asyncrat | d757220303ba2375cddfe686e9ff44bb758a19e2faf63296fadf9911528207e2

Analysis

max time kernel
181s
max time network
175s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-10-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFICIO REMISORIO N° 225374198.rar
Size

958KB
MD5

8ea3a2e7c8b5576fbe35faae4b825e40
SHA1

f570beefbac268457f9a4fca248c612fb208d255
SHA256

d757220303ba2375cddfe686e9ff44bb758a19e2faf63296fadf9911528207e2
SHA512

b45662493500a43d19aa27cfc4264cbc93e8df2b92323de0348c3751d6561b4ef244d9521d506e08e3c61d89c7481b490c909409b306ccdc49c92c0bbd62b796
SSDEEP

12288:0lRAH//JpYDDZsF7jkpebOIMgZVwHTOrnC7niSWJJLzMt6OIEZIMpxnPfB/VPPYL:0UHZpO6JjceZV6CQi9DMtdIE6gPfjnL4

Score

10^/10

asyncrat octubre 9 discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

octubre 9

dcmen09.duckdns.org:6000

Mutex

firewalljegjgghfyfyfyksklddhcmsjgkeedhkio

Attributes

delay
10
install
false
install_file
defender
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 9 IoCs

Processes:

OFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exe

pid	process
5000	OFICIO REMISORIO N° 225374198.exe
4704	OFICIO REMISORIO N° 225374198.exe
1976	OFICIO REMISORIO N° 225374198.exe
3224	OFICIO REMISORIO N° 225374198.exe
4072	OFICIO REMISORIO N° 225374198.exe
5068	OFICIO REMISORIO N° 225374198.exe
4040	OFICIO REMISORIO N° 225374198.exe
916	OFICIO REMISORIO N° 225374198.exe
2172	OFICIO REMISORIO N° 225374198.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe"	OFICIO REMISORIO N° 225374198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe"	OFICIO REMISORIO N° 225374198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe"	OFICIO REMISORIO N° 225374198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe鬀"	OFICIO REMISORIO N° 225374198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe䀀"	OFICIO REMISORIO N° 225374198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe\u3100"	OFICIO REMISORIO N° 225374198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe怀"	OFICIO REMISORIO N° 225374198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe쀀"	OFICIO REMISORIO N° 225374198.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

description	pid	process	target process
PID 5000 set thread context of 5100	5000	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4704 set thread context of 164	4704	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 1976 set thread context of 2812	1976	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 3224 set thread context of 3172	3224	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4072 set thread context of 820	4072	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5068 set thread context of 3368	5068	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4040 set thread context of 4104	4040	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 916 set thread context of 4520	916	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 2172 set thread context of 1644	2172	OFICIO REMISORIO N° 225374198.exe	csc.exe

Drops file in Windows directory 1 IoCs

Processes:

7zFM.exe

description ioc process

File created C:\Windows\rescache\_merged\3720402701\1568373884.pri 7zFM.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	7zFM.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

OFICIO REMISORIO N° 225374198.execsc.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.execsc.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.execsc.execsc.exeOFICIO REMISORIO N° 225374198.execsc.exeOFICIO REMISORIO N° 225374198.execsc.execsc.execsc.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.execsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OFICIO REMISORIO N° 225374198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry class 2 IoCs

Processes:

7zG.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	7zG.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7zFM.exe

pid process

3152 7zFM.exe
3152 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exe7zG.exe

pid process

3152 7zFM.exe
1524 7zG.exe

pid	process
3152	7zFM.exe
3152	7zFM.exe

pid	process
3152	7zFM.exe
1524	7zG.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zFM.execsc.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	3152	7zFM.exe
Token: 35	3152	7zFM.exe
Token: SeSecurityPrivilege	3152	7zFM.exe
Token: SeDebugPrivilege	5100	csc.exe
Token: SeRestorePrivilege	1524	7zG.exe
Token: 35	1524	7zG.exe
Token: SeSecurityPrivilege	1524	7zG.exe
Token: SeSecurityPrivilege	1524	7zG.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe7zG.exe

pid process

3152 7zFM.exe
3152 7zFM.exe
1524 7zG.exe

pid	process
3152	7zFM.exe
3152	7zFM.exe
1524	7zG.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

7zFM.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exeOFICIO REMISORIO N° 225374198.exe

description	pid	process	target process
PID 3152 wrote to memory of 5000	3152	7zFM.exe	OFICIO REMISORIO N° 225374198.exe
PID 3152 wrote to memory of 5000	3152	7zFM.exe	OFICIO REMISORIO N° 225374198.exe
PID 3152 wrote to memory of 5000	3152	7zFM.exe	OFICIO REMISORIO N° 225374198.exe
PID 5000 wrote to memory of 5100	5000	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5000 wrote to memory of 5100	5000	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5000 wrote to memory of 5100	5000	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5000 wrote to memory of 5100	5000	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5000 wrote to memory of 5100	5000	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 3152 wrote to memory of 1524	3152	7zFM.exe	7zG.exe
PID 3152 wrote to memory of 1524	3152	7zFM.exe	7zG.exe
PID 4704 wrote to memory of 164	4704	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4704 wrote to memory of 164	4704	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4704 wrote to memory of 164	4704	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4704 wrote to memory of 164	4704	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4704 wrote to memory of 164	4704	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 1976 wrote to memory of 2812	1976	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 1976 wrote to memory of 2812	1976	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 1976 wrote to memory of 2812	1976	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 1976 wrote to memory of 2812	1976	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 1976 wrote to memory of 2812	1976	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 3224 wrote to memory of 3172	3224	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 3224 wrote to memory of 3172	3224	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 3224 wrote to memory of 3172	3224	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 3224 wrote to memory of 3172	3224	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 3224 wrote to memory of 3172	3224	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4072 wrote to memory of 820	4072	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4072 wrote to memory of 820	4072	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4072 wrote to memory of 820	4072	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4072 wrote to memory of 820	4072	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4072 wrote to memory of 820	4072	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5068 wrote to memory of 3368	5068	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5068 wrote to memory of 3368	5068	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5068 wrote to memory of 3368	5068	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5068 wrote to memory of 3368	5068	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 5068 wrote to memory of 3368	5068	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4040 wrote to memory of 4104	4040	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4040 wrote to memory of 4104	4040	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4040 wrote to memory of 4104	4040	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4040 wrote to memory of 4104	4040	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 4040 wrote to memory of 4104	4040	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 916 wrote to memory of 4520	916	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 916 wrote to memory of 4520	916	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 916 wrote to memory of 4520	916	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 916 wrote to memory of 4520	916	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 916 wrote to memory of 4520	916	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 2172 wrote to memory of 1644	2172	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 2172 wrote to memory of 1644	2172	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 2172 wrote to memory of 1644	2172	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 2172 wrote to memory of 1644	2172	OFICIO REMISORIO N° 225374198.exe	csc.exe
PID 2172 wrote to memory of 1644	2172	OFICIO REMISORIO N° 225374198.exe	csc.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\OFICIO REMISORIO N° 225374198.rar"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\7zO05C6E947\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\AppData\Local\Temp\7zO05C6E947\OFICIO REMISORIO N° 225374198.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\OFICIO REMISORIO N° 225374198\" -ad -an -ai#7zMap16593:138:7zEvent17504
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4996

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:164

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:2812

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:3172

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:820

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:3368

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:4104

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:4520

C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe
"C:\Users\Admin\Downloads\OFICIO REMISORIO N° 225374198\OFICIO REMISORIO N° 225374198.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\csc.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO05C6E947\OFICIO REMISORIO N° 225374198.exe

Filesize
2.8MB

MD5
04962f854727c6096896f669ebcbf2c5

SHA1
656a0e05af429119b813c363a0bb13185084f688

SHA256
ac67b9df2f62a978141bc8dab3bfe63cb9774224b7f8d4fa5afda2801fd89d1e

SHA512
c5e72d60646e50c3d0238c33f06ff7c95e9bca740ded0163df963812421bf1c3a891e42518d623b3b9f6fa2e5b00827706e44e0e7d90695842204075c07a1026

Download Submit
C:\Users\Admin\Music\ComfortDesignerUpdater\ComfortVideo.exe

Filesize
80.1MB

MD5
33cc9f93aa6c57a663357453bf55c276

SHA1
86b453c6b4c4da2ecfd41c307d33016ee4b78ece

SHA256
728fae06c1cb4058947bc799d16987108b49046783149da60534d06a64db46fa

SHA512
304eccff66b71b5a4878994f70b7808bd4aee3a76cd657079bac7c721d8c3f34e8aabf97188034852c4267990fe199c0b2678fe211fcfe415a87aaa63e0d8c86

Download Submit
C:\Users\Admin\Music\ComfortDesignerUpdater\ComfortVideo.exe

Filesize
47.5MB

MD5
2566253952195004198128156f452353

SHA1
a09aab80609728b0f875a5bac7651bea30483441

SHA256
1a592a257fd8ae58ce5da4938ae422bb9b745e054e6b7f07f5bba60e55114fa7

SHA512
1fe2b97bb9f944974d70a25081918376770a8cba35c021657dc8f658eeb62340c292831ae2ced318be6506222868ab615b41207aa7e4166ddf990076bcbfa859

Download Submit
C:\Users\Admin\Music\ComfortDesignerUpdater\ComfortVideo.exe

Filesize
37.1MB

MD5
774df5b5df3d4983cb60971ac1573b5f

SHA1
aac4c4643dd33427a9840bf9ad9b8c7dabb072e5

SHA256
5bc1ced3c60829fbd4bede59c9e0da4f0dd45b1d9cfcf2961e2278ad4ec18e77

SHA512
21d412b975f260d1763235e0d1d5c9d5b5394dd5cf0e221766e6288eb8f846d17b07f35fa5535b3b4af7c556e68072a855f378bfac5d5aaf191e76eab5b02653

Download Submit
C:\Users\Admin\Music\ComfortDesignerUpdater\ComfortVideo.exe

Filesize
3.9MB

MD5
213777e0366ce7ac5716146c6e03e6b2

SHA1
573a18a38d5fe50a9ac7bfdde70b9e8e471e6240

SHA256
de4bc707e7fe0da3600fc46170b52f11468312fa1931ac166fc7d3f70209c9fe

SHA512
53d9318586ccc128274a80c0f54bbcee56c5f6ea297f3f71f7d9b557d28a2db8415a4b46549f6c8ea60cfdfa6985d86ae20dabab88354b493f2191eebbe10568

Download Submit
C:\Users\Admin\Music\ComfortDesignerUpdater\ComfortVideo.exe

Filesize
641.8MB

MD5
86575ada5f79d36d365b4141581094a5

SHA1
2c976b3524514eda7d0135ef487dc9ceaab09c0a

SHA256
0f93d5fa24c194f334193c9ab3ec71670fcadbe759c7d4c80cfbbabe45e614c5

SHA512
f56d2c6a426619e5e13a38a9694940f9134dc6f7908597690c4a9e4cead6f5d5e24b81a2c3f2e5c483a72f92e7718f1210ab6297573c94b6cdc9037419d8c057

Download Submit
C:\Users\Admin\Music\ComfortDesignerUpdater\ComfortVideo.exe

Filesize
247.5MB

MD5
25011faa581dd3ba3e221d74e0eb2ee7

SHA1
b1559f789c81dda2102e60c651193df934a8ab19

SHA256
fca7342e334d3a51ae4b9ba31ea09f39fb9a6f2edcaa08411cafa9d28ff6789f

SHA512
d496efa12c13d9d7e85bf37b8cf5a8e7e84697690cbb6ddaaa885b84b68dd3a4338dafe3bb87e4b0fe03370c9f2a29d8e513e958283ab023d542e202bd46ae71

Download Submit
C:\Users\Admin\Music\ComfortDesignerUpdater\ComfortVideo.exe

Filesize
99.6MB

MD5
7ae369d907d56d2600793ad7f16e8b68

SHA1
67f9892d4016cfdc13f560c6ba46d011e1eb7ae8

SHA256
8119d3ce0a0f982386b77e562ec3adaa3a40dfd8d84aedb0a12411a79ee2894a

SHA512
0a5fff59edaf39f5ef569137923378d9e5959c34a1f32598cd3d9f75f6329c2a48d0557ffbcce834a5acd84c1cd5d1fe57ef9aef0e993e299c51a387f15eec0d

Download Submit
memory/164-50-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/820-105-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

Filesize
72KB

Download
memory/1644-164-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1976-63-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/1976-62-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2812-61-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/3172-88-0x0000000004B00000-0x0000000004B12000-memory.dmp

Filesize
72KB

Download
memory/3224-83-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/3224-87-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/3368-117-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/4072-100-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4072-104-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4520-150-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/4704-39-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4704-40-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4704-47-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4704-44-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4704-41-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4704-42-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/4704-37-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-6-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-19-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-5-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-23-0x0000000000512000-0x000000000052B000-memory.dmp

Filesize
100KB

Download
memory/5000-7-0x0000000000512000-0x000000000052B000-memory.dmp

Filesize
100KB

Download
memory/5000-10-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-9-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-12-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-11-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5000-21-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5068-112-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5068-115-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/5100-32-0x000000000A370000-0x000000000A3D6000-memory.dmp

Filesize
408KB

Download
memory/5100-13-0x00000000052B0000-0x00000000052C2000-memory.dmp

Filesize
72KB

Download
memory/5100-31-0x000000000A870000-0x000000000AD6E000-memory.dmp

Filesize
5.0MB

Download
memory/5100-30-0x000000000A2D0000-0x000000000A36C000-memory.dmp

Filesize
624KB

Download