Malware Analysis Report

2025-06-16 02:14

Sample ID: 240124-yv4xdsgec8
Target: 01 NOTIFICACION DEMANDA.REV
SHA256: 3caa7e5f3acd124de99d931f6044a67868e716235463ac7d5d6bd6be69aa48b5
Tags: asyncrat default rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 3caa7e5f3acd124de99d931f6044a67868e716235463ac7d5d6bd6be69aa48b5

Threat Level: Known bad

The file 01 NOTIFICACION DEMANDA.REV was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-01-24 20:07

Signatures

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win7-20231215-en
Max time kernel: 117s
Max time network: 121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2220 wrote to memory of 2208 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win7-20231215-en
Max time kernel: 119s
Max time network: 122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2508 wrote to memory of 2632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win7-20231215-en
Max time kernel: 120s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"

Signatures

AsyncRat (tags: rat asyncrat)

Async RAT payload (tags: rat)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2164 set thread context of 2004 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe C:\Windows\SysWOW64\cmd.exe
PID 2004 set thread context of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2004 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2004 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2004 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2004 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2004 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 mono2024.kozow.com udp
US 45.32.161.144:2727 mono2024.kozow.com tcp

Files


C:\Users\Admin\AppData\Local\Temp\1d77e6d4

MD5 1635888acdc1d546f5a345dc7293ba11
SHA1 af4701595b272e9b9a7b4348f77e58634f46f9ad
SHA256 979be2906ddaa3067b2fbb1096fc0080c8992c0984defe7f4adf59fc799029da
SHA512 81dbb71a873fc77d955839bd8a2c124012bd491d56c0d3f0bfa75e18f46d5f2f90d29377b3ef832e2cc5f826d120c1465167103e0e529468cb4e371dc3aed79c


C:\Users\Admin\AppData\Local\Temp\Cab3239.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d


Analysis: behavioral5

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win7-20231215-en
Max time kernel: 141s
Max time network: 123s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Network

N/A

Files


Analysis: behavioral6

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win10v2004-20231222-en
Max time kernel: 142s
Max time network: 149s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1156 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp

Files


Analysis: behavioral7

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win7-20231215-en
Max time kernel: 120s
Max time network: 120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.psd C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.psd\ = "psd_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 93f6901245355a211b34ab8427cc1971
SHA1 bd203414d5637a1d0297755dcbf11f667bcf27a4
SHA256 0b85e944fb5d82f05e91e2d5ddb71eab4696179c765ec48b96396f76526e7125
SHA512 969bcc0dcd2dc0d0199d239b2c315d6be0e6da1378ff1cf77d996159177d3290fb179c0c55b618b78ede7d4d96ab55568d6906d0096b6073904991055eb59705

Analysis: behavioral8

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win10v2004-20231215-en
Max time kernel: 145s
Max time network: 150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win10v2004-20231222-en
Max time kernel: 92s
Max time network: 120s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4984 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4984 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4984 wrote to memory of 1952 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win10v2004-20231215-en
Max time kernel: 137s
Max time network: 157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4444 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4444 wrote to memory of 1572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-24 20:07
Reported: 2024-01-24 20:10
Platform: win10v2004-20231222-en
Max time kernel: 143s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"

Signatures

AsyncRat (tags: rat asyncrat)

Async RAT payload (tags: rat)

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3076 set thread context of 2020 N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe C:\Windows\SysWOW64\cmd.exe
PID 2020 set thread context of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe

"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 mono2024.kozow.com udp
US 45.32.161.144:2727 mono2024.kozow.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\bb8742d2

MD5 ec1433d676873ba4bcab866c4efdb807
SHA1 9e0b70dc35177a576d8028a4f6be483f4216f63e
SHA256 0260f501c0682fb2bb5778d98f8b785dcdac1dc5cf0d223796cdcd7893fb2738
SHA512 dd921dd33a1d47807940741d90058e283404e6afe27c8685fcd45f02fc85aa247fa808bbaa8ea40b4dad666e8fb0193eb776ee2d41cc45d5a21aef5259962423

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-24 20:07

Reported

2024-01-24 20:10

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Network

N/A

Files

memory/2504-0-0x0000000001EB0000-0x0000000001FBF000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-24 20:07

Reported

2024-01-24 20:10

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

143s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5008 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5008 wrote to memory of 4740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1

Network

Country Destination Domain Proto

Files

memory/4740-0-0x0000000002180000-0x000000000228F000-memory.dmp

memory/4740-1-0x0000000002180000-0x000000000228F000-memory.dmp