Analysis Overview
SHA256
786693fc79ddbb27763dd3512b6b5356d013f91ef2e445bbaadc9dd284806ba4
Threat Level: Known bad
The file 25052024_0903_01 PROCESO JUDICIAL EN SU CONTRA.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 09:03
Signatures
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1708 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\maddisAsm_.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\maddisAsm_.dll",#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2580 wrote to memory of 1512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\rtl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\rtl120.dll",#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win7-20240508-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
AsyncRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1728 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2060 set thread context of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\BMObeaconv1.job | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe
"C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | powerup.dynuddns.net | udp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
Files
memory/1728-0-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/1728-1-0x00000000778D0000-0x0000000077A79000-memory.dmp
memory/1728-10-0x0000000074D82000-0x0000000074D84000-memory.dmp
memory/1728-11-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/1728-12-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/1728-14-0x0000000000400000-0x0000000000698000-memory.dmp
memory/1728-20-0x0000000050310000-0x0000000050349000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b0b12ff7
| MD5 | 976897b1c2c99e4599da94731e451e82 |
| SHA1 | 1cb17922ac10ba6dd8f0124bdc99ce4f434f4b03 |
| SHA256 | 674c14ec99bd4ca47cb814d2cd4fba17b8b84aa0665caf39f41355b0c57d9f35 |
| SHA512 | 31d83e4249bb3fa35a5c4450fa2531c277317645e5676060aee43f932c11c683f7470715948d32c934c0d3ff2a59d5cd5ee1743d787ba10d38486b5700369744 |
memory/2060-21-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/1728-19-0x0000000057800000-0x0000000057812000-memory.dmp
memory/1728-18-0x0000000050120000-0x000000005030D000-memory.dmp
memory/1728-17-0x0000000057000000-0x000000005703F000-memory.dmp
memory/1728-16-0x0000000059800000-0x000000005986E000-memory.dmp
memory/1728-15-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2060-23-0x00000000778D0000-0x0000000077A79000-memory.dmp
memory/2060-68-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/2060-74-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/2060-77-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/2060-78-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/2060-81-0x0000000074D70000-0x0000000074EE4000-memory.dmp
memory/2720-83-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2720-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2720-80-0x0000000072CB0000-0x0000000073D12000-memory.dmp
memory/2720-84-0x0000000000080000-0x0000000000096000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1712 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1712 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1712 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1712 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1712 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1712 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1712 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madexcept_.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madexcept_.dll",#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
105s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2600 wrote to memory of 5144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 5144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2600 wrote to memory of 5144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madexcept_.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madexcept_.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
105s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4912 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4912 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4912 wrote to memory of 2124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vclx120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vclx120.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2124 -ip 2124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 676
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2124-0-0x0000000050310000-0x0000000050349000-memory.dmp
memory/2124-2-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2124-1-0x0000000050000000-0x0000000050116000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
AsyncRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 548 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5104 set thread context of 4716 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\BMObeaconv1.job | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe
"C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | powerup.dynuddns.net | udp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
| US | 207.246.64.185:6161 | powerup.dynuddns.net | tcp |
Files
memory/548-0-0x0000000074390000-0x000000007450B000-memory.dmp
memory/548-1-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp
memory/548-10-0x00000000743A2000-0x00000000743A4000-memory.dmp
memory/548-11-0x0000000074390000-0x000000007450B000-memory.dmp
memory/548-12-0x0000000074390000-0x000000007450B000-memory.dmp
memory/548-20-0x0000000050310000-0x0000000050349000-memory.dmp
memory/5104-21-0x0000000074390000-0x000000007450B000-memory.dmp
memory/548-19-0x0000000050120000-0x000000005030D000-memory.dmp
memory/548-18-0x0000000057800000-0x0000000057812000-memory.dmp
memory/548-17-0x0000000057000000-0x000000005703F000-memory.dmp
memory/548-16-0x0000000059800000-0x000000005986E000-memory.dmp
memory/548-15-0x0000000050000000-0x0000000050116000-memory.dmp
memory/548-14-0x0000000000400000-0x0000000000698000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8cea2507
| MD5 | cdfb92edb86c38a0f4264f56484b9bde |
| SHA1 | f130fd69fdc54425cf29b5cb16b1e3bab7e04f96 |
| SHA256 | c45751c2a8cd57dcbe378311c9a489004aa14f3e8b1f1f7dcd96a88ff523c987 |
| SHA512 | 831c628de8f5dd446476458d623d9ec0f90445e992edd10dc2e5bcf887b3285c994c3368ff14c30a2c47c300bf0bbd6619ef44bfcb64729eb7d89e0e6fd1b217 |
memory/5104-23-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp
memory/5104-25-0x0000000074390000-0x000000007450B000-memory.dmp
memory/5104-27-0x0000000074390000-0x000000007450B000-memory.dmp
memory/5104-29-0x0000000074390000-0x000000007450B000-memory.dmp
memory/5104-30-0x0000000074390000-0x000000007450B000-memory.dmp
memory/5104-33-0x0000000074390000-0x000000007450B000-memory.dmp
memory/4716-32-0x0000000072E30000-0x0000000074084000-memory.dmp
memory/4716-36-0x000000007268E000-0x000000007268F000-memory.dmp
memory/4716-37-0x0000000001210000-0x0000000001226000-memory.dmp
memory/4716-38-0x0000000072680000-0x0000000072E30000-memory.dmp
memory/4716-39-0x0000000005EA0000-0x0000000006444000-memory.dmp
memory/4716-40-0x0000000005AD0000-0x0000000005B62000-memory.dmp
memory/4716-41-0x0000000005AC0000-0x0000000005ACA000-memory.dmp
memory/4716-42-0x000000007268E000-0x000000007268F000-memory.dmp
memory/4716-43-0x0000000072680000-0x0000000072E30000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1564 wrote to memory of 4420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1564 wrote to memory of 4420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1564 wrote to memory of 4420 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madbasic_.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madbasic_.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2880 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2040 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\maddisAsm_.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\maddisAsm_.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win10v2004-20240426-en
Max time kernel
132s
Max time network
102s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3108 wrote to memory of 4444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 4444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3108 wrote to memory of 4444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vcl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vcl120.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win7-20240508-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vclx120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vclx120.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 268
Network
Files
memory/1732-0-0x0000000050310000-0x0000000050349000-memory.dmp
memory/1732-1-0x0000000050000000-0x0000000050116000-memory.dmp
memory/1732-2-0x0000000050120000-0x000000005030D000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2880 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2880 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madbasic_.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\madbasic_.dll",#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1080 wrote to memory of 2140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1080 wrote to memory of 2140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1080 wrote to memory of 2140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\rtl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\rtl120.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-25 09:03
Reported
2024-05-25 09:05
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2196 wrote to memory of 2792 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vcl120.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\vcl120.dll",#1