Analysis Overview
SHA256
bdc23f3babee193e3e687c569381a32960a0812aa8ebf2384003077fd0e559dd
Threat Level: Known bad
The file bdc23f3babee193e3e687c569381a32960a0812aa8ebf2384003077fd0e559dd was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 01:46
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
AsyncRat
Asyncrat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2068 set thread context of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3188 set thread context of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe
"C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | warpower.dynuddns.net | udp |
| US | 172.233.162.230:7171 | warpower.dynuddns.net | tcp |
| US | 8.8.8.8:53 | 230.162.233.172.in-addr.arpa | udp |
| US | 172.233.162.230:7171 | warpower.dynuddns.net | tcp |
| US | 172.233.162.230:7171 | warpower.dynuddns.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2068-0-0x0000000000CF0000-0x0000000000DFB000-memory.dmp
memory/2068-1-0x0000000074270000-0x00000000743EB000-memory.dmp
memory/2068-2-0x00007FF9A9F30000-0x00007FF9AA125000-memory.dmp
memory/2068-8-0x0000000074283000-0x0000000074285000-memory.dmp
memory/2068-9-0x0000000074270000-0x00000000743EB000-memory.dmp
memory/2068-10-0x0000000074270000-0x00000000743EB000-memory.dmp
memory/3188-15-0x0000000074270000-0x00000000743EB000-memory.dmp
memory/2068-14-0x0000000000CF0000-0x0000000000DFB000-memory.dmp
memory/2068-12-0x0000000000400000-0x0000000000711000-memory.dmp
memory/2068-13-0x000000004A600000-0x000000004A6EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2381a800
| MD5 | 7e689509da21a51d637c470608c1fe17 |
| SHA1 | 7067502eddd66908e6973e88628fce9baca75b3a |
| SHA256 | 6ad06ebf7d45e14fa5282293e334cb5f888faa8b2a28fef63f9563be40916695 |
| SHA512 | cb579d792f82a0c896690300429edb6401215ab8f22090469f39939a0c0daa38cf7ca31a0e113abf91de3c1ca2c6e16d75c5a9c0abfb977992589db8b0677312 |
memory/3188-17-0x00007FF9A9F30000-0x00007FF9AA125000-memory.dmp
memory/3188-19-0x0000000074270000-0x00000000743EB000-memory.dmp
memory/3188-20-0x0000000074270000-0x00000000743EB000-memory.dmp
memory/3188-22-0x0000000074270000-0x00000000743EB000-memory.dmp
memory/2840-23-0x0000000072D40000-0x0000000073F94000-memory.dmp
memory/2840-26-0x00000000747CE000-0x00000000747CF000-memory.dmp
memory/2840-27-0x0000000000580000-0x0000000000596000-memory.dmp
memory/2840-28-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/2840-29-0x00000000056D0000-0x0000000005C74000-memory.dmp
memory/2840-30-0x00000000052C0000-0x0000000005352000-memory.dmp
memory/2840-31-0x0000000005280000-0x000000000528A000-memory.dmp
memory/2840-34-0x00000000062B0000-0x000000000634C000-memory.dmp
memory/2840-35-0x0000000006350000-0x00000000063B6000-memory.dmp
memory/2840-36-0x00000000747CE000-0x00000000747CF000-memory.dmp
memory/2840-37-0x0000000006CA0000-0x0000000006D16000-memory.dmp
memory/2840-38-0x0000000006C20000-0x0000000006C48000-memory.dmp
memory/2840-39-0x0000000006D40000-0x0000000006D5E000-memory.dmp
memory/2840-40-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/2840-41-0x0000000006F70000-0x0000000006F96000-memory.dmp
memory/2840-46-0x00000000747C0000-0x0000000074F70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9B12.tmp.bat
| MD5 | 51d51e9bdc025c4cf203f0f748247c0d |
| SHA1 | b4511b361f8093d468bb31ffea913f2dd94bfb10 |
| SHA256 | 470f534168703a5103f7a91c4dc005c4f987f9b3fb33b3f2345483f76b0ff354 |
| SHA512 | 7f045bb22d8ed271e1e7452971d4700351b71779460fb57546c3e688ec89619e2ac6b3d7d3cfe5ac76062a9876394b097c6d3b18cd2fcf71a77d5eaea5b17d32 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win7-20241010-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2724 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2724 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2724 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2724 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2724 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2724 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2724 wrote to memory of 2068 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win7-20241010-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2872 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2872 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 260
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
138s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1252 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1252 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1252 wrote to memory of 2512 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\unrar.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 2512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2512 -ip 2512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 840
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win7-20240903-en
Max time kernel
138s
Max time network
139s
Command Line
Signatures
AsyncRat
Asyncrat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1636 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2912 set thread context of 2464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe
"C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\01DEMANDA LABORAL JDUCIAL.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
C:\Windows\SysWOW64\shutdown.exe
Shutdown /s /f /t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | warpower.dynuddns.net | udp |
| US | 172.233.162.230:7171 | warpower.dynuddns.net | tcp |
| US | 172.233.162.230:7171 | warpower.dynuddns.net | tcp |
Files
memory/1636-0-0x0000000000720000-0x000000000082B000-memory.dmp
memory/1636-1-0x0000000074910000-0x0000000074A84000-memory.dmp
memory/1636-2-0x00000000775F0000-0x0000000077799000-memory.dmp
memory/1636-8-0x0000000074923000-0x0000000074925000-memory.dmp
memory/1636-9-0x0000000074910000-0x0000000074A84000-memory.dmp
memory/1636-10-0x0000000074910000-0x0000000074A84000-memory.dmp
memory/1636-13-0x000000004A600000-0x000000004A6EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5388343c
| MD5 | a3de8ad74b55496da16d130f7665a1cf |
| SHA1 | dfe564ffaad3b979c6fa843300faaa4e80b003da |
| SHA256 | 58e2e176ac9e6b6bb10933eabfb3be9393beee0a5a80b69550467503828a28db |
| SHA512 | 84783ccaaa445d3570ff5be1c339a98d3c74f4773560ff6b92dd4a41173318ac336db5518358546eda34c5cba71e7ca2c66e119af2d5dc7cee00e28ddc94af03 |
memory/2912-15-0x0000000074910000-0x0000000074A84000-memory.dmp
memory/1636-14-0x0000000000720000-0x000000000082B000-memory.dmp
memory/1636-12-0x0000000000400000-0x0000000000711000-memory.dmp
memory/2912-17-0x00000000775F0000-0x0000000077799000-memory.dmp
memory/2912-64-0x0000000074910000-0x0000000074A84000-memory.dmp
memory/2912-63-0x0000000074910000-0x0000000074A84000-memory.dmp
memory/2912-67-0x0000000074910000-0x0000000074A84000-memory.dmp
memory/2464-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2464-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2464-66-0x0000000072B70000-0x0000000073BD2000-memory.dmp
memory/2464-70-0x0000000000400000-0x0000000000416000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab18A1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2464-88-0x0000000001F20000-0x0000000001F46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarA1C0.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4020 wrote to memory of 4244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4020 wrote to memory of 4244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4020 wrote to memory of 4244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\madHcNet32.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-30 01:46
Reported
2024-10-30 01:49
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
157s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4344 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4344 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4344 wrote to memory of 1672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL\mvrSettings32.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |