asyncrat | hxxps://docs[.]google[.]com/uc?export=download&id=111IURIV45bsrkUdYePPPURs5b5RJmOdy

Analysis

max time kernel
121s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=111IURIV45bsrkUdYePPPURs5b5RJmOdy

Score

10^/10

asyncrat bendiciones max persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

BENDICIONES MAX

cascadas2024.casacam.net:8007

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 3 IoCs

pid	Process
3436	Formato_Juridico_PROC_N°_427291771..exe
5788	Formato_Juridico_PROC_N°_427291771..exe
5872	Formato_Juridico_PROC_N°_427291771..exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abcuodater = "C:\\Users\\Admin\\Documents\\unaReversa\\unaVersia.exe"	Formato_Juridico_PROC_N°_427291771..exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abcuodater = "C:\\Users\\Admin\\Documents\\unaReversa\\unaVersia.exe"	Formato_Juridico_PROC_N°_427291771..exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abcuodater = "C:\\Users\\Admin\\Documents\\unaReversa\\unaVersia.exe"	Formato_Juridico_PROC_N°_427291771..exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 5832	3436	Formato_Juridico_PROC_N°_427291771..exe	130
PID 5788 set thread context of 2436	5788	Formato_Juridico_PROC_N°_427291771..exe	132
PID 5872 set thread context of 5880	5872	Formato_Juridico_PROC_N°_427291771..exe	133

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1956	msedge.exe
1956	msedge.exe
4488	msedge.exe
4488	msedge.exe
4144	msedge.exe
4144	msedge.exe
1920	identity_helper.exe
1920	identity_helper.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe
1428	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	5852	7zFM.exe
Token: 35	5852	7zFM.exe
Token: SeRestorePrivilege	4516	7zG.exe
Token: 35	4516	7zG.exe
Token: SeSecurityPrivilege	4516	7zG.exe
Token: SeSecurityPrivilege	4516	7zG.exe
Token: SeDebugPrivilege	5832	csc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
5852	7zFM.exe
4516	7zG.exe
4516	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3152	OpenWith.exe
5708	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 5068	4488	msedge.exe	82
PID 4488 wrote to memory of 5068	4488	msedge.exe	82
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 2580	4488	msedge.exe	83
PID 4488 wrote to memory of 1956	4488	msedge.exe	84
PID 4488 wrote to memory of 1956	4488	msedge.exe	84
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85
PID 4488 wrote to memory of 5060	4488	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/uc?export=download&id=111IURIV45bsrkUdYePPPURs5b5RJmOdy
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffde80646f8,0x7ffde8064708,0x7ffde8064718
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16609351799497330351,2160580101449967060,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5708

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Formato_Juridico_PROC_N°_427291771.tar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\" -spe -an -ai#7zMap11949:126:7zEvent3158
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4516

C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\Formato_Juridico_PROC_N°_427291771..exe
"C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\Formato_Juridico_PROC_N°_427291771..exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5832

C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\Formato_Juridico_PROC_N°_427291771..exe
"C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\Formato_Juridico_PROC_N°_427291771..exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2436

C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\Formato_Juridico_PROC_N°_427291771..exe
"C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\Formato_Juridico_PROC_N°_427291771..exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csc.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
511B

MD5
209e9f4afcae35785ea762f182867b35

SHA1
6efe711ddb4584612a93e3753dd7b0c9b28e46a0

SHA256
394108ac74a274334d48df8556e8e2286dda9a70c7225f3e5e2624bdb49356aa

SHA512
8c9ef71fc8fc8781701235a0e414d904c9f0b711d007e345cfbac29a5c704e31f004692ee580cc008e481174daaec71bb1b79480eb54c537be432e7e51990422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bef99dffa81418b80224d7d9a7191bab

SHA1
a8337f716dc7017df9838dcc0e3734e879013182

SHA256
ade344e15d7c069184b2b19d783518439a4416a770d0b865de7a6dd163a87efb

SHA512
e0e46d53dd987d790387578b77e3caffd2b2b988ad9efde1b24cde087d41eba49cce5a589b1d4dd612321bb852b5837aae0295557e9c5db0af498e75b914f86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a3e06eb6b32f6d44f15b85599e40e317

