Analysis

max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2024, 20:07
Static task: static1

Behavioral tasks (task / Sample / Resource):
behavioral1   01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA .....exe   win7-20231215-en
behavioral2   01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA .....exe   win10v2004-20231222-en
behavioral3   01 NOTIFICACION DEMANDA/Register.dll                       win7-20231215-en
behavioral4   01 NOTIFICACION DEMANDA/Register.dll                       win10v2004-20231215-en
behavioral5   01 NOTIFICACION DEMANDA/breakage.ogg                       win7-20231215-en
behavioral6   01 NOTIFICACION DEMANDA/breakage.ogg                       win10v2004-20231222-en
behavioral7   01 NOTIFICACION DEMANDA/fascinator.psd                     win7-20231215-en
behavioral8   01 NOTIFICACION DEMANDA/fascinator.psd                     win10v2004-20231215-en
behavioral9   01 NOTIFICACION DEMANDA/rtl120.dll                         win7-20231215-en
behavioral10  01 NOTIFICACION DEMANDA/rtl120.dll                         win10v2004-20231222-en
behavioral11  01 NOTIFICACION DEMANDA/vcl120.dll                         win7-20231215-en
behavioral12  01 NOTIFICACION DEMANDA/vcl120.dll                         win10v2004-20231215-en
General

Target: 01 NOTIFICACION DEMANDA/01 NOTIFICACION DEMANDA .....exe
Size: 135KB
MD5: a2d70fbab5181a509369d96b682fc641
SHA1: 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512: 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
SSDEEP: 1536:URLRDTAC1CMoR1CqabJWt7AQFYMGhw1ScCD28v2Vv428fmvxOuw03h9VC:URdV1CMoiqadTQFBGhw1ED28+94hGw
Malware Config

Extracted
Family: asyncrat
Version: 3LOSH RAT
Botnet: Default
C2: mono2024.kozow.com:2727
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
Signatures

Async RAT payload (1 IoCs)
resource                                                                    yara_rule
behavioral2/memory/2120-27-0x0000000001010000-0x0000000001026000-memory.dmp asyncrat

Suspicious use of SetThreadContext (2 IoCs)
description                              pid   Process                              procid_target
PID 3076 set thread context of 2020      3076  01 NOTIFICACION DEMANDA .....exe     88
PID 2020 set thread context of 2120      2020  cmd.exe                              99

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   Process
3076  01 NOTIFICACION DEMANDA .....exe
3076  01 NOTIFICACION DEMANDA .....exe
2020  cmd.exe
2020  cmd.exe
2120  MSBuild.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid   Process
3076  01 NOTIFICACION DEMANDA .....exe
2020  cmd.exe
2020  cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2120  MSBuild.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
2120  MSBuild.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                              pid   Process                              procid_target
PID 3076 wrote to memory of 2020         3076  01 NOTIFICACION DEMANDA .....exe     88
PID 3076 wrote to memory of 2020         3076  01 NOTIFICACION DEMANDA .....exe     88
PID 3076 wrote to memory of 2020         3076  01 NOTIFICACION DEMANDA .....exe     88
PID 3076 wrote to memory of 2020         3076  01 NOTIFICACION DEMANDA .....exe     88
PID 2020 wrote to memory of 2120         2020  cmd.exe                              99
PID 2020 wrote to memory of 2120         2020  cmd.exe                              99
PID 2020 wrote to memory of 2120         2020  cmd.exe                              99
PID 2020 wrote to memory of 2120         2020  cmd.exe                              99
PID 2020 wrote to memory of 2120         2020  cmd.exe                              99
Processes

C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"
  PID: 3076
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 2020
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      PID: 2120
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 741KB
MD5: ec1433d676873ba4bcab866c4efdb807
SHA1: 9e0b70dc35177a576d8028a4f6be483f4216f63e
SHA256: 0260f501c0682fb2bb5778d98f8b785dcdac1dc5cf0d223796cdcd7893fb2738
SHA512: dd921dd33a1d47807940741d90058e283404e6afe27c8685fcd45f02fc85aa247fa808bbaa8ea40b4dad666e8fb0193eb776ee2d41cc45d5a21aef5259962423