asyncrat | hxxps://drive[.]google[.]com/uc?export=download&id=1wduOSkkWqh5x4hm4wtdsd-UF7CWsaGMS

Analysis

max time kernel
124s
max time network
125s
platform
windows10-1703_x64
resource
win10-20240404-es
resource tags

arch:x64arch:x86image:win10-20240404-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
01-10-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1wduOSkkWqh5x4hm4wtdsd-UF7CWsaGMS

Score

10^/10

asyncrat probando1 discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

PROBANDO1

probando1.con-ip.com:6606

Mutex

uuooxuxbnkywum

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 1 IoCs

Processes:

ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe

pid process

1960 ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe

pid	process
1960	ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lrlng = "C:\\Users\\Admin\\AppData\\Roaming\\Lrlng.exe"	ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 drive.google.com
3 drive.google.com
4 drive.google.com

flow	ioc
2	drive.google.com
3	drive.google.com
4	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe

description	pid	process	target process
PID 1960 set thread context of 236	1960	ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe	aspnet_compiler.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exeaspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133722717914974283"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exe7zFM.exechrome.exe

pid process

1364 chrome.exe
1364 chrome.exe
3696 7zFM.exe
3696 7zFM.exe
5032 chrome.exe
5032 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3696 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1364 chrome.exe
1364 chrome.exe
1364 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe

pid	process
3696	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeRestorePrivilege	3696	7zFM.exe
Token: 35	3696	7zFM.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe
Token: SeShutdownPrivilege	1364	chrome.exe
Token: SeCreatePagefilePrivilege	1364	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
3696	7zFM.exe
3696	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe
1364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1364 wrote to memory of 3356	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 3356	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4384	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4856	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 4856	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe
PID 1364 wrote to memory of 5020	1364	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?export=download&id=1wduOSkkWqh5x4hm4wtdsd-UF7CWsaGMS
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbe5769758,0x7ffbe5769768,0x7ffbe5769778
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:2
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:8
2⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1892 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:1
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2868 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:1
2⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3752 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:1
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3160 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:8
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:8
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:8
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3332 --field-trial-handle=1860,i,16743989216903936898,16338860238963551022,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1848

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR98765746354254675843656 .rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3696

C:\Users\Admin\AppData\Local\Temp\7zO07E4EC78\ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe
"C:\Users\Admin\AppData\Local\Temp\7zO07E4EC78\ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e0a6d25b640390a75fc1825027e3ea6c

SHA1
5d55e97a7611a7f922e70fc490275379ebb443c7

SHA256
1c47a1cf7241cfdfd6ffa259c1c4a7a6c8387419fa058f64106886d1306f0e68

SHA512
f76d4757c623ba2f854a051a90e04ef53c60885db15a713f06b3ba29162507d58ee6fb9be666570eb6a27d161d412ff1aaeb214ce675e9a07a667a3e0509e3b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
3dcbb0ae0dbd558487e14fd5b1a3417c

SHA1
d0e08fd38dee15023c14645bffe427e3ee6e1773

SHA256
2fdc838e2c1721bfbeafabcd88df869e1ba8786d4acd0d915d407bdf73e36eb9

SHA512
7fd8bdd8bd35d2999db9811fddd52394e8ff8c7f6c45561888b9866645b5fa5005bee0ad296100f2914975d096c708667137771af1163e2808c9309c0b5d7925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
be92ea3b42953950c200477f966c8083

SHA1
a9438314a39d810fb13cf127ec88c39ced58d3c4

SHA256
04c6908b01225f55f6a80d978559ac7a06d759f37ae1f63d5966918232594e61

SHA512
2e359bf2e3e44d38476fcb06bb66099d9bfb26bee7c3fb1b0bde56e2303ba89e3aae204edffd817ed1185e97034a6d60ef7a1c918a2f10523857cd6be902e04f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5d3f94a91ae59082f8c023e431f2b2a0

SHA1
7b4b9ce08d56825d65b68651cda1265c59e670cf

SHA256
458d332e72aa231a0d1c47d37f08fe1c6df0d0f17178f58cedc2c8b42cec98a2

SHA512
4899de9e7639086c41c676ec4f54e5c3a64f30251e0c756be046047d3696cf6490f3cabe55a969a863c314cb13cd581a3b862554d3b4eebd30e92ac6bcd4c30f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
de10be623dc805c1b145aacdc875f9a1

