Analysis Overview
SHA256
3caa7e5f3acd124de99d931f6044a67868e716235463ac7d5d6bd6be69aa48b5
Threat Level: Known bad
The file 01 NOTIFICACION DEMANDA.REV was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-24 20:07
Signatures
Analysis: behavioral9
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win7-20231215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2220 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2220 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2220 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2220 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2220 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2220 wrote to memory of 2208 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win7-20231215-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2508 wrote to memory of 2632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win7-20231215-en
Max time kernel
120s
Max time network
154s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2164 set thread context of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2004 set thread context of 3000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe
"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mono2024.kozow.com | udp |
| US | 45.32.161.144:2727 | mono2024.kozow.com | tcp |
Files
memory/2164-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2164-1-0x00000000022A0000-0x00000000023AF000-memory.dmp
memory/2164-2-0x00000000748C0000-0x0000000074A34000-memory.dmp
memory/2164-3-0x0000000077370000-0x0000000077519000-memory.dmp
memory/2164-9-0x00000000748C0000-0x0000000074A34000-memory.dmp
memory/2164-10-0x00000000748C0000-0x0000000074A34000-memory.dmp
memory/2164-12-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2164-13-0x0000000050000000-0x0000000050116000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1d77e6d4
| MD5 | 1635888acdc1d546f5a345dc7293ba11 |
| SHA1 | af4701595b272e9b9a7b4348f77e58634f46f9ad |
| SHA256 | 979be2906ddaa3067b2fbb1096fc0080c8992c0984defe7f4adf59fc799029da |
| SHA512 | 81dbb71a873fc77d955839bd8a2c124012bd491d56c0d3f0bfa75e18f46d5f2f90d29377b3ef832e2cc5f826d120c1465167103e0e529468cb4e371dc3aed79c |
memory/2164-17-0x00000000022A0000-0x00000000023AF000-memory.dmp
memory/2004-16-0x00000000748C0000-0x0000000074A34000-memory.dmp
memory/2164-14-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2004-18-0x0000000077370000-0x0000000077519000-memory.dmp
memory/2004-63-0x00000000748C0000-0x0000000074A34000-memory.dmp
memory/2004-64-0x00000000748C0000-0x0000000074A34000-memory.dmp
memory/2004-67-0x00000000748C0000-0x0000000074A34000-memory.dmp
memory/3000-66-0x00000000728F0000-0x0000000073952000-memory.dmp
memory/3000-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3000-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3000-70-0x0000000000080000-0x0000000000096000-memory.dmp
memory/3000-71-0x0000000073FA0000-0x000000007468E000-memory.dmp
memory/3000-72-0x0000000004860000-0x00000000048A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3239.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/3000-89-0x0000000073FA0000-0x000000007468E000-memory.dmp
memory/3000-90-0x0000000004860000-0x00000000048A0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win7-20231215-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"
Network
Files
memory/2500-1-0x000007FEF72F0000-0x000007FEF7324000-memory.dmp
memory/2500-0-0x000000013F6A0000-0x000000013F798000-memory.dmp
memory/2500-2-0x000007FEF5950000-0x000007FEF5C04000-memory.dmp
memory/2500-3-0x000007FEFB040000-0x000007FEFB058000-memory.dmp
memory/2500-4-0x000007FEFAB70000-0x000007FEFAB87000-memory.dmp
memory/2500-5-0x000007FEF7340000-0x000007FEF7351000-memory.dmp
memory/2500-6-0x000007FEF6620000-0x000007FEF6637000-memory.dmp
memory/2500-7-0x000007FEF6600000-0x000007FEF6611000-memory.dmp
memory/2500-8-0x000007FEF65E0000-0x000007FEF65FD000-memory.dmp
