Overview
Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 25-05-2024 09:03
Static task
- static1

Behavioral tasks
task | sample | resource
behavioral1 | 01 PROCESO JUDICIAL EN SU CONTRA/01 PROCESO JUDICIAL.exe | win7-20240508-en
behavioral2 | 01 PROCESO JUDICIAL EN SU CONTRA/01 PROCESO JUDICIAL.exe | win10v2004-20240426-en
behavioral3 | 01 PROCESO JUDICIAL EN SU CONTRA/madbasic_.dll | win7-20231129-en
behavioral4 | 01 PROCESO JUDICIAL EN SU CONTRA/madbasic_.dll | win10v2004-20240508-en
behavioral5 | 01 PROCESO JUDICIAL EN SU CONTRA/maddisAsm_.dll | win7-20240221-en
behavioral6 | 01 PROCESO JUDICIAL EN SU CONTRA/maddisAsm_.dll | win10v2004-20240508-en
behavioral7 | 01 PROCESO JUDICIAL EN SU CONTRA/madexcept_.dll | win7-20240221-en
behavioral8 | 01 PROCESO JUDICIAL EN SU CONTRA/madexcept_.dll | win10v2004-20240426-en
behavioral9 | 01 PROCESO JUDICIAL EN SU CONTRA/rtl120.dll | win7-20240508-en
behavioral10 | 01 PROCESO JUDICIAL EN SU CONTRA/rtl120.dll | win10v2004-20240426-en
behavioral11 | 01 PROCESO JUDICIAL EN SU CONTRA/vcl120.dll | win7-20240221-en
behavioral12 | 01 PROCESO JUDICIAL EN SU CONTRA/vcl120.dll | win10v2004-20240426-en
behavioral13 | 01 PROCESO JUDICIAL EN SU CONTRA/vclx120.dll | win7-20240508-en
behavioral14 | 01 PROCESO JUDICIAL EN SU CONTRA/vclx120.dll | win10v2004-20240508-en
General
- Target: 01 PROCESO JUDICIAL EN SU CONTRA/01 PROCESO JUDICIAL.exe
- Size: 2.3MB
- MD5: 5d52ef45b6e5bf144307a84c2af1581b
- SHA1: 414a899ec327d4a9daa53983544245b209f25142
- SHA256: 26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
- SHA512: 458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
- SSDEEP: 49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K
Malware Config
Extracted
- Family: asyncrat
- | CRACKED BY https://t.me/xworm_v2
- POWERUP
- powerup.dynuddns.net:6161
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_file: secure.exe
- install_folder: %AppData%
Signatures
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 1728 set thread context of 2060 | 1728 | 01 PROCESO JUDICIAL.exe | cmd.exe
  PID 2060 set thread context of 2720 | 2060 | cmd.exe | MSBuild.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\BMObeaconv1.job | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid | process
  1728 | 01 PROCESO JUDICIAL.exe
  1728 | 01 PROCESO JUDICIAL.exe
  2060 | cmd.exe
  2060 | cmd.exe
  2720 | MSBuild.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes:
  pid | process
  1728 | 01 PROCESO JUDICIAL.exe
  2060 | cmd.exe
  2060 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2720 | MSBuild.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  2720 | MSBuild.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 1728 wrote to memory of 2060 | 1728 | 01 PROCESO JUDICIAL.exe | cmd.exe
  PID 1728 wrote to memory of 2060 | 1728 | 01 PROCESO JUDICIAL.exe | cmd.exe
  PID 1728 wrote to memory of 2060 | 1728 | 01 PROCESO JUDICIAL.exe | cmd.exe
  PID 1728 wrote to memory of 2060 | 1728 | 01 PROCESO JUDICIAL.exe | cmd.exe
  PID 1728 wrote to memory of 2060 | 1728 | 01 PROCESO JUDICIAL.exe | cmd.exe
  PID 2060 wrote to memory of 2720 | 2060 | cmd.exe | MSBuild.exe
  PID 2060 wrote to memory of 2720 | 2060 | cmd.exe | MSBuild.exe
  PID 2060 wrote to memory of 2720 | 2060 | cmd.exe | MSBuild.exe
  PID 2060 wrote to memory of 2720 | 2060 | cmd.exe | MSBuild.exe
  PID 2060 wrote to memory of 2720 | 2060 | cmd.exe | MSBuild.exe
  PID 2060 wrote to memory of 2720 | 2060 | cmd.exe | MSBuild.exe
Processes (process tree; indentation shows parent/child relationship)
- 01 PROCESO JUDICIAL.exe, PID 1728 (depth 1)
  image: C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - cmd.exe, PID 2060 (depth 2, child of PID 1728)
    image: C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\SysWOW64\cmd.exe
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - MSBuild.exe, PID 2720 (depth 3, child of PID 2060)
      image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 777KB
- MD5: 976897b1c2c99e4599da94731e451e82
- SHA1: 1cb17922ac10ba6dd8f0124bdc99ce4f434f4b03
- SHA256: 674c14ec99bd4ca47cb814d2cd4fba17b8b84aa0665caf39f41355b0c57d9f35
- SHA512: 31d83e4249bb3fa35a5c4450fa2531c277317645e5676060aee43f932c11c683f7470715948d32c934c0d3ff2a59d5cd5ee1743d787ba10d38486b5700369744