Resubmissions

30/07/2024, 22:59 UTC

240730-2ynw5ayajh 10

30/07/2024, 22:56 UTC

240730-2wvlwsxhma 10

30/07/2024, 22:49 UTC

240730-2rrpfatbrk 10

Analysis

  • max time kernel
    298s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/07/2024, 22:56 UTC

General

  • Target

    05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO/02 CITACION DEMANDA..exe

  • Size

    2.3MB

  • MD5

    5d52ef45b6e5bf144307a84c2af1581b

  • SHA1

    414a899ec327d4a9daa53983544245b209f25142

  • SHA256

    26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616

  • SHA512

    458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48

  • SSDEEP

    49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

gfbvhbh2024.kozow.com:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
nVXWogDuo1uuoQDBFT3XagpvKlaE7c8o

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\02 CITACION DEMANDA..exe
    "C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\02 CITACION DEMANDA..exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:632

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1FE128A4097E607621D63C6808C5614D; domain=.bing.com; expires=Sun, 24-Aug-2025 22:57:25 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FDC54E6449CB40288E41C2D634BE44FD Ref B: LON04EDGE0810 Ref C: 2024-07-30T22:57:25Z
    date: Tue, 30 Jul 2024 22:57:25 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1FE128A4097E607621D63C6808C5614D
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=wrm3dSKfPaXwQ690iiIwnSmRnsd3i8o6cBFK2FjHsi4; domain=.bing.com; expires=Sun, 24-Aug-2025 22:57:25 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D02B820BA88C4896BC46FD44204C2972 Ref B: LON04EDGE0810 Ref C: 2024-07-30T22:57:25Z
    date: Tue, 30 Jul 2024 22:57:25 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1FE128A4097E607621D63C6808C5614D; MSPTC=wrm3dSKfPaXwQ690iiIwnSmRnsd3i8o6cBFK2FjHsi4
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E591A40B29004EB8B1BEA4E91B55323E Ref B: LON04EDGE0810 Ref C: 2024-07-30T22:57:25Z
    date: Tue, 30 Jul 2024 22:57:25 GMT
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    gfbvhbh2024.kozow.com
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    gfbvhbh2024.kozow.com
    IN A
    Response
    gfbvhbh2024.kozow.com
    IN A
    45.32.169.187
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.179.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.179.89.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    gfbvhbh2024.kozow.com
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    gfbvhbh2024.kozow.com
    IN A
    Response
    gfbvhbh2024.kozow.com
    IN A
    45.32.169.187
  • flag-us
    DNS
    99.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.58.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    gfbvhbh2024.kozow.com
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    gfbvhbh2024.kozow.com
    IN A
    Response
    gfbvhbh2024.kozow.com
    IN A
    45.32.169.187
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a85594eb64b04acc84855a03db47f265&localId=w:56220B6C-825D-E352-B545-4639FBCA0488&deviceId=6896205211099286&anid=

    HTTP Response

    204
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    260 B
    5
  • 45.32.169.187:2000
    gfbvhbh2024.kozow.com
    MSBuild.exe
    104 B
    2
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    gfbvhbh2024.kozow.com
    dns
    MSBuild.exe
    67 B
    83 B
    1
    1

    DNS Request

    gfbvhbh2024.kozow.com

    DNS Response

    45.32.169.187

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    14.179.89.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    14.179.89.13.in-addr.arpa

  • 8.8.8.8:53
    gfbvhbh2024.kozow.com
    dns
    MSBuild.exe
    67 B
    83 B
    1
    1

    DNS Request

    gfbvhbh2024.kozow.com

    DNS Response

    45.32.169.187

  • 8.8.8.8:53
    99.58.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    99.58.20.217.in-addr.arpa

  • 8.8.8.8:53
    gfbvhbh2024.kozow.com
    dns
    MSBuild.exe
    67 B
    83 B
    1
    1

    DNS Request

    gfbvhbh2024.kozow.com

    DNS Response

    45.32.169.187

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\49656686

    Filesize

    774KB

    MD5

    aae7737c89ed9240d276bd0aa72e0ee7

    SHA1

    f4b7c0c0400ea2d70e2a905be38a4fa44b8dbcb3

    SHA256

    3a47427ccc04b02942950fde1d7c62a5aa447c9a3417deee0ae6e954ad81f785

    SHA512

    8ad80bde85cddb054dbf71ea7cdd4bd9c959b4aef5aad05bc131adc8238ba01383723838c9fa1586a9b0d8153e3afdda94617007eee11988686be85a484154ac

  • memory/212-15-0x0000000059800000-0x000000005986E000-memory.dmp

    Filesize

    440KB

  • memory/212-10-0x0000000074402000-0x0000000074404000-memory.dmp

    Filesize

    8KB

  • memory/212-11-0x00000000743F0000-0x000000007456B000-memory.dmp

    Filesize

    1.5MB

  • memory/212-12-0x00000000743F0000-0x000000007456B000-memory.dmp

    Filesize

    1.5MB

  • memory/212-14-0x0000000000400000-0x0000000000698000-memory.dmp

    Filesize

    2.6MB

  • memory/212-20-0x0000000050310000-0x0000000050349000-memory.dmp

    Filesize

    228KB

  • memory/212-19-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

  • memory/212-1-0x00007FFD9C930000-0x00007FFD9CB25000-memory.dmp

    Filesize

    2.0MB

  • memory/212-18-0x0000000057800000-0x0000000057812000-memory.dmp

    Filesize

    72KB

  • memory/212-17-0x0000000057000000-0x000000005703F000-memory.dmp

    Filesize

    252KB

  • memory/212-16-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

  • memory/212-0-0x00000000743F0000-0x000000007456B000-memory.dmp

    Filesize

    1.5MB

  • memory/632-36-0x0000000005690000-0x0000000005722000-memory.dmp

    Filesize

    584KB

  • memory/632-35-0x0000000005A60000-0x0000000006004000-memory.dmp

    Filesize

    5.6MB

  • memory/632-32-0x00000000747DE000-0x00000000747DF000-memory.dmp

    Filesize

    4KB

  • memory/632-39-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

  • memory/632-38-0x00000000747DE000-0x00000000747DF000-memory.dmp

    Filesize

    4KB

  • memory/632-29-0x0000000072E90000-0x00000000740E4000-memory.dmp

    Filesize

    18.3MB

  • memory/632-37-0x0000000005820000-0x000000000582A000-memory.dmp

    Filesize

    40KB

  • memory/632-33-0x0000000000990000-0x00000000009A6000-memory.dmp

    Filesize

    88KB

  • memory/632-34-0x00000000747D0000-0x0000000074F80000-memory.dmp

    Filesize

    7.7MB

  • memory/840-28-0x00000000743F0000-0x000000007456B000-memory.dmp

    Filesize

    1.5MB

  • memory/840-23-0x00007FFD9C930000-0x00007FFD9CB25000-memory.dmp

    Filesize

    2.0MB

  • memory/840-25-0x00000000743F0000-0x000000007456B000-memory.dmp

    Filesize

    1.5MB

  • memory/840-21-0x00000000743F0000-0x000000007456B000-memory.dmp

    Filesize

    1.5MB

  • memory/840-26-0x00000000743F0000-0x000000007456B000-memory.dmp

    Filesize

    1.5MB