memory/2500-9-0x000007FEF6140000-0x000007FEF6151000-memory.dmp
memory/2500-10-0x000007FEF48A0000-0x000007FEF594B000-memory.dmp
memory/2500-11-0x000007FEF46A0000-0x000007FEF48A0000-memory.dmp
memory/2500-12-0x000007FEF6050000-0x000007FEF608F000-memory.dmp
memory/2500-13-0x000007FEF6020000-0x000007FEF6041000-memory.dmp
memory/2500-14-0x000007FEF6000000-0x000007FEF6018000-memory.dmp
memory/2500-15-0x000007FEF5FE0000-0x000007FEF5FF1000-memory.dmp
memory/2500-17-0x000007FEF5FA0000-0x000007FEF5FB1000-memory.dmp
memory/2500-18-0x000007FEF5F80000-0x000007FEF5F9B000-memory.dmp
memory/2500-16-0x000007FEF5FC0000-0x000007FEF5FD1000-memory.dmp
memory/2500-19-0x000007FEF4680000-0x000007FEF4691000-memory.dmp
memory/2500-20-0x000007FEF4660000-0x000007FEF4678000-memory.dmp
memory/2500-21-0x000007FEF4630000-0x000007FEF4660000-memory.dmp
memory/2500-22-0x000007FEF45C0000-0x000007FEF4627000-memory.dmp
memory/2500-23-0x000007FEF4550000-0x000007FEF45BF000-memory.dmp
memory/2500-24-0x000007FEF4530000-0x000007FEF4541000-memory.dmp
memory/2500-25-0x000007FEF44D0000-0x000007FEF452C000-memory.dmp
memory/2500-26-0x000007FEF4470000-0x000007FEF44C6000-memory.dmp
memory/2500-27-0x000007FEF4440000-0x000007FEF4468000-memory.dmp
memory/2500-28-0x000007FEF4410000-0x000007FEF4434000-memory.dmp
memory/2500-29-0x000007FEF43F0000-0x000007FEF4407000-memory.dmp
memory/2500-30-0x000007FEF43C0000-0x000007FEF43E3000-memory.dmp
memory/2500-31-0x000007FEF43A0000-0x000007FEF43B1000-memory.dmp
memory/2500-32-0x000007FEF4380000-0x000007FEF4392000-memory.dmp
memory/2500-33-0x000007FEF4350000-0x000007FEF4371000-memory.dmp
memory/2500-34-0x000007FEF4330000-0x000007FEF4343000-memory.dmp
memory/2500-35-0x000007FEF4310000-0x000007FEF4322000-memory.dmp
memory/2500-37-0x000007FEF41A0000-0x000007FEF41CC000-memory.dmp
memory/2500-36-0x000007FEF41D0000-0x000007FEF430B000-memory.dmp
memory/2500-38-0x000007FEF3FE0000-0x000007FEF4192000-memory.dmp
memory/2500-39-0x000007FEF3FC0000-0x000007FEF3FD1000-memory.dmp
memory/2500-40-0x000007FEF3F20000-0x000007FEF3FB7000-memory.dmp
memory/2500-41-0x000007FEF3F00000-0x000007FEF3F12000-memory.dmp
memory/2500-42-0x000007FEF3CC0000-0x000007FEF3EF1000-memory.dmp
memory/2500-43-0x000007FEF3BA0000-0x000007FEF3CB2000-memory.dmp
memory/2500-44-0x000007FEF3B60000-0x000007FEF3B95000-memory.dmp
memory/2500-45-0x000007FEF3B30000-0x000007FEF3B55000-memory.dmp
memory/2500-46-0x000007FEF3B10000-0x000007FEF3B21000-memory.dmp
memory/2500-47-0x000007FEF3AA0000-0x000007FEF3B01000-memory.dmp
memory/2500-48-0x000007FEF3A80000-0x000007FEF3A91000-memory.dmp
memory/2500-49-0x000007FEF3A60000-0x000007FEF3A72000-memory.dmp
memory/2500-50-0x000007FEF3A40000-0x000007FEF3A53000-memory.dmp
memory/2500-51-0x000007FEF39A0000-0x000007FEF3A3F000-memory.dmp
memory/2500-52-0x000007FEF3980000-0x000007FEF3991000-memory.dmp
memory/2500-53-0x000007FEF3870000-0x000007FEF3972000-memory.dmp
memory/2500-54-0x000007FEF3850000-0x000007FEF3861000-memory.dmp
memory/2500-55-0x000007FEF3830000-0x000007FEF3841000-memory.dmp
memory/2500-56-0x000007FEF3810000-0x000007FEF3821000-memory.dmp
memory/2500-57-0x000007FEF37F0000-0x000007FEF3802000-memory.dmp
memory/2500-58-0x000007FEF37D0000-0x000007FEF37E8000-memory.dmp
memory/2500-60-0x000007FEF3780000-0x000007FEF37A9000-memory.dmp
memory/2500-59-0x000007FEF37B0000-0x000007FEF37C6000-memory.dmp
memory/2500-62-0x000007FEF3740000-0x000007FEF3751000-memory.dmp
memory/2500-61-0x000007FEF3760000-0x000007FEF3772000-memory.dmp
memory/2500-63-0x000007FEF3720000-0x000007FEF3731000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win10v2004-20231222-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1156 wrote to memory of 1048 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 1156 wrote to memory of 1048 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\breakage.ogg"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
