Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/01/2024, 02:33
Behavioral task: behavioral1
Sample: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
Resource: win7-20231129-en
General
Target: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
Size: 48KB
MD5: 1f58a5ef877adab164e528929729d3b0
SHA1: d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
SHA256: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
SHA512: f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d
SSDEEP: 768:8ukLVT0kLd3WULgPdVmo2qDGEZIdeNxsMxPIjqoQcyL0bE0LwylVdTNztVftBDZ1:8ukLVT0Mq12+GeDzujq0yAbE0dlPTN5Z
Malware Config
Extracted
family: asyncrat
version: 0.5.7B
botnet/group: Default
c2: 127.0.0.1:8080, 20.98.203.218:8080
mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: Axenta.exe
install_folder: %AppData%
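The extracted config above already yields host and network hunt indicators, with one caveat a practitioner should not miss: 127.0.0.1:8080 is a loopback placeholder, so only 20.98.203.218:8080 is a routable C2 worth blocking. The following Python is an added example, not part of the sandbox report or of any analysis tool; the dictionary layout, the helper names and the assumption that the sandbox ran as user Admin (so %AppData% resolves to C:\Users\Admin\AppData\Roaming, the path the process tree later shows) are this example's own.

```python
import ipaddress
from pathlib import PureWindowsPath
from typing import Any, Dict, List, Tuple

# Constructed from the "Malware Config" block of the report above
# (values copied from the report; the dict layout is this example's own).
EXTRACTED_CONFIG: Dict[str, Any] = {
    "family": "asyncrat",
    "version": "0.5.7B",
    "botnet": "Default",
    "c2": ["127.0.0.1:8080", "20.98.203.218:8080"],
    "mutex": "AsyncMutex_6SI8OkPnk",
    "delay": 3,
    "install": True,
    "install_file": "Axenta.exe",
    "install_folder": "%AppData%",
}

# Assumption: the sandbox profile ran as user "Admin", as the process tree shows.
SANDBOX_APPDATA = r"C:\Users\Admin\AppData\Roaming"


def routable_c2(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Split host:port C2 entries into ones worth blocking and ones to ignore.

    AsyncRAT configs routinely carry a loopback or private placeholder next to
    the real C2; pushing those into a perimeter block list does nothing useful.
    Hostnames (non-IP literals) are kept for separate resolution.
    """
    keep: List[str] = []
    ignore: List[str] = []
    for entry in entries:
        host, _, _port = entry.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # not an IP literal: a hostname
            keep.append(entry)
            continue
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            ignore.append(entry)
        else:
            keep.append(entry)
    return keep, ignore


def expected_install_path(cfg: Dict[str, Any], appdata: str = SANDBOX_APPDATA) -> str:
    """Resolve install_folder\\install_file to the on-disk path the implant will use.

    Only %AppData% is expanded because it is the only variable in this config;
    returns "" when install is disabled.
    """
    if not cfg.get("install"):
        return ""
    folder = str(cfg["install_folder"]).replace("%AppData%", appdata)
    return str(PureWindowsPath(folder) / str(cfg["install_file"]))


def hunt_indicators(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the extracted config into host and network hunt indicators."""
    keep, ignore = routable_c2(list(cfg["c2"]))
    install_path = expected_install_path(cfg)
    return {
        "family": f'{cfg["family"]} {cfg["version"]}',
        "block_c2": keep,
        "ignored_c2": ignore,
        "mutex": cfg["mutex"],  # named mutex the implant creates on the host
        "install_path": install_path,
        # The report shows the logon task named after the install file's stem
        # (/tn "Axenta" for install_file Axenta.exe); assumed to hold generally.
        "task_name": PureWindowsPath(str(cfg["install_file"])).stem if install_path else "",
        # delay is the argument of the "timeout N" in the install batch file
        # (the report shows "timeout 3" for delay 3).
        "delay_seconds": int(cfg["delay"]),
    }


if __name__ == "__main__":
    for key, value in hunt_indicators(EXTRACTED_CONFIG).items():
        print(f"{key:14} {value}")
```

The install path and task name are what an endpoint sweep should look for; the mutex is the cheapest host check (a single OpenMutex attempt), and the C2 entry that survives routable_c2 is what belongs in network blocks.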
Signatures

Async RAT payload (3 IoCs)
resource | yara_rule
behavioral2/memory/1468-0-0x0000000000740000-0x0000000000752000-memory.dmp | asyncrat
behavioral2/files/0x00020000000228cb-11.dat | asyncrat
behavioral2/files/0x00020000000228cb-12.dat | asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe

Executes dropped EXE (1 IoC)
pid | process
4696 | Axenta.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
3768 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | process
3308 | timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | process
1468 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe (23 identical events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1468 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
Token: SeDebugPrivilege | 4696 | Axenta.exe
Token: SeDebugPrivilege | 4696 | Axenta.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | procid_target
PID 1468 wrote to memory of 3952 | 1468 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe | 94 (3 events)
PID 1468 wrote to memory of 4984 | 1468 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe | 96 (3 events)
PID 3952 wrote to memory of 3768 | 3952 | cmd.exe | 98 (3 events)
PID 4984 wrote to memory of 3308 | 4984 | cmd.exe | 99 (3 events)
PID 4984 wrote to memory of 4696 | 4984 | cmd.exe | 101 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1468

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 3952

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"'
      - Creates scheduled task(s)
      PID: 3768

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp57A5.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 4984

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
      PID: 3308

    C:\Users\Admin\AppData\Roaming\Axenta.exe
      command line: "C:\Users\Admin\AppData\Roaming\Axenta.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 4696
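The process tree above is the AsyncRAT install sequence end to end: the 32-bit sample (the cmd.exe it requested as System32 resolved to SysWOW64) registers an on-logon scheduled task with /rl highest pointing at the dropped copy in %AppData%, then runs a temporary batch file that sleeps with timeout 3 (the config's delay of 3) and launches the dropped copy. The following Python is an added detection example, not part of the report or of any sandbox tooling; the event tuples are constructed from the command lines above, and the rule names, regexes and the user_writable path list are this example's own assumptions about what such a detection should look for.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the process tree in the report above: (pid, parent pid, command line).
# Parent pid 0 marks the submitted sample, whose parent is not part of the tree.
SAMPLE_TREE: List[Tuple[int, int, str]] = [
    (1468, 0, r'"C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"'),
    (3952, 1468, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"' & exit'''),
    (3768, 3952, r"""schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"'"""),
    (4984, 1468, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp57A5.tmp.bat""'),
    (3308, 4984, r"timeout 3"),
    (4696, 4984, r'"C:\Users\Admin\AppData\Roaming\Axenta.exe"'),
]

# Rule patterns (this example's own; tune before deploying against real telemetry).
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
ONLOGON = re.compile(r"/sc\s+onlogon\b", re.I)
HIGHEST_RL = re.compile(r"/rl\s+highest\b", re.I)
TASK_TARGET = re.compile(r"""/tr\s+['"]*([^'"]+)""", re.I)
# cmd /c "<...>\Temp\tmpXXXX.tmp.bat": the batch-file name shown in this report
TEMP_BATCH = re.compile(r"""\bcmd(?:\.exe)?"?\s+/c\s+"*[^"]*?\\Temp\\tmp[0-9A-F]+\.tmp\.bat""", re.I)
TIMEOUT_DELAY = re.compile(r"^\s*timeout(?:\.exe)?\s+(?:/t\s+)?\d+", re.I)


def user_writable(path: str) -> bool:
    """True for locations an unprivileged user can write to; persistence from there is suspect."""
    p = path.lower()
    return any(m in p for m in ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\"))


def flag_event(cmdline: str) -> List[str]:
    """Per-event rules; each hit is a short finding label."""
    findings: List[str] = []
    if SCHTASKS_CREATE.search(cmdline):
        target = TASK_TARGET.search(cmdline)
        if ONLOGON.search(cmdline) and target and user_writable(target.group(1)):
            findings.append("logon task persistence to user-writable path")
        if HIGHEST_RL.search(cmdline):
            findings.append("task requests highest run level")
    if TEMP_BATCH.search(cmdline):
        findings.append("cmd.exe runs a temp batch file")
    if TIMEOUT_DELAY.match(cmdline):
        findings.append("timeout-based execution delay")
    return findings


def triage(events: List[Tuple[int, int, str]]) -> Dict[int, List[str]]:
    """Run the per-event rules over a process list, keyed by pid."""
    return {pid: flag_event(cmd) for pid, _ppid, cmd in events}


def find_delayed_install_chains(events: List[Tuple[int, int, str]]) -> List[Tuple[int, int, str]]:
    """Parent/child correlation: a cmd.exe running a temp .bat whose children are a
    `timeout N` and an executable in a user-writable path. Returns (cmd pid, exe pid, exe path).
    """
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in events}
    children: Dict[int, List[int]] = {}
    for pid, ppid, _ in events:
        children.setdefault(ppid, []).append(pid)
    chains: List[Tuple[int, int, str]] = []
    for pid, (ppid, cmd) in by_pid.items():
        if ppid not in by_pid or not TEMP_BATCH.search(by_pid[ppid][1]):
            continue
        exe = cmd.strip().strip('"')
        siblings = [by_pid[c][1] for c in children.get(ppid, []) if c != pid]
        if (exe.lower().endswith(".exe") and user_writable(exe)
                and any(TIMEOUT_DELAY.match(s) for s in siblings)):
            chains.append((ppid, pid, exe))
    return chains


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_TREE).items():
        print(pid, hits)
    print("delayed-install chains:", find_delayed_install_chains(SAMPLE_TREE))
```

The per-event rules fire on the two schtasks lines, the temp batch launch and the timeout on their own; the chain rule is the one that ties the batch file, the delay and the dropped executable in %AppData% together, which is the signal that survives when the task name or file name changes between builds.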
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 150B
MD5: 0f305e29a9ee82da1333dcae6c19301a
SHA1: 132c532613a4c1e1b30c5d3360e42cfb58dc160b
SHA256: ee1c06179c2e6538f205e1aa463955751846bdcf75b60973f5dd2e5d341c0c62
SHA512: 124024fba05d4ec931f0d45411d237ada8eced9523d9dcbcade1000b63fdc721ecc8ac92027f8303558a28b2d73050b645e5845dcb8cb2b7eed9ea9fde22002e

Filesize: 21KB
MD5: e4f33f71cf19699c4a8ef0ef20ad2da7
SHA1: daddd8b29a70ff3c01ceffb4466c5b5a99a4d51a
SHA256: 842d4a1bad855019b1054a9c4bc080fd21df560f21a95ab3e044f8125797443d
SHA512: 8642b0a1433bf614b03cc0aac94ab39962b2584a9fd39a34c5f1c687c0706a8fbc65e4c86cebb4769870a4c6bafd0255c7253d091bc1bbad03b5199c974ca472

Filesize: 48KB (same hashes as the submitted sample in General above)
MD5: 1f58a5ef877adab164e528929729d3b0
SHA1: d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
SHA256: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
SHA512: f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d