SHA1
7fb3b352d22db645d2b303525a97f66314f43354

SHA256
d76f6b59697028a9e067cff5423ea2135ed231a19d6195cf0a86c852b6a90551

SHA512
690a4cd8441f6f32391001ad1a46d6508f8d357b8055bb357531f98145a9555c20dc005981134ed03b7c055f5c09111ed4b2cb00a14f332216993702acac7a91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
4c65924252550aef75f4f3dde96093b9

SHA1
8b5e85540c3a67ac2320202095da30ba3e3a7da0

SHA256
7ed4a9f8522b87145e50ccac815bda7cb7f63e986c644508b5d39e010ce0cc23

SHA512
04531a6d73195c79dacc13c8ab26e7ccac1fc2881b2c40e3659f22b3eb570c7559c3717b6987a20dc1d640025293cc2153075639c2c2545cc7872e1c8dcd8f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dc66.TMP

Filesize
94KB

MD5
cf1c4d6844143dddc98bd51c34e5d292

SHA1
fd1dcf41ef02211852864c7d6da33136dcf208df

SHA256
11cd828f829847216b89f35ccf4a2446108428d59c9e688a1e70e9d25470bd93

SHA512
267426d568d6bf406e2d5b43a7c94882fbc2d7faee7a0c956fd560afef532a9b77b020029b1e4e7fb9944211d5012c34162e85422f5fb7c1b902feef2abcd529

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO07E4EC78\ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR .exe

Filesize
1.2MB

MD5
85f7b821447f60fac22dfc4f1dc0c417

SHA1
a3953f0173b52b2d766c68b781ec2cf299d1d5a9

SHA256
482463199b527d7219500816c7f7140bec353045c8f312f49efbb75e17382d51

SHA512
066f12eab46fb4c6392c54e93f503441537004569c5ca277a90e116bd4a4c87465aa10aaaa1ab3025fc196b0a3613b0f7f3895acb5662ea2aadbe0f83a928511

Download Submit
C:\Users\Admin\Downloads\ANEXADOS Y DOCUMENTOS POR ENTE PARA PROCESO REGULADOR98765746354254675843656 .rar.crdownload

Filesize
1.0MB

MD5
68ae65c536d08100b6e5596de57ee785

SHA1
bb2b6f12611cabc2c40cacd53958c8983202e7d2

SHA256
13ad7f815c8f9ea1a87f00710ac3a2d4670317aee0e4154fa3bb1737b14e2e7b

SHA512
edb937be7b482df22b964b66f1ac9881aea7e857dde3e1ccd16b1d64cf72c0091babbf854c49ec78fccc6f0042b2c468651b1aab1c173b6a205f7f4bedcb7b49

Download Submit
\??\pipe\crashpad_1364_BKJBIVZYMJHJQQMR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/236-1192-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/236-1191-0x0000000005CE0000-0x0000000005D7C000-memory.dmp

Filesize
624KB

Download
memory/236-1188-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1960-127-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-111-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-149-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-145-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-139-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-137-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-135-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-133-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-131-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-129-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-143-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-141-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-147-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-125-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-123-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-121-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-119-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-117-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-115-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-151-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-107-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-105-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-103-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-97-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-95-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-113-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-91-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-101-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-99-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-89-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-88-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-1164-0x0000000004C30000-0x0000000004C8C000-memory.dmp

Filesize
368KB

Download
memory/1960-1165-0x0000000004C90000-0x0000000004CDC000-memory.dmp

Filesize
304KB

Download
memory/1960-109-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-1183-0x00000000052B0000-0x00000000053B2000-memory.dmp

Filesize
1.0MB

Download
memory/1960-1184-0x00000000058C0000-0x0000000005DBE000-memory.dmp

Filesize
5.0MB

Download
memory/1960-1185-0x00000000051E0000-0x0000000005234000-memory.dmp

Filesize
336KB

Download
memory/1960-93-0x0000000004990000-0x0000000004A6B000-memory.dmp

Filesize
876KB

Download
memory/1960-87-0x0000000004990000-0x0000000004A72000-memory.dmp

Filesize
904KB

Download
memory/1960-86-0x0000000000030000-0x0000000000170000-memory.dmp

Filesize
1.2MB

Download