Files
memory/1048-0-0x00007FF6D6D30000-0x00007FF6D6E28000-memory.dmp
memory/1048-1-0x00007FFAC3040000-0x00007FFAC3074000-memory.dmp
memory/1048-2-0x00007FFAB3740000-0x00007FFAB39F4000-memory.dmp
memory/1048-7-0x00007FFAC2EA0000-0x00007FFAC2EB1000-memory.dmp
memory/1048-6-0x00007FFAC2EC0000-0x00007FFAC2ED7000-memory.dmp
memory/1048-5-0x00007FFAC2EE0000-0x00007FFAC2EF1000-memory.dmp
memory/1048-4-0x00007FFAC2F80000-0x00007FFAC2F97000-memory.dmp
memory/1048-9-0x00007FFAC2DD0000-0x00007FFAC2DE1000-memory.dmp
memory/1048-8-0x00007FFAC2DF0000-0x00007FFAC2E0D000-memory.dmp
memory/1048-11-0x00007FFAC2D90000-0x00007FFAC2DCF000-memory.dmp
memory/1048-10-0x00007FFAB3540000-0x00007FFAB3740000-memory.dmp
memory/1048-3-0x00007FFAC2FA0000-0x00007FFAC2FB8000-memory.dmp
memory/1048-12-0x00007FFAB2490000-0x00007FFAB353B000-memory.dmp
memory/1048-22-0x00007FFAC22D0000-0x00007FFAC2337000-memory.dmp
memory/1048-23-0x00007FFAB9650000-0x00007FFAB96BF000-memory.dmp
memory/1048-21-0x00007FFAC2990000-0x00007FFAC29C0000-memory.dmp
memory/1048-37-0x00007FFAB1D50000-0x00007FFAB1D7C000-memory.dmp
memory/1048-39-0x00007FFAB1B70000-0x00007FFAB1B81000-memory.dmp
memory/1048-38-0x00007FFAB1B90000-0x00007FFAB1D42000-memory.dmp
memory/1048-41-0x00007FFAB1AB0000-0x00007FFAB1AC2000-memory.dmp
memory/1048-43-0x00007FFAB1750000-0x00007FFAB1862000-memory.dmp
memory/1048-42-0x00007FFAB1870000-0x00007FFAB1AA1000-memory.dmp
memory/1048-40-0x00007FFAB1AD0000-0x00007FFAB1B67000-memory.dmp
memory/1048-53-0x00007FFAB14E0000-0x00007FFAB15E2000-memory.dmp
memory/1048-63-0x00007FFAB1390000-0x00007FFAB13A1000-memory.dmp
memory/1048-62-0x00007FFAB13B0000-0x00007FFAB13C1000-memory.dmp
memory/1048-61-0x00007FFAB13D0000-0x00007FFAB13E2000-memory.dmp
memory/1048-60-0x00007FFAB13F0000-0x00007FFAB1419000-memory.dmp
memory/1048-59-0x00007FFAB1420000-0x00007FFAB1436000-memory.dmp
memory/1048-58-0x00007FFAB1440000-0x00007FFAB1458000-memory.dmp
memory/1048-57-0x00007FFAB1460000-0x00007FFAB1472000-memory.dmp
memory/1048-56-0x00007FFAB1480000-0x00007FFAB1491000-memory.dmp
memory/1048-55-0x00007FFAB14A0000-0x00007FFAB14B1000-memory.dmp
memory/1048-54-0x00007FFAB14C0000-0x00007FFAB14D1000-memory.dmp
memory/1048-52-0x00007FFAB15F0000-0x00007FFAB1601000-memory.dmp
memory/1048-51-0x00007FFAB1610000-0x00007FFAB16AF000-memory.dmp
memory/1048-50-0x00007FFAB16B0000-0x00007FFAB16C3000-memory.dmp
memory/1048-49-0x00007FFAB16D0000-0x00007FFAB16E2000-memory.dmp
memory/1048-48-0x00007FFAB16F0000-0x00007FFAB1701000-memory.dmp
memory/1048-47-0x00007FFAC2BD0000-0x00007FFAC2C31000-memory.dmp
memory/1048-46-0x00007FFAC2C40000-0x00007FFAC2C51000-memory.dmp
memory/1048-45-0x00007FFAC2C60000-0x00007FFAC2C85000-memory.dmp
memory/1048-44-0x00007FFAB1710000-0x00007FFAB1745000-memory.dmp
memory/1048-36-0x00007FFAB1D80000-0x00007FFAB1EBB000-memory.dmp
memory/1048-35-0x00007FFAB1EC0000-0x00007FFAB1ED2000-memory.dmp
memory/1048-34-0x00007FFAB1EE0000-0x00007FFAB1EF3000-memory.dmp
memory/1048-33-0x00007FFAB1F00000-0x00007FFAB1F21000-memory.dmp
memory/1048-32-0x00007FFAB1F30000-0x00007FFAB1F42000-memory.dmp
memory/1048-31-0x00007FFAB4130000-0x00007FFAB4141000-memory.dmp
memory/1048-30-0x00007FFAB1F50000-0x00007FFAB1F73000-memory.dmp
memory/1048-29-0x00007FFAC2290000-0x00007FFAC22A7000-memory.dmp
memory/1048-28-0x00007FFAB1F80000-0x00007FFAB1FA4000-memory.dmp
memory/1048-27-0x00007FFABEF00000-0x00007FFABEF28000-memory.dmp
memory/1048-26-0x00007FFAB1FB0000-0x00007FFAB2006000-memory.dmp
memory/1048-25-0x00007FFAB2430000-0x00007FFAB248C000-memory.dmp
memory/1048-24-0x00007FFAC22B0000-0x00007FFAC22C1000-memory.dmp
memory/1048-20-0x00007FFAC29C0000-0x00007FFAC29D8000-memory.dmp
memory/1048-19-0x00007FFAC29E0000-0x00007FFAC29F1000-memory.dmp
memory/1048-18-0x00007FFAC2A80000-0x00007FFAC2A9B000-memory.dmp
memory/1048-17-0x00007FFAC2AA0000-0x00007FFAC2AB1000-memory.dmp
