55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
Size

210KB
MD5

c520fcd1769620b61125ae6df2ccaabf
SHA1

eb435d105d0f3ccb889cf8cae993861263eb7643
SHA256

55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0
SHA512

253af4180c7535e96e40ff289e899efec23522718b4a90362cc45cb8a3a737bc999184c3a1c8ba3fd2d125517d148ba5976c04d7461bfa4d1270fb75dd75da31
SSDEEP

3072:kIM0v/eJvCeXoBapseh8hqyU4lamrIJDN:kI7Jo8cyU4ldrIR

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

axna.exe

pid process

968 axna.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

580 cmd.exe

pid	process
580	cmd.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exeaxna.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\WINE	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\WINE	axna.exe

Loads dropped DLL 2 IoCs

Processes:

55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe

pid	process
1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

axna.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	axna.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\axna.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Anso\\axna.exe"	axna.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe

description pid process target process

PID 1504 set thread context of 580 1504 55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe cmd.exe

description	pid	process	target process
PID 1504 set thread context of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

axna.exe

pid	process
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe
968	axna.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe

description pid process

Token: SeSecurityPrivilege 1504 55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe

description	pid	process
Token: SeSecurityPrivilege	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exeaxna.exe

description	pid	process	target process
PID 1504 wrote to memory of 968	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	axna.exe
PID 1504 wrote to memory of 968	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	axna.exe
PID 1504 wrote to memory of 968	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	axna.exe
PID 1504 wrote to memory of 968	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	axna.exe
PID 968 wrote to memory of 1260	968	axna.exe	taskhost.exe
PID 968 wrote to memory of 1260	968	axna.exe	taskhost.exe
PID 968 wrote to memory of 1260	968	axna.exe	taskhost.exe
PID 968 wrote to memory of 1260	968	axna.exe	taskhost.exe
PID 968 wrote to memory of 1260	968	axna.exe	taskhost.exe
PID 968 wrote to memory of 1344	968	axna.exe	Dwm.exe
PID 968 wrote to memory of 1344	968	axna.exe	Dwm.exe
PID 968 wrote to memory of 1344	968	axna.exe	Dwm.exe
PID 968 wrote to memory of 1344	968	axna.exe	Dwm.exe
PID 968 wrote to memory of 1344	968	axna.exe	Dwm.exe
PID 968 wrote to memory of 1396	968	axna.exe	Explorer.EXE
PID 968 wrote to memory of 1396	968	axna.exe	Explorer.EXE
PID 968 wrote to memory of 1396	968	axna.exe	Explorer.EXE
PID 968 wrote to memory of 1396	968	axna.exe	Explorer.EXE
PID 968 wrote to memory of 1396	968	axna.exe	Explorer.EXE
PID 968 wrote to memory of 1504	968	axna.exe	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
PID 968 wrote to memory of 1504	968	axna.exe	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
PID 968 wrote to memory of 1504	968	axna.exe	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
PID 968 wrote to memory of 1504	968	axna.exe	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
PID 968 wrote to memory of 1504	968	axna.exe	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 1504 wrote to memory of 580	1504	55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe	cmd.exe
PID 968 wrote to memory of 1552	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1552	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1552	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1552	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1552	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1736	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1736	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1736	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1736	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1736	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 360	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 360	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 360	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 360	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 360	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1460	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1460	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1460	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1460	968	axna.exe	DllHost.exe
PID 968 wrote to memory of 1460	968	axna.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe
"C:\Users\Admin\AppData\Local\Temp\55158c733090bc56f7cad292cee570b704416282063414bb258a7d78d71bd4f0.exe"
2⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Roaming\Anso\axna.exe
"C:\Users\Admin\AppData\Roaming\Anso\axna.exe"
3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp70b99c7b.bat"
3⤵
- Deletes itself
PID:580

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70b99c7b.bat

Filesize
307B

MD5
35f48d309f7ca66d303d7f2034b1a60e

SHA1
1ee411d3915c1733c0f124c4815a0abae5f03448

SHA256
ac2e9bf09aa14f6bd84d3688a7a39c6221148012511ebdca81d09714226c3794

SHA512
07ad186b3c75aea55bb24ec9659e969f882c8024babe817c452dd45bf46eb7de395c4eaf53b61bac16bd455b3d57a7564eae5aeae1aa70aabd9b9dd120537ee1

Download Submit
C:\Users\Admin\AppData\Roaming\Anso\axna.exe

Filesize
210KB

MD5
d57bbf7a52a209b95b5b4ff35575f5c4

SHA1
9b633f190c345bea7f574ede27bf3577eeb44890

SHA256
1e9b06f73db87d39d5ea9b7bd74c7c31eba752bf793611f6d54c8f4c026cfeee

SHA512
6af3f4003380142f8eab05d4aa57943875bd947e5d05bc2e00bec715abf55193d1dc4a0cfc90cda1f728ec133b1eac6b0bec8561eb8290eab6195fa235bb0af7

Download Submit
C:\Users\Admin\AppData\Roaming\Anso\axna.exe

Filesize
210KB

MD5
d57bbf7a52a209b95b5b4ff35575f5c4

SHA1
9b633f190c345bea7f574ede27bf3577eeb44890

SHA256
1e9b06f73db87d39d5ea9b7bd74c7c31eba752bf793611f6d54c8f4c026cfeee

SHA512
6af3f4003380142f8eab05d4aa57943875bd947e5d05bc2e00bec715abf55193d1dc4a0cfc90cda1f728ec133b1eac6b0bec8561eb8290eab6195fa235bb0af7

Download Submit
\Users\Admin\AppData\Roaming\Anso\axna.exe

Filesize
210KB

MD5
d57bbf7a52a209b95b5b4ff35575f5c4

SHA1
9b633f190c345bea7f574ede27bf3577eeb44890

SHA256
1e9b06f73db87d39d5ea9b7bd74c7c31eba752bf793611f6d54c8f4c026cfeee

SHA512
6af3f4003380142f8eab05d4aa57943875bd947e5d05bc2e00bec715abf55193d1dc4a0cfc90cda1f728ec133b1eac6b0bec8561eb8290eab6195fa235bb0af7

Download Submit
\Users\Admin\AppData\Roaming\Anso\axna.exe

Filesize
210KB

MD5
d57bbf7a52a209b95b5b4ff35575f5c4

SHA1
9b633f190c345bea7f574ede27bf3577eeb44890

SHA256
1e9b06f73db87d39d5ea9b7bd74c7c31eba752bf793611f6d54c8f4c026cfeee

SHA512
6af3f4003380142f8eab05d4aa57943875bd947e5d05bc2e00bec715abf55193d1dc4a0cfc90cda1f728ec133b1eac6b0bec8561eb8290eab6195fa235bb0af7

Download Submit
memory/360-122-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/360-123-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/360-121-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/360-120-0x0000000001B60000-0x0000000001B87000-memory.dmp

Filesize
156KB

Download
memory/580-93-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/580-95-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/580-91-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/580-94-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/580-103-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/580-99-0x000000000005CB30-mapping.dmp

Download
memory/968-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/968-96-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/968-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/968-116-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/968-61-0x0000000000000000-mapping.dmp

Download
memory/1260-65-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1260-69-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1260-70-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1260-68-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1260-67-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1344-74-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1344-76-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1344-75-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1344-73-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1396-81-0x0000000002540000-0x0000000002567000-memory.dmp

Filesize
156KB

Download
memory/1396-82-0x0000000002540000-0x0000000002567000-memory.dmp

Filesize
156KB

Download
memory/1396-80-0x0000000002540000-0x0000000002567000-memory.dmp

Filesize
156KB

Download
memory/1396-79-0x0000000002540000-0x0000000002567000-memory.dmp

Filesize
156KB

Download
memory/1460-129-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1460-128-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1460-127-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1460-126-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1504-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1504-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1504-87-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1504-98-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-100-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1504-55-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/1504-57-0x0000000000160000-0x0000000000199000-memory.dmp

Filesize
228KB

Download
memory/1504-85-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1504-86-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1504-88-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1552-106-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1552-109-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1552-108-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1552-107-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1736-112-0x00000000026F0000-0x0000000002717000-memory.dmp

Filesize
156KB

Download
memory/1736-113-0x00000000026F0000-0x0000000002717000-memory.dmp

Filesize
156KB

Download
memory/1736-114-0x00000000026F0000-0x0000000002717000-memory.dmp

Filesize
156KB

Download
memory/1736-115-0x00000000026F0000-0x0000000002717000-memory.dmp

Filesize
156KB

Download