    2004  cmd.exe                           32
  PID 2004 wrote to memory of 3000    2004  cmd.exe                           32
  PID 2004 wrote to memory of 3000    2004  cmd.exe                           32
Processes

1. C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"
   PID: 2164
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2164)
      Command line: C:\Windows\SysWOW64\cmd.exe
      PID: 2004
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 2004)
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         PID: 3000
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
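Read together, the SetThreadContext and WriteProcessMemory signatures and the process tree describe one injection chain: the dropper (2164) creates cmd.exe (2004), writes into it and sets its thread context, and the hollowed cmd.exe does the same to MSBuild.exe (3000), which is where the AsyncRAT YARA hits and the SeDebugPrivilege request land. A parent that both writes into a fresh child and sets the child's thread context is the classic process-hollowing sequence, and the repeated WriteProcessMemory rows per hop match writing headers and sections one at a time. The script below is an added example, not part of the report: it parses the signature rows exactly as printed on this page, collapses the duplicates, and reconstructs the chain, then names the signed Microsoft binaries that ended up hosting the payload. The row regex and the PID-to-image map are assumptions drawn from this page's layout.

```python
"""Reconstruct the process-hollowing chain from the flattened signature rows
on this page. Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Rows copied from the SetThreadContext and WriteProcessMemory signatures on
# this page. Duplicate rows are kept on purpose: the report repeats them.
SIGNATURE_ROWS = """\
PID 2164 set thread context of 2004 2164 01 NOTIFICACION DEMANDA .....exe 28
PID 2004 set thread context of 3000 2004 cmd.exe 32
PID 2164 wrote to memory of 2004 2164 01 NOTIFICACION DEMANDA .....exe 28
PID 2164 wrote to memory of 2004 2164 01 NOTIFICACION DEMANDA .....exe 28
PID 2004 wrote to memory of 3000 2004 cmd.exe 32
PID 2004 wrote to memory of 3000 2004 cmd.exe 32
"""

# PID -> image name, taken from the Processes section of this page.
PROCESS_NAMES = {
    2164: "01 NOTIFICACION DEMANDA .....exe",
    2004: "cmd.exe",
    3000: "MSBuild.exe",
}

# Row layout as printed: "PID <src> <verb> <dst> <pid> <image> <procid_target>".
# The image may contain spaces, so it is matched greedily up to the last field.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>.+) (?P<procid_target>\d+)$"
)

HOLLOW_VERBS = {"wrote to memory of", "set thread context of"}


def parse_rows(text):
    """Return {(src_pid, dst_pid): set(verbs)}; repeated rows collapse."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip header or unrelated lines
        edges[(int(m["src"]), int(m["dst"]))].add(m["verb"])
    return edges


def hollowing_chains(edges):
    """Follow hops where the parent both wrote into the child and set its
    thread context, starting from processes nobody injected into."""
    hops = {s: d for (s, d), verbs in edges.items() if HOLLOW_VERBS <= verbs}
    injected = set(hops.values())
    chains = []
    for root in sorted(p for p in hops if p not in injected):
        chain, cur = [root], root
        while cur in hops and hops[cur] not in chain:  # cycle guard
            cur = hops[cur]
            chain.append(cur)
        chains.append(chain)
    return chains


def hosted_images(chain, names):
    """Images of every process in the chain that received an injection."""
    return [names.get(pid, f"pid {pid}") for pid in chain[1:]]


if __name__ == "__main__":
    for chain in hollowing_chains(parse_rows(SIGNATURE_ROWS)):
        print(" -> ".join(str(p) for p in chain),
              "| hosts:", ", ".join(hosted_images(chain, PROCESS_NAMES)))
```

For live telemetry the same logic applies to Sysmon process-access events or an EDR's cross-process write and thread-context events: the thing to alert on is the pair (write into child, set child's thread context) from a parent that is not a debugger, with extra weight when the child is a signed Microsoft binary such as MSBuild.exe that then opens a network connection.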
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 741KB
  MD5: 1635888acdc1d546f5a345dc7293ba11
  SHA1: af4701595b272e9b9a7b4348f77e58634f46f9ad
  SHA256: 979be2906ddaa3067b2fbb1096fc0080c8992c0984defe7f4adf59fc799029da
  SHA512: 81dbb71a873fc77d955839bd8a2c124012bd491d56c0d3f0bfa75e18f46d5f2f90d29377b3ef832e2cc5f826d120c1465167103e0e529468cb4e371dc3aed79c

- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d