SHA1
63668dd2d4dda3eb11d88be135ee2c6239d2bba5

SHA256
c91137e9d74c5a075334658480ae87a4acfce415701ad7911d5b67ba1256c449

SHA512
49d031b17f2709c5b4ad7b0b1df7f3b2e189c33fb8e9ffeb718e87a70036832139a58295c82a8cdbe083eee564a97de3b485a867a2511e5b02099a1c73b63961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5156f3b39f093dd8b3ecc7ec6fd7ae4e

SHA1
91f1c879bbaf513f71413ccda7b65c0dec4165ec

SHA256
92f59fee5b91affa762b43af31962946689e4c082cbafded6d1190f1e92ffb41

SHA512
526a082ed822b04588e334bc028db044e0007c189edbd329c0bad4172dc75cdb39ae4e070a0c72012defae80aa4fae39798f1261a8b3745ec85214d77771b6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c22a22328280b4b0b923fc2eb86c98cd

SHA1
afba7bb4bcd3c68c55d214d0e7f2ab357de24412

SHA256
05350d428199ed1a56691a74ca9f36c941b966c7075a15ea88462f8deff9ae98

SHA512
b3e0b23acb5f2c789f22a0bbcf22b7edd7a514eab0e50c84c89dc71f7288106a8b23c258f0610045a4d332712adfd29c8d843daced80bc0746616fca1d83b30f

Download Submit
C:\Users\Admin\Desktop\Formato_Juridico_PROC_N°_427291771\Formato_Juridico_PROC_N°_427291771..exe

Filesize
1.2MB

MD5
85c05fdce803cedbcc8c85b940f413f0

SHA1
3dc4b04d587184791f3c298bbd451516d6cd0534

SHA256
ad9cc67cb32b0d430cd8de00ea954d2028f0b7ab0aaca0a4a0caf0f0ae261e36

SHA512
ebbb6c1560628f282e1da2f7028a47013b346d44cef627490674ef800c9e752789e5e81f14421021ea0a0d2df83419f124e62e86b4e33c315df9cc0477dbfe4e

Download Submit
C:\Users\Admin\Documents\unaReversa\unaVersia.exe

Filesize
220.9MB

MD5
4d3f8d3723807912b88dc6eff4fbc90d

SHA1
c9e564c1ad4f62600b75f2eb5595f9ebf9dfb8b9

SHA256
3cc4fe4b103e98630d4acf6df9df746eba676c47ead4249b7026054b5ccab33f

SHA512
e6343d4146c354f1002e023c0126d4c9c9d83b834b70e85ca12a1db92bba2e0bc4a58d8ed139b4e3f250a2e72e71ae39fd83eeb3e839e54ee7815a5d0b8177e8

Download Submit
C:\Users\Admin\Documents\unaReversa\unaVersia.exe

Filesize
633.6MB

MD5
684529ef9ce7b0d5d10345a6ecbe3fcd

SHA1
4e33333451b794cac971642c60dfbc510e14f3f9

SHA256
24eaf795866403c7a8ea5a0f69603a208a9cd3cf909d2da3fe30bdcd9ef1e177

SHA512
7e5ad427a17f059c127423d2a81a6e80d4bfc78bf33179fa0e3cd817bce29116b5e67880dfa716d90ea399284b20212de72e1e8939823f9820a09cd6044653c1

Download Submit
C:\Users\Admin\Downloads\Formato_Juridico_PROC_N°_427291771.tar

Filesize
444KB

MD5
b90d0b609b68aa1b98dd612d53508b43

SHA1
cbe075c77af3b727873f9e076a70cd5d9e1b4ae9

SHA256
81e9a66d69802ab38f9736e202abea170466d7f223b33b5125636e029eb5a24c

SHA512
3949e8bee38f89e152ab80be9febba9bcad3ba1a22140971e42ea5f795e1406ad1469e03dfac5c776e027df5a2e2232de4c287909bb3303c811e550696c8f359

Download Submit
memory/2436-141-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/3436-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5788-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5832-135-0x0000000005650000-0x00000000056EC000-memory.dmp

Filesize
624KB

Download
memory/5832-137-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/5832-136-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/5832-133-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/5872-143-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5880-145-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download