Analysis
  max time kernel: 144s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-05-2024 09:03
Static task static1
Behavioral task behavioral1: Sample "01 PROCESO JUDICIAL EN SU CONTRA/01 PROCESO JUDICIAL.exe", Resource win7-20240508-en
Behavioral task behavioral2: Sample "01 PROCESO JUDICIAL EN SU CONTRA/01 PROCESO JUDICIAL.exe", Resource win10v2004-20240426-en
Behavioral task behavioral3: Sample "01 PROCESO JUDICIAL EN SU CONTRA/madbasic_.dll", Resource win7-20231129-en
Behavioral task behavioral4: Sample "01 PROCESO JUDICIAL EN SU CONTRA/madbasic_.dll", Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample "01 PROCESO JUDICIAL EN SU CONTRA/maddisAsm_.dll", Resource win7-20240221-en
Behavioral task behavioral6: Sample "01 PROCESO JUDICIAL EN SU CONTRA/maddisAsm_.dll", Resource win10v2004-20240508-en
Behavioral task behavioral7: Sample "01 PROCESO JUDICIAL EN SU CONTRA/madexcept_.dll", Resource win7-20240221-en
Behavioral task behavioral8: Sample "01 PROCESO JUDICIAL EN SU CONTRA/madexcept_.dll", Resource win10v2004-20240426-en
Behavioral task behavioral9: Sample "01 PROCESO JUDICIAL EN SU CONTRA/rtl120.dll", Resource win7-20240508-en
Behavioral task behavioral10: Sample "01 PROCESO JUDICIAL EN SU CONTRA/rtl120.dll", Resource win10v2004-20240426-en
Behavioral task behavioral11: Sample "01 PROCESO JUDICIAL EN SU CONTRA/vcl120.dll", Resource win7-20240221-en
Behavioral task behavioral12: Sample "01 PROCESO JUDICIAL EN SU CONTRA/vcl120.dll", Resource win10v2004-20240426-en
Behavioral task behavioral13: Sample "01 PROCESO JUDICIAL EN SU CONTRA/vclx120.dll", Resource win7-20240508-en
Behavioral task behavioral14: Sample "01 PROCESO JUDICIAL EN SU CONTRA/vclx120.dll", Resource win10v2004-20240508-en
General
  Target: 01 PROCESO JUDICIAL EN SU CONTRA/01 PROCESO JUDICIAL.exe
  Size: 2.3MB
  MD5: 5d52ef45b6e5bf144307a84c2af1581b
  SHA1: 414a899ec327d4a9daa53983544245b209f25142
  SHA256: 26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
  SHA512: 458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
  SSDEEP: 49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K
Malware Config
  Extracted: asyncrat
  | CRACKED BY https://t.me/xworm_v2
  POWERUP
  powerup.dynuddns.net:6161
  AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_file: secure.exe
  install_folder: %AppData%
Signatures

- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    PID 548 (01 PROCESO JUDICIAL.exe) set thread context of PID 5104 (cmd.exe)
    PID 5104 (cmd.exe) set thread context of PID 4716 (MSBuild.exe)

- Drops file in Windows directory (1 IoC)
  Processes:
    cmd.exe: File created C:\Windows\Tasks\BMObeaconv1.job

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID 548 (01 PROCESO JUDICIAL.exe)
    PID 548 (01 PROCESO JUDICIAL.exe)
    PID 5104 (cmd.exe)
    PID 5104 (cmd.exe)
    PID 4716 (MSBuild.exe)

- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes:
    PID 548 (01 PROCESO JUDICIAL.exe)
    PID 5104 (cmd.exe)
    PID 5104 (cmd.exe)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    PID 4716 (MSBuild.exe): Token: SeDebugPrivilege

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 4716 (MSBuild.exe)

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 548 (01 PROCESO JUDICIAL.exe) wrote to memory of PID 5104 (cmd.exe), 4 times
    PID 5104 (cmd.exe) wrote to memory of PID 4716 (MSBuild.exe), 5 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe (PID 548)
   Command line: "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 5104), child of PID 548
      Command line: C:\Windows\SysWOW64\cmd.exe
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4716), child of PID 5104
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 777KB
  MD5: cdfb92edb86c38a0f4264f56484b9bde
  SHA1: f130fd69fdc54425cf29b5cb16b1e3bab7e04f96
  SHA256: c45751c2a8cd57dcbe378311c9a489004aa14f3e8b1f1f7dcd96a88ff523c987
  SHA512: 831c628de8f5dd446476458d623d9ec0f90445e992edd10dc2e5bcf887b3285c994c3368ff14c30a2c47c300bf0bbd6619ef44bfcb64729eb7d89e0e6fd1b217