Analysis
max time kernel: 137s
max time network: 147s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 23/01/2024, 02:33
Behavioral task: behavioral1
Sample: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
Resource: win7-20231129-en
General
Target: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
Size: 48KB
MD5: 1f58a5ef877adab164e528929729d3b0
SHA1: d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
SHA256: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
SHA512: f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d
SSDEEP: 768:8ukLVT0kLd3WULgPdVmo2qDGEZIdeNxsMxPIjqoQcyL0bE0LwylVdTNztVftBDZ1:8ukLVT0Mq12+GeDzujq0yAbE0dlPTN5Z
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 127.0.0.1:8080, 20.98.203.218:8080
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
delay: 3
install: true
install_file: Axenta.exe
install_folder: %AppData%

Notes on the extracted values: 127.0.0.1:8080 is a loopback address and cannot be a remote controller, so the only routable C2 candidate in this configuration is 20.98.203.218:8080. The mutex AsyncMutex_6SI8OkPnk and the group name Default are the values shipped in the public AsyncRAT source, so they identify the family rather than this particular operator; the C2 host, the task name Axenta and the install file name are the indicators specific to this build. The delay of 3 matches the "timeout 3" call in the process tree below, and install_folder %AppData% matches the C:\Users\Admin\AppData\Roaming\Axenta.exe path the sample writes.
Signatures
- Async RAT payload (3 IoCs)
  yara_rule asyncrat matched on:
  behavioral1/memory/1996-0-0x0000000001270000-0x0000000001282000-memory.dmp
  behavioral1/files/0x0009000000014826-13.dat
  behavioral1/memory/2268-16-0x0000000000F40000-0x0000000000F52000-memory.dmp
  (the original process 1996, the dropped file, and the dropped copy running as 2268 all match the same rule)
- Executes dropped EXE (1 IoC)
  pid 2268, Axenta.exe
- Loads dropped DLL (1 IoC)
  pid 1260, cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2628, schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid 2644, timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1996, 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe (logged twice)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 1996, 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
  Token: SeDebugPrivilege, pid 2268, Axenta.exe (logged twice)
- Suspicious use of WriteProcessMemory (20 IoCs; each parent/child pair below appears four times in the raw hook log)
  description | pid | Process | procid_target
  PID 1996 wrote to memory of 3012 | 1996 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe | 28
  PID 1996 wrote to memory of 1260 | 1996 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe | 30
  PID 3012 wrote to memory of 2628 | 3012 | cmd.exe | 32
  PID 1260 wrote to memory of 2644 | 1260 | cmd.exe | 33
  PID 1260 wrote to memory of 2268 | 1260 | cmd.exe | 34
  (every write targets a process the writer has just spawned, which is the normal parent/child startup pattern rather than injection into an unrelated process)
Processes
1. C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"
   PID: 1996
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"' & exit
      PID: 3012
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         command line: schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"'
         PID: 2628
         - Creates scheduled task(s)
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp.bat""
      PID: 1260
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         command line: timeout 3
         PID: 2644
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\Axenta.exe
         command line: "C:\Users\Admin\AppData\Roaming\Axenta.exe"
         PID: 2268
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

Reading the tree: the original process (1996) first registers a logon-triggered scheduled task named Axenta that runs the %AppData% copy, then hands off to a batch file in Temp which waits 3 seconds (the configured delay) and starts that copy. The copy (2268), not the original, is the persistent AsyncRAT client; both stages request SeDebugPrivilege. The /rl highest flag makes the task run with the user's highest available token, so on an account that belongs to Administrators the client starts elevated at every logon without a UAC prompt. The sample is a 32-bit process: the System32 paths it asks for resolve to SysWOW64 through WoW64 file-system redirection, which is why the image paths and the command lines differ.
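The schtasks-plus-tmp.bat chain above is the install routine to hunt for on endpoint process-creation telemetry. The following is an added detection example written for this page, not code from the sandbox vendor or from the report; it runs over constructed process records modelled on the tree (same PIDs, images and command lines, with the ProcEvent shape, rule names and severities being this example's own choices, and the sample's unknown parent PID set to 0). It parses the schtasks /create arguments, flags a logon task whose target lives in a user-writable directory, and links it to a Temp *.tmp.bat that sleeps with timeout.exe and then launches a payload from the same path.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal stand-in for a Sysmon Event ID 1 / Security 4688 record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records modelled on the process tree in this report (example data).
SAMPLE = "01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\Axenta.exe"
TASK_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "Axenta" '
            "/tr '\"" + ROAMING_EXE + "\"'")
SAMPLE_EVENTS = [
    ProcEvent(1996, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(3012, 1996, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c ' + TASK_CMD + " & exit"),
    ProcEvent(2628, 3012, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
    ProcEvent(1260, 1996, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + TEMP + '\\tmp2961.tmp.bat""'),
    ProcEvent(2644, 1260, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2268, 1260, ROAMING_EXE, '"' + ROAMING_EXE + '"'),
]

# One schtasks argument: runs of single- or double-quoted text or bare characters,
# so the nested quoting  /tr '"C:\...\Axenta.exe"'  is captured as a whole.
ARG = r"""((?:'[^']*'|"[^"]*"|\S)+)"""
TN_RE = re.compile(r"/tn\s+" + ARG, re.I)
TR_RE = re.compile(r"/tr\s+" + ARG, re.I)
SC_RE = re.compile(r"/sc\s+(\S+)", re.I)
RL_RE = re.compile(r"/rl\s+(\S+)", re.I)
CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
TMP_BAT_RE = re.compile(r"\\temp\\\S*?\.tmp\.bat", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """Directories a standard user can write to (heuristic list, not exhaustive)."""
    p = path.lower()
    return any(m in p for m in ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                                "\\programdata\\", "\\users\\public\\"))


def extract_task(cmdline):
    """Parse a 'schtasks /create' command line; None for anything else."""
    if not CREATE_RE.search(cmdline):
        return None

    def grab(rx):
        m = rx.search(cmdline)
        return m.group(1).strip("'\"") if m else None

    return {"name": grab(TN_RE), "target": grab(TR_RE),
            "schedule": (grab(SC_RE) or "").lower(),
            "runlevel": (grab(RL_RE) or "").lower()}


def analyze(events):
    """Findings for both halves of the install routine: a logon task aimed at a
    user-writable path, and a Temp *.tmp.bat that delays then launches a payload
    from a user-writable path (ideally the very file the task points at)."""
    findings, children, task_targets = [], defaultdict(list), {}
    for e in events:
        children[e.ppid].append(e)

    for e in events:
        if basename(e.image) != "schtasks.exe":
            continue
        t = extract_task(e.cmdline)
        if t and t["target"] and is_user_writable(t["target"]):
            task_targets[t["target"].lower()] = t["name"]   # lower-cased /tr path -> task name
            # onlogon + highest is what this sample uses; other combinations still rate a look
            high = (t["schedule"], t["runlevel"]) == ("onlogon", "highest")
            findings.append({"rule": "logon_task_to_user_writable_path", "pid": e.pid,
                             "task": t["name"], "target": t["target"],
                             "severity": "high" if high else "medium"})

    for e in events:
        if basename(e.image) != "cmd.exe" or not TMP_BAT_RE.search(e.cmdline):
            continue
        kids = children[e.pid]
        delayed = any(basename(k.image) == "timeout.exe" for k in kids)
        for k in kids:
            if not is_user_writable(k.image):
                continue
            linked = task_targets.get(k.image.lower())
            findings.append({"rule": "tmp_bat_delayed_payload_launch", "pid": e.pid,
                             "payload_pid": k.pid, "payload": k.image, "delayed": delayed,
                             "linked_task": linked,
                             "severity": "high" if (delayed and linked) else "medium"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Against the constructed events the first rule fires on PID 2628 (task Axenta, target in AppData\Roaming, onlogon + highest) and the second on PID 1260, with the payload PID 2268 linked back to the task because its image path equals the /tr argument. On real telemetry, feed the same fields from Sysmon or 4688 events; the correlation across the two cmd.exe branches is what separates this pattern from an ordinary installer that creates a task.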
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 150B
  MD5: ccdbda6c146a55e7bd487c0086097773
  SHA1: dc186d572413360e81a88ac5dac03f1962438622
  SHA256: 6fbbd04203909c50c5ffda444f62344b0f96aa43a51caca7d2d9920909a3eb24
  SHA512: 1e0595f5f94caf324adaf2a4f943ba9fae4cf3a325fc59c64cc0b72ecb53be9b2dd93ceff399147546b9fab21928f651f7f789214c76bd91674794945e22a2bf
- File 2 (same hashes as the submitted sample)
  Filesize: 48KB
  MD5: 1f58a5ef877adab164e528929729d3b0
  SHA1: d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
  SHA256: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
  SHA512: f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d