Malware Analysis Report

2025-08-10 14:28

Sample ID 241030-b6zeqaspas
Target bdc23f3babee193e3e687c569381a32960a0812aa8ebf2384003077fd0e559dd
SHA256 bdc23f3babee193e3e687c569381a32960a0812aa8ebf2384003077fd0e559dd
Tags
asyncrat war discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bdc23f3babee193e3e687c569381a32960a0812aa8ebf2384003077fd0e559dd

Threat Level: Known bad

The file bdc23f3babee193e3e687c569381a32960a0812aa8ebf2384003077fd0e559dd was found to be: Known bad.

Malicious Activity Summary

asyncrat war discovery rat

AsyncRat

Asyncrat family

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 01:46

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2068 set thread context of 3188 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 set thread context of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3188 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3188 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3188 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3188 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2840 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1292 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1292 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe

"C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 warpower.dynuddns.net udp
US 172.233.162.230:7171 warpower.dynuddns.net tcp
US 8.8.8.8:53 230.162.233.172.in-addr.arpa udp
US 172.233.162.230:7171 warpower.dynuddns.net tcp
US 172.233.162.230:7171 warpower.dynuddns.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2068-0-0x0000000000CF0000-0x0000000000DFB000-memory.dmp

memory/2068-1-0x0000000074270000-0x00000000743EB000-memory.dmp

memory/2068-2-0x00007FF9A9F30000-0x00007FF9AA125000-memory.dmp

memory/2068-8-0x0000000074283000-0x0000000074285000-memory.dmp

memory/2068-9-0x0000000074270000-0x00000000743EB000-memory.dmp

memory/2068-10-0x0000000074270000-0x00000000743EB000-memory.dmp

memory/3188-15-0x0000000074270000-0x00000000743EB000-memory.dmp

memory/2068-14-0x0000000000CF0000-0x0000000000DFB000-memory.dmp

memory/2068-12-0x0000000000400000-0x0000000000711000-memory.dmp

memory/2068-13-0x000000004A600000-0x000000004A6EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2381a800

MD5 7e689509da21a51d637c470608c1fe17
SHA1 7067502eddd66908e6973e88628fce9baca75b3a
SHA256 6ad06ebf7d45e14fa5282293e334cb5f888faa8b2a28fef63f9563be40916695
SHA512 cb579d792f82a0c896690300429edb6401215ab8f22090469f39939a0c0daa38cf7ca31a0e113abf91de3c1ca2c6e16d75c5a9c0abfb977992589db8b0677312

memory/3188-17-0x00007FF9A9F30000-0x00007FF9AA125000-memory.dmp

memory/3188-19-0x0000000074270000-0x00000000743EB000-memory.dmp

memory/3188-20-0x0000000074270000-0x00000000743EB000-memory.dmp

memory/3188-22-0x0000000074270000-0x00000000743EB000-memory.dmp

memory/2840-23-0x0000000072D40000-0x0000000073F94000-memory.dmp

memory/2840-26-0x00000000747CE000-0x00000000747CF000-memory.dmp

memory/2840-27-0x0000000000580000-0x0000000000596000-memory.dmp

memory/2840-28-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/2840-29-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/2840-30-0x00000000052C0000-0x0000000005352000-memory.dmp

memory/2840-31-0x0000000005280000-0x000000000528A000-memory.dmp

memory/2840-34-0x00000000062B0000-0x000000000634C000-memory.dmp

memory/2840-35-0x0000000006350000-0x00000000063B6000-memory.dmp

memory/2840-36-0x00000000747CE000-0x00000000747CF000-memory.dmp

memory/2840-37-0x0000000006CA0000-0x0000000006D16000-memory.dmp

memory/2840-38-0x0000000006C20000-0x0000000006C48000-memory.dmp

memory/2840-39-0x0000000006D40000-0x0000000006D5E000-memory.dmp

memory/2840-40-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/2840-41-0x0000000006F70000-0x0000000006F96000-memory.dmp

memory/2840-46-0x00000000747C0000-0x0000000074F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.bat

MD5 51d51e9bdc025c4cf203f0f748247c0d
SHA1 b4511b361f8093d468bb31ffea913f2dd94bfb10
SHA256 470f534168703a5103f7a91c4dc005c4f987f9b3fb33b3f2345483f76b0ff354
SHA512 7f045bb22d8ed271e1e7452971d4700351b71779460fb57546c3e688ec89619e2ac6b3d7d3cfe5ac76062a9876394b097c6d3b18cd2fcf71a77d5eaea5b17d32

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win7-20241010-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2724 wrote to memory of 2068 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win7-20241010-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2872 wrote to memory of 2892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 260

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

138s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1252 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1252 wrote to memory of 2512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 2512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2512 -ip 2512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 840

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win7-20240903-en

Max time kernel

138s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 2912 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 set thread context of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2912 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2464 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 1452 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 1452 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 1452 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe

"C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00

C:\Windows\SysWOW64\shutdown.exe

Shutdown /s /f /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 warpower.dynuddns.net udp
US 172.233.162.230:7171 warpower.dynuddns.net tcp
US 172.233.162.230:7171 warpower.dynuddns.net tcp

Files

memory/1636-0-0x0000000000720000-0x000000000082B000-memory.dmp

memory/1636-1-0x0000000074910000-0x0000000074A84000-memory.dmp

memory/1636-2-0x00000000775F0000-0x0000000077799000-memory.dmp

memory/1636-8-0x0000000074923000-0x0000000074925000-memory.dmp

memory/1636-9-0x0000000074910000-0x0000000074A84000-memory.dmp

memory/1636-10-0x0000000074910000-0x0000000074A84000-memory.dmp

memory/1636-13-0x000000004A600000-0x000000004A6EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5388343c

MD5 a3de8ad74b55496da16d130f7665a1cf
SHA1 dfe564ffaad3b979c6fa843300faaa4e80b003da
SHA256 58e2e176ac9e6b6bb10933eabfb3be9393beee0a5a80b69550467503828a28db
SHA512 84783ccaaa445d3570ff5be1c339a98d3c74f4773560ff6b92dd4a41173318ac336db5518358546eda34c5cba71e7ca2c66e119af2d5dc7cee00e28ddc94af03

memory/2912-15-0x0000000074910000-0x0000000074A84000-memory.dmp

memory/1636-14-0x0000000000720000-0x000000000082B000-memory.dmp

memory/1636-12-0x0000000000400000-0x0000000000711000-memory.dmp

memory/2912-17-0x00000000775F0000-0x0000000077799000-memory.dmp

memory/2912-64-0x0000000074910000-0x0000000074A84000-memory.dmp

memory/2912-63-0x0000000074910000-0x0000000074A84000-memory.dmp

memory/2912-67-0x0000000074910000-0x0000000074A84000-memory.dmp

memory/2464-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2464-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2464-66-0x0000000072B70000-0x0000000073BD2000-memory.dmp

memory/2464-70-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab18A1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2464-88-0x0000000001F20000-0x0000000001F46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarA1C0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 4244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-30 01:46

Reported

2024-10-30 01:49

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4344 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4344 wrote to memory of 1672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A