Overview

Static
Score  Sample                   Platform
1      00898-ENVI...CA.zip      windows11-21h2-x64
10     00898-ENVI...IA.exe      windows11-21h2-x64
10     00898-ENVI...at.dll      windows11-21h2-x64
3      00898-ENVI...IB.dll      windows11-21h2-x64
3      00898-ENVI...enwljq      windows11-21h2-x64
1      00898-ENVI...90.dll      windows11-21h2-x64
3      00898-ENVI...90.dll      windows11-21h2-x64
3      00898-ENVI...vfipgs      windows11-21h2-x64
1      00898-ENVI...te.dll      windows11-21h2-x64
Analysis

max time kernel: 276s
max time network: 280s
platform: windows11-21h2_x64
resource: win11-20241023-es
resource tags: arch:x64, arch:x86, image:win11-20241023-es, locale:es-es, os:windows11-21h2-x64, system, windows
submitted: 24-10-2024 16:25
Static task: static1

Behavioral task  Sample                                                                                Resource
behavioral1      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA.zip                                  win11-20241007-es
behavioral2      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/02 LEER NOTIFICACION ELECTRONIA.exe  win11-20241023-es
behavioral3      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/AXE8SharedExpat.dll                  win11-20241007-es
behavioral4      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/BIB.dll                              win11-20241007-es
behavioral5      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/enwljq                               win11-20241007-es
behavioral6      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/msvcp90.dll                          win11-20241023-es
behavioral7      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/msvcr90.dll                          win11-20241007-es
behavioral8      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/rvfipgs                              win11-20241007-es
behavioral9      00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/sqlite.dll                           win11-20241007-es
General

Target: 00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA/02 LEER NOTIFICACION ELECTRONIA.exe
Size: 1.2MB
MD5: f778e9136ab0db9de9802a7043de50a7
SHA1: 850dca074534a14fdb9ada6afaceea88558764e0
SHA256: 90803a583e9f693de5e7b8a196832436f6f648b27fb82e55904c256f30cc8b3a
SHA512: cd6c5c3537f05ad5826d503e38b8e6ef2eaf668616bec15ba51ad3d81e0337a72779d7ca6af9e8ebee12d713891b30c0b73bf34718552bc9f4e7d8909b998156
SSDEEP: 24576:+heavSigvk0vhkzswHD4/V3OQdnYKYc4wXUyuy1:qP710vezrj4dJYFYUyuy1
Malware Config

Extracted

Family: asyncrat
Version: | CRACKED BY https://t.me/xworm_v2
Botnet: Default
C2: ansy21oct.duckdns.org:1415
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
Signatures

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                              pid   process                                 target process
  PID 4764 set thread context of 2440      4764  02 LEER NOTIFICACION ELECTRONIA.exe     cmd.exe
  PID 2440 set thread context of 4812      2440  cmd.exe                                 MSBuild.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MSBuild.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   02 LEER NOTIFICACION ELECTRONIA.exe

Delays execution with timeout.exe (1 IoCs)
Processes:
  pid   process
  4460  timeout.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  4764  02 LEER NOTIFICACION ELECTRONIA.exe
  4764  02 LEER NOTIFICACION ELECTRONIA.exe
  2440  cmd.exe
  2440  cmd.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
  pid   process
  4764  02 LEER NOTIFICACION ELECTRONIA.exe
  2440  cmd.exe
  2440  cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4812  MSBuild.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                         pid   process                                 target process
  PID 4764 wrote to memory of 2440    4764  02 LEER NOTIFICACION ELECTRONIA.exe     cmd.exe
  PID 4764 wrote to memory of 2440    4764  02 LEER NOTIFICACION ELECTRONIA.exe     cmd.exe
  PID 4764 wrote to memory of 2440    4764  02 LEER NOTIFICACION ELECTRONIA.exe     cmd.exe
  PID 4764 wrote to memory of 2440    4764  02 LEER NOTIFICACION ELECTRONIA.exe     cmd.exe
  PID 2440 wrote to memory of 4812    2440  cmd.exe                                 MSBuild.exe
  PID 2440 wrote to memory of 4812    2440  cmd.exe                                 MSBuild.exe
  PID 2440 wrote to memory of 4812    2440  cmd.exe                                 MSBuild.exe
  PID 2440 wrote to memory of 4812    2440  cmd.exe                                 MSBuild.exe
  PID 2440 wrote to memory of 4812    2440  cmd.exe                                 MSBuild.exe
  PID 4812 wrote to memory of 5116    4812  MSBuild.exe                             cmd.exe
  PID 4812 wrote to memory of 5116    4812  MSBuild.exe                             cmd.exe
  PID 4812 wrote to memory of 5116    4812  MSBuild.exe                             cmd.exe
  PID 5116 wrote to memory of 4460    5116  cmd.exe                                 timeout.exe
  PID 5116 wrote to memory of 4460    5116  cmd.exe                                 timeout.exe
  PID 5116 wrote to memory of 4460    5116  cmd.exe                                 timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA\02 LEER NOTIFICACION ELECTRONIA.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\00898-ENVIO COPIA DE LA NOTIFICACION ELECTRONICA\02 LEER NOTIFICACION ELECTRONIA.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   PID: 4764

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\SysWOW64\cmd.exe
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2440

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 4812

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp353.tmp.bat""
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 5116

            5. C:\Windows\SysWOW64\timeout.exe
               Command line: timeout 3
               - System Location Discovery: System Language Discovery
               - Delays execution with timeout.exe
               PID: 4460
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 777KB
MD5: df6227ef226b17de139625c6969e72b4
SHA1: b0a44c64f874ec226398e5e0615519cca50d8daa
SHA256: 41f36f5ed3aa9d24614df31b52f44083a4b020178dcb48197e579d6c97d83028
SHA512: 87f200d19c45f0b6a7e37730649805c8abb091f93c58c4666d0516d2bff291442c5930565cb00c1ee9d56a56213ec3c1768f8eb0ac40d05586e6bcbdaac1b1c5

Filesize: 170B
MD5: d6b143fd1c6892e07fde1dbe04bcb715
SHA1: 2c85e5b1126fce4bf6d2f20632f95a6f0b619285
SHA256: ef14c5dff431fe57721ab478cb3ec7ed8bdb9d5797ef0c91835125d6debba888
SHA512: ec66fb7120cfb78976ce44c99b1a5bde9a690dc86ad3537225c6a258a947530e0c1a826eb834287dedfbee8ac5af03a6c7f2a543845d06b4b63af607623f7515