Analysis
- max time kernel: 1799s
- max time network: 1795s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-10-2024 13:05

Static task: static1
Behavioral task: behavioral1
Sample: 232024-LEER NOTIFICACIONDEMANDA LABORAL-55214/02 LEER DEMANDA LABORAL.exe
Resource: win7-20240903-en
General
- Target: 232024-LEER NOTIFICACIONDEMANDA LABORAL-55214/02 LEER DEMANDA LABORAL.exe
- Size: 1.2MB
- MD5: f778e9136ab0db9de9802a7043de50a7
- SHA1: 850dca074534a14fdb9ada6afaceea88558764e0
- SHA256: 90803a583e9f693de5e7b8a196832436f6f648b27fb82e55904c256f30cc8b3a
- SHA512: cd6c5c3537f05ad5826d503e38b8e6ef2eaf668616bec15ba51ad3d81e0337a72779d7ca6af9e8ebee12d713891b30c0b73bf34718552bc9f4e7d8909b998156
- SSDEEP: 24576:+heavSigvk0vhkzswHD4/V3OQdnYKYc4wXUyuy1:qP710vezrj4dJYFYUyuy1
Malware Config
Extracted: asyncrat
- | CRACKED BY https://t.me/xworm_v2
- Default
- envio122344.duckdns.org:3030
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  - PID 1888 set thread context of 3248 | 1888 | 02 LEER DEMANDA LABORAL.exe | cmd.exe
  - PID 3248 set thread context of 1084 | 3248 | cmd.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 02 LEER DEMANDA LABORAL.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  - 1888 | 02 LEER DEMANDA LABORAL.exe
  - 1888 | 02 LEER DEMANDA LABORAL.exe
  - 3248 | cmd.exe
  - 3248 | cmd.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid | process):
  - 1888 | 02 LEER DEMANDA LABORAL.exe
  - 3248 | cmd.exe
  - 3248 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1084 | MSBuild.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  - PID 1888 wrote to memory of 3248 | 1888 | 02 LEER DEMANDA LABORAL.exe | cmd.exe
  - PID 1888 wrote to memory of 3248 | 1888 | 02 LEER DEMANDA LABORAL.exe | cmd.exe
  - PID 1888 wrote to memory of 3248 | 1888 | 02 LEER DEMANDA LABORAL.exe | cmd.exe
  - PID 1888 wrote to memory of 3248 | 1888 | 02 LEER DEMANDA LABORAL.exe | cmd.exe
  - PID 3248 wrote to memory of 1084 | 3248 | cmd.exe | MSBuild.exe
  - PID 3248 wrote to memory of 1084 | 3248 | cmd.exe | MSBuild.exe
  - PID 3248 wrote to memory of 1084 | 3248 | cmd.exe | MSBuild.exe
  - PID 3248 wrote to memory of 1084 | 3248 | cmd.exe | MSBuild.exe
  - PID 3248 wrote to memory of 1084 | 3248 | cmd.exe | MSBuild.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\232024-LEER NOTIFICACIONDEMANDA LABORAL-55214\02 LEER DEMANDA LABORAL.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\232024-LEER NOTIFICACIONDEMANDA LABORAL-55214\02 LEER DEMANDA LABORAL.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   PID: 1888
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\SysWOW64\cmd.exe
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 3248
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 1084
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 777KB
- MD5: 6b4e6b50da493434af6ed56a716e4882
- SHA1: 1973e3a2fd459c521138fa801a62dec4efdc2095
- SHA256: e615e08f4e8ae48afe64fd5c4bcea6aa2682ab6cf0e1b14a634e00bfd6af0c36
- SHA512: 75058d9c5ab1c5f7aee6ba8c7c22ee2229c04a44df97cfd3b947ac8f311b1e054497bfb6f7c42775564db31de552f7016a61aee1795a5be82ccef3aac542033a