Analysis

Max time kernel: 143s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23/01/2024, 08:52
Behavioral task: behavioral1
Sample: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
Resource: win7-20231129-en
General

Target: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
Size: 48KB
MD5: 1f58a5ef877adab164e528929729d3b0
SHA1: d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
SHA256: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
SHA512: f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d
SSDEEP: 768:8ukLVT0kLd3WULgPdVmo2qDGEZIdeNxsMxPIjqoQcyL0bE0LwylVdTNztVftBDZ1:8ukLVT0Mq12+GeDzujq0yAbE0dlPTN5Z
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 127.0.0.1:8080, 20.98.203.218:8080
Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: Axenta.exe
- install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/1152-0-0x0000000000CA0000-0x0000000000CB2000-memory.dmp | asyncrat
  behavioral2/memory/1152-2-0x0000000005610000-0x0000000005620000-memory.dmp | asyncrat
  behavioral2/files/0x0009000000023142-11.dat | asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4872 | Axenta.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4532 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid | Process
  4700 | timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process
  1152 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe (23 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1152 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
  Token: SeDebugPrivilege | 4872 | Axenta.exe
  Token: SeDebugPrivilege | 4872 | Axenta.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 1152 wrote to memory of 1636 | 1152 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe | 93 (3 identical entries)
  PID 1152 wrote to memory of 2436 | 1152 | 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe | 97 (3 identical entries)
  PID 2436 wrote to memory of 4700 | 2436 | cmd.exe | 96 (3 identical entries)
  PID 1636 wrote to memory of 4532 | 1636 | cