Overview
overview
10Static
static
100898-ENVI...CA.zip
windows11-21h2-x64
1000898-ENVI...IA.exe
windows11-21h2-x64
1000898-ENVI...at.dll
windows11-21h2-x64
300898-ENVI...IB.dll
windows11-21h2-x64
300898-ENVI...enwljq
windows11-21h2-x64
100898-ENVI...90.dll
windows11-21h2-x64
300898-ENVI...90.dll
windows11-21h2-x64
300898-ENVI...vfipgs
windows11-21h2-x64
100898-ENVI...te.dll
windows11-21h2-x64
3Analysis
-
max time kernel
292s -
max time network
291s -
platform
windows11-21h2_x64 -
resource
win11-20241007-es -
resource tags
arch:x64arch:x86image:win11-20241007-eslocale:es-esos:windows11-21h2-x64systemwindows -
submitted
24-10-2024 16:25
Static task
static1
Behavioral task
behavioral1
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA.zip
Resource
win11-20241007-es
Behavioral task
behavioral2
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/02 LEER NOTIFICACION ELECTRONIA.exe
Resource
win11-20241023-es
Behavioral task
behavioral3
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/AXE8SharedExpat.dll
Resource
win11-20241007-es
Behavioral task
behavioral4
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/BIB.dll
Resource
win11-20241007-es
Behavioral task
behavioral5
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/enwljq
Resource
win11-20241007-es
Behavioral task
behavioral6
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/msvcp90.dll
Resource
win11-20241023-es
Behavioral task
behavioral7
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/msvcr90.dll
Resource
win11-20241007-es
Behavioral task
behavioral8
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/rvfipgs
Resource
win11-20241007-es
Behavioral task
behavioral9
Sample
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/sqlite.dll
Resource
win11-20241007-es
General
-
Target
00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA.zip
-
Size
1.7MB
-
MD5
2746f5004ab0cc959b69442ca5004efa
-
SHA1
79b79fdb7f92e55baf1f917be82f7706cb652216
-
SHA256
5a47a9d3dbb16c5926f4a4a20dfc5b7d66a517ce257c74bf94efa7d543e4d467
-
SHA512
ece51951331623d3b555d87f6cb98b81c9da64cca5f6d7a514cb803bfc7360beec74e98f71636a0e7764a967d413932669ceddc956bcf330f639c9ebc7b8dea9
-
SSDEEP
49152:W6tBsqpFgpjll9UDVXm85GTaDgW6LOPg7DiQQZ4n3M:WuHkf6lCaDgInQL8
Malware Config
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
Default
ansy21oct.duckdns.org:1415
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
02 LEER NOTIFICACION ELECTRONIA.exepid process 2900 02 LEER NOTIFICACION ELECTRONIA.exe -
Loads dropped DLL 3 IoCs
Processes:
02 LEER NOTIFICACION ELECTRONIA.exepid process 2900 02 LEER NOTIFICACION ELECTRONIA.exe 2900 02 LEER NOTIFICACION ELECTRONIA.exe 2900 02 LEER NOTIFICACION ELECTRONIA.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
02 LEER NOTIFICACION ELECTRONIA.execmd.exedescription pid process target process PID 2900 set thread context of 4980 2900 02 LEER NOTIFICACION ELECTRONIA.exe cmd.exe PID 4980 set thread context of 3192 4980 cmd.exe MSBuild.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
02 LEER NOTIFICACION ELECTRONIA.execmd.exeMSBuild.execmd.exetimeout.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02 LEER NOTIFICACION ELECTRONIA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4816 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
02 LEER NOTIFICACION ELECTRONIA.execmd.exepid process 2900 02 LEER NOTIFICACION ELECTRONIA.exe 2900 02 LEER NOTIFICACION ELECTRONIA.exe 4980 cmd.exe 4980 cmd.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
02 LEER NOTIFICACION ELECTRONIA.execmd.exepid process 2900 02 LEER NOTIFICACION ELECTRONIA.exe 4980 cmd.exe 4980 cmd.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
7zFM.exeMSBuild.exedescription pid process Token: SeRestorePrivilege 4968 7zFM.exe Token: 35 4968 7zFM.exe Token: SeSecurityPrivilege 4968 7zFM.exe Token: SeDebugPrivilege 3192 MSBuild.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
7zFM.exepid process 4968 7zFM.exe 4968 7zFM.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
02 LEER NOTIFICACION ELECTRONIA.execmd.exeMSBuild.execmd.exedescription pid process target process PID 2900 wrote to memory of 4980 2900 02 LEER NOTIFICACION ELECTRONIA.exe cmd.exe PID 2900 wrote to memory of 4980 2900 02 LEER NOTIFICACION ELECTRONIA.exe cmd.exe PID 2900 wrote to memory of 4980 2900 02 LEER NOTIFICACION ELECTRONIA.exe cmd.exe PID 2900 wrote to memory of 4980 2900 02 LEER NOTIFICACION ELECTRONIA.exe cmd.exe PID 4980 wrote to memory of 3192 4980 cmd.exe MSBuild.exe PID 4980 wrote to memory of 3192 4980 cmd.exe MSBuild.exe PID 4980 wrote to memory of 3192 4980 cmd.exe MSBuild.exe PID 4980 wrote to memory of 3192 4980 cmd.exe MSBuild.exe PID 4980 wrote to memory of 3192 4980 cmd.exe MSBuild.exe PID 3192 wrote to memory of 3196 3192 MSBuild.exe cmd.exe PID 3192 wrote to memory of 3196 3192 MSBuild.exe cmd.exe PID 3192 wrote to memory of 3196 3192 MSBuild.exe cmd.exe PID 3196 wrote to memory of 4816 3196 cmd.exe timeout.exe PID 3196 wrote to memory of 4816 3196 cmd.exe timeout.exe PID 3196 wrote to memory of 4816 3196 cmd.exe timeout.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA.zip"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4968
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3760
-
C:\Users\Admin\Desktop\00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA\02 LEER NOTIFICACION ELECTRONIA.exe"C:\Users\Admin\Desktop\00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA\02 LEER NOTIFICACION ELECTRONIA.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE5D8.tmp.bat""4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
777KB
MD5da8ee1178c7e51cddca97f263a2c3052
SHA1b3860fe9965293141004cd6011e0323a13d04fc0
SHA256daf5a8979085d88bae8e7365fe530177141a06b877bd226a438d2bebf16db216
SHA5121e24419ab6de0fbf5643d776ffd07a83a39916c2ecf8066c105710013b85a2781c7187bfad10929faacf19f90769e583698482bb94ea0d8dc71c31153903fc90
-
Filesize
171B
MD586e3f9d7b6d2504e3d4db9965bd302f0
SHA1a498792c0427a491a27fe1580b0c0cfd7df7592a
SHA25654255397dcfd64b6e334c7f5d6ac9d6b7f14d0e8527593c3da3da30dbe2403d7
SHA5125e1ed94d441ba910c75ab85926bc35bf81cd520c9e954c7529ee12a89da2ee27c07bd8f75382ad747b66ddd550efc08a1a630dabf827efc5e4ab821fe794b002
-
C:\Users\Admin\Desktop\00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA\02 LEER NOTIFICACION ELECTRONIA.exe
Filesize1.2MB
MD5f778e9136ab0db9de9802a7043de50a7
SHA1850dca074534a14fdb9ada6afaceea88558764e0
SHA25690803a583e9f693de5e7b8a196832436f6f648b27fb82e55904c256f30cc8b3a
SHA512cd6c5c3537f05ad5826d503e38b8e6ef2eaf668616bec15ba51ad3d81e0337a72779d7ca6af9e8ebee12d713891b30c0b73bf34718552bc9f4e7d8909b998156
-
Filesize
170KB
MD50cfb90c28768e26498834d780fbbd754
SHA194738b02338ac939ab610e69111f68a0b888da1d
SHA2565b3434727cd6805870550c4912e23543d3f9b58a19d32c412b8978d1515e1229
SHA512ff6f99a06a7f4bd02ca9d66568459dc9f584fdd140e9a1d1e426eb32152717d298b603d9e3aece0591fac0d951ab3225bb78a3665e3ac763319cb717135aac73
-
Filesize
107KB
MD5759d71fc9442ab5a9b5749c0f6c0c263
SHA107a68c6922d443eb9d6d445da18ae8a6d92f7ac6
SHA256109647f58e7e8386a4c025f2c8175a4d638e5c0e62768953390764010ea22a2e
SHA512e3efe66c76ea81285ba01b1978fdb3e807eb0bf2cfe0373bb6fef06f2fd7d9ddc3269acf0d87517cbf9bea5fa09b2703a03792491dc8265d26b724d7dca106c7
-
Filesize
535KB
MD552d8723c67cdb08c33c1c07a584bbfec
SHA1dadacd339557ce028035003b62850c191988f5ea
SHA2569ea9353a6315ed0c4940033103cf56613fd7f47ff74be26eb98b8d158e9bab46
SHA512c62a8c515f47e1bafd4307b9964ee95678d2b2c783af0d00ceab5107a6d3843c4466fa6e8451d1779d523282862a330a5574bdd06123ff79c83ef104d56e3d07
-
Filesize
557KB
MD590a32d8e07f7fb3d102eab1da28f0723
SHA10903911bbb5d00f68ba51895fa898b38a5453ded
SHA256004ed24507dc7307cec1a3732fa57eabf19e918c3e1b54561e6cc01f554c0b77
SHA5122c69586d5c5d2b4b5decf2bf479554c3d0ff5f5a6fbacb01b8583ea8d96d0ae9c850c30a0d43eb2ad1116be901578d15fe08fce3e505440c854082c208a79f1a
-
Filesize
638KB
MD511d49148a302de4104ded6a92b78b0ed
SHA1fd58a091b39ed52611ade20a782ef58ac33012af
SHA256ceb0947d898bc2a55a50f092f5ed3f7be64ac1cd4661022eefd3edd4029213b0
SHA512fdc43b3ee38f7beb2375c953a29db8bcf66b73b78ccc04b147e26108f3b650c0a431b276853bb8e08167d34a8cc9c6b7918daef9ebc0a4833b1534c5afac75e4
-
Filesize
71KB
MD5547fb76d84d38e30ffd204fe105d1741
SHA15da798a9911f0f138340005c96d5ec26ca0a3285
SHA2567cf51674e517f4c0e2e294f51370d906812250ddc5b6eba09d12683ecbe76777
SHA512e3de8e08124b7ca111c234f3ad2aa9152ca21aade5534c5ea110698ecd48fdcba9679300a1ac1295e7b816748b9bf973366cd33f1e6e56230f690be95e7faeca
-
Filesize
243KB
MD561c4af783de766cee0b3172b8acb02a7
SHA19396e8545da198e616e0d157f8bce399469e9627
SHA256f6ed01358bc99993ed8bf2303995a6d6fbd4acefec99df35d347f51eef0c3fca
SHA512b2d3f73c731d37eebe8bc8fb46ad02a592a192da6b9552fa223aded2203259c928495f249a106b37d3b8103515f9550b13397ee7e42dd8bca32127026612af72