asyncrat | hxxps://drive[.]google[.]com/uc?export=download&id=1hfnYcH__GjFgOkUkCIv12lOcqHGd2N23

Analysis

max time kernel
240s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1hfnYcH__GjFgOkUkCIv12lOcqHGd2N23

Score

10^/10

asyncrat probando1 discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

PROBANDO1

probando1.con-ip.com:6606

Mutex

uuooxuxbnkywum

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 2 IoCs

pid	Process
3648	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
2404	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jrhkhbvt = "C:\\Users\\Admin\\AppData\\Roaming\\Jrhkhbvt.exe"	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3648 set thread context of 8160	3648	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe	102
PID 2404 set thread context of 6712	2404	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe	105

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
3920	msedge.exe
3920	msedge.exe
4812	identity_helper.exe
4812	identity_helper.exe
4980	msedge.exe
4980	msedge.exe
3212	msedge.exe
3212	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1544	7zG.exe
Token: 35	1544	7zG.exe
Token: SeSecurityPrivilege	1544	7zG.exe
Token: SeSecurityPrivilege	1544	7zG.exe
Token: SeDebugPrivilege	3648	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
Token: SeDebugPrivilege	3648	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
Token: SeDebugPrivilege	8160	aspnet_compiler.exe
Token: SeDebugPrivilege	2404	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
Token: SeDebugPrivilege	2404	DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
1544	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2112	3920	msedge.exe	78
PID 3920 wrote to memory of 2112	3920	msedge.exe	78
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 3112	3920	msedge.exe	79
PID 3920 wrote to memory of 4904	3920	msedge.exe	80
PID 3920 wrote to memory of 4904	3920	msedge.exe	80
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81
PID 3920 wrote to memory of 4344	3920	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?export=download&id=1hfnYcH__GjFgOkUkCIv12lOcqHGd2N23
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc66253cb8,0x7ffc66253cc8,0x7ffc66253cd8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,14368782062492125233,2363466609588752173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5460 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4660

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674\" -spe -an -ai#7zMap1602:238:7zEvent16226
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1544

C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
"C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8160

C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe
"C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
797B

MD5
b4d48ce1ecc449226376b80391ccf6fd

SHA1
e505982998e8ead1fc71b90bce66ea79adcbc517

SHA256
dda2d80ab76d01972db871f5e284d8db33f3f9825e0332a6812c6b90538081d5

SHA512
8c24559a46abe7e16cf32293a6d9b1d61ece742a6b22f0a1a7e9f212089023c32cbac53a615ec2145933fccf09e8b17f1ecf575b0bdbea887f7008b8f4bb7968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
458298423b048262f2ff19d7182307fb

SHA1
57bc1eddcb67dcb68cf401c6760bc5220e398535

SHA256
570fc7486a54bc54bfe362f7d9389762fc5ab80a9454594072f2a74114e9419e

SHA512
c3f4e437adf31b3e813526ce024153896141b8dd8c9380facb760b0ee077b6124dbfcd96094febae56efccdd0fcd3de4e9ce42a163dbe7b2a3f1073cdcbfe07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fba7fea21c0de57c59e5861f5c8b4145

SHA1
7db179ca352f1e46cc3bb1e5f93fce9ba0fbc518

SHA256
a32ce02fb03dac5b00ca9e223e4155f86f615165d5f8b914dcfc997fea8204de

SHA512
38288257a702dda0fcb79ded05d4bc5c6ade5ac5c9515c2c0266df5dbedba95cb17d1c9c16404215031b0db4814edf577565620ef0a4a5089dc0b16f29c0dec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18b12d30977e7a14ac178acb773ae826

SHA1
27a52a38e6b5840f5a2990e9f59a59cf48935a2e

SHA256
96a4cbcbb5bee1391e0b6ae82cf4d628b3f1070cb5a5da5165a242c110d57630

SHA512
611e7debceb095ccfa90d934e23bcc067dee119d965c144c530f6d0749f207e8d2f3792131cdfb4085d90e379b9637754ace8472cd8e4579d4b8962df4a40fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b49be852de82d3f5f7365dedb314da7a

SHA1
523e6e136a9212f36785c1086c277e5cd82caa93

SHA256
1a36eb3ff149271938f51208a95bf68fadf09427c3bd88e96309429cf1ba9113

SHA512
4c4ccffb1cbe97c6ec9ebd780abde81d7114c0c01f58776e3c6c7714377b717e5320a3bc1854e558071bbb8551ab29171434e577f549e6465cefa63508e45d51

Download Submit
C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.rar

Filesize
905KB

MD5
f2728c3bdd11e4602f52620abc65bf88

SHA1
ff32a3f591a8b0ca3fe91726a3a1f6f768fdcfd6

SHA256
22f991b244c344887b6d18904f1df16accf12420ecc88910123c6d4a55355c50

SHA512
9474bc97f1c65f5d756fb6415ea9c9ca26b9577440666f775b3bd0043249f29f0c9feb7287282ff8c05ef1a3d3704ea07f14d0c201422d168d0de37fc906b009

Download Submit
C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.rar:Zone.Identifier

Filesize
186B

MD5
d672ec6531eb20de175d951a05d20ca4

SHA1
84afed824af3d4a099bace20ce2f567dffc1f67c

SHA256
2a643fdbd74ad1bd24a310a3d6fe815f54ff774c39ed9af87987d88bf2d458a4

SHA512
3fe23b67e10452b394c84a908083d44a99cafd96a00896c2a4d2297d5bdb15438b6dd4871a93044094e6f2c456133136743027a002246c76f1285c7473a10ded

Download Submit
C:\Users\Admin\Downloads\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674\DOCUMENTOS CONTABLES ANEXADOS CON FACTURAS DETALLADAS 8324693223645983265932659863445674.exe

Filesize
930KB

MD5
2987d18731fd2479bddabac71be5c4e4

SHA1
25f63177fd7802252099b41ab0700fd9895e5d8e

SHA256
caecb509fecc24d1d0a920fdabd1369aad6e7afc955cd22531d2c5b842cd6b30

SHA512
f10ff174cec1288f3b25facd1731ff4a284b43a5db0743af72b12a33207709d7a61f49004d29d3f69b53f50a3dc09d4d600b8ae6e8a4c7e428bf4dd472459f41

Download Submit
memory/3648-130-0x0000000000500000-0x00000000005EE000-memory.dmp

Filesize
952KB

Download
memory/3648-131-0x00000000052C0000-0x00000000053A0000-memory.dmp

Filesize
896KB

Download
memory/3648-132-0x0000000005510000-0x00000000055F0000-memory.dmp

Filesize
896KB

Download
memory/3648-134-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-146-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-182-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-196-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-1208-0x0000000005670000-0x00000000056BC000-memory.dmp

Filesize
304KB

Download
memory/3648-1207-0x00000000056D0000-0x000000000572C000-memory.dmp

Filesize
368KB

Download
memory/3648-194-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-190-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-180-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-178-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-176-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-174-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-172-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-170-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-168-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-166-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-164-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-162-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-160-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-158-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-156-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-152-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-150-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-148-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-192-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-188-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-186-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-184-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-144-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-142-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-140-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-138-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-154-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-136-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-133-0x0000000005510000-0x00000000055EB000-memory.dmp

Filesize
876KB

Download
memory/3648-1221-0x00000000063D0000-0x0000000006976000-memory.dmp

Filesize
5.6MB

Download
memory/3648-1222-0x0000000005AA0000-0x0000000005AF4000-memory.dmp

Filesize
336KB

Download
memory/8160-1225-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/8160-1226-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/8160-1227-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download