memory/1048-16-0x00007FFAC2AC0000-0x00007FFAC2AD1000-memory.dmp
memory/1048-15-0x00007FFAC2AE0000-0x00007FFAC2AF1000-memory.dmp
memory/1048-14-0x00007FFAC2B00000-0x00007FFAC2B18000-memory.dmp
memory/1048-13-0x00007FFAC2D60000-0x00007FFAC2D81000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win7-20231215-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.psd | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\.psd\ = "psd_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\psd_auto_file | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2420 wrote to memory of 3020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2420 wrote to memory of 3020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2420 wrote to memory of 3020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3020 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3020 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3020 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 3020 wrote to memory of 3004 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 93f6901245355a211b34ab8427cc1971 |
| SHA1 | bd203414d5637a1d0297755dcbf11f667bcf27a4 |
| SHA256 | 0b85e944fb5d82f05e91e2d5ddb71eab4696179c765ec48b96396f76526e7125 |
| SHA512 | 969bcc0dcd2dc0d0199d239b2c315d6be0e6da1378ff1cf77d996159177d3290fb179c0c55b618b78ede7d4d96ab55568d6906d0096b6073904991055eb59705 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\fascinator.psd"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win10v2004-20231222-en
Max time kernel
92s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4984 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4984 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4984 wrote to memory of 1952 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\rtl120.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win10v2004-20231215-en
Max time kernel
137s
Max time network
157s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4444 wrote to memory of 1572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4444 wrote to memory of 1572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4444 wrote to memory of 1572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\vcl120.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win10v2004-20231222-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3076 set thread context of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2020 set thread context of 2120 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe
"C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\01 NOTIFICACION DEMANDA .....exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mono2024.kozow.com | udp |
| US | 45.32.161.144:2727 | mono2024.kozow.com | tcp |
| US | 8.8.8.8:53 | 144.161.32.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\bb8742d2
| MD5 | ec1433d676873ba4bcab866c4efdb807 |
| SHA1 | 9e0b70dc35177a576d8028a4f6be483f4216f63e |
| SHA256 | 0260f501c0682fb2bb5778d98f8b785dcdac1dc5cf0d223796cdcd7893fb2738 |
| SHA512 | dd921dd33a1d47807940741d90058e283404e6afe27c8685fcd45f02fc85aa247fa808bbaa8ea40b4dad666e8fb0193eb776ee2d41cc45d5a21aef5259962423 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win7-20231215-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2232 wrote to memory of 2504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
Network
Files
memory/2504-0-0x0000000001EB0000-0x0000000001FBF000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-24 20:07
Reported
2024-01-24 20:10
Platform
win10v2004-20231215-en
Max time kernel
138s
Max time network
143s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 4740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 NOTIFICACION DEMANDA\Register.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/4740-0-0x0000000002180000-0x000000000228F000-memory.dmp
memory/4740-1-0x0000000002180000-0x000000000228F000-memory.dmp