Overview

overview

10

Static

static

3

DEMANDA LA...ZA.exe

windows7-x64

10

DEMANDA LA...ZA.exe

windows10-2004-x64

10

DEMANDA LA...MM.dll

windows7-x64

10

DEMANDA LA...MM.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2024 23:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DEMANDA LABORAL POR ABUSO DE CONFIANZA 01/WINMM.dll

  • Size

    5.0MB

  • MD5

    9d9b59e2893e58686a0cc608522102bd

  • SHA1

    b4a213c4f456ca191efc5711f0d2d819874444aa

  • SHA256

    7b91d4680dd3d290703a50db25b751cb9c7c8b612c1bed0d389ce9ace1f81333

  • SHA512

    327e63d2c5604210e8ba54d94fcd86b3dfeb91d0cf7af70110869d4f3aafbf00b4f8526defc9dcdeba36449d3fd9d6ddbb97a63ad169f4bbe8cb7a84b07ba218

  • SSDEEP

    98304:XVo25lOF7FdfzW64cv5tQpgBZwy7zJDSiQCz+acvnIpeT+4:XVoGQJF7v5tQpgBZR7zJDSiQCz+acvI1

Score
10/10
asyncratremcosplataremotehostdiscoveryratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

mastermrcol.net:6565

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-89JTT1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

PLATA

C2

mastermrcol.net:7474

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL POR ABUSO DE CONFIANZA 01\WINMM.dll",#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn "h5czQ95nhaFoPRcK" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "h5czQ95nhaFoPRcK" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4716
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
        "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4476
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zjcitxakacjvpzicsunorgmlzyoysps.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    Filesize

    66KB

    MD5

    07554efccfc2a1b265e155f689bf46be

    SHA1

    5a5103b26e6584863f4f1e3c210edede6c58064a

    SHA256

    0e0b867c176d56b9ee2fe6ef05534d1051df3c5f05116b2af16cbe365276d6e7

    SHA512

    8ed2d1d358ac0818eb67340bfc57130e1a020007a393bc43aac42ebb7dd44d2627293e81c8a733a874f5f54a8e509ba4acbab04619b0272d95c2688192b59461

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    481KB

    MD5

    7351848cf8f7b5307295fd43baa212b0

    SHA1

    72e21a3a6a5d28ba4750c2dbfe68d772922c658b

    SHA256

    ace75a22a1dae4bab204a56aae3461619ed52a1315bdd1efb5197debff2268d0

    SHA512

    ba9cad85728ea0b1a7c2144e788c9f83d4a6086607b244697a641c15a5f09aad4d226772a5ea001e41ba5abf85e1d39259bbffc33f72a355fbb1804a65e79f38

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zjcitxakacjvpzicsunorgmlzyoysps.vbs
    Filesize

    500B

    MD5

    f1da013fa58295ac94372331e618f047

    SHA1

    b52f602bca7d2b9a04a55be4a1a4de857c98cbdb

    SHA256

    01df7d7ec8acb49f038a93cf1aeb9a79ddda138fa38992f477e6448689c09cd9

    SHA512

    fc1cfb5f09b5d96958d9387f582629e6691e996890ea345466fc47e214be074c9c625f3fb7f4e86d7e5b9864edcfe0d40031e6a0d6c496c5427d21bcffba26a8

    Download Submit

  • memory/3396-32-0x000000006D080000-0x000000006D57E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3396-0-0x0000000000400000-0x0000000000835000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/4476-35-0x0000000006230000-0x00000000062CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4476-31-0x0000000000E60000-0x0000000000E76000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4476-36-0x0000000006880000-0x0000000006E24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4476-37-0x00000000062D0000-0x0000000006336000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4476-38-0x000000007343E000-0x000000007343F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4476-30-0x000000007343E000-0x000000007343F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4476-44-0x0000000007430000-0x00000000074A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4476-45-0x00000000073B0000-0x00000000073D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/4476-46-0x00000000074B0000-0x00000000074CE000-memory.dmp

    Filesize

    120KB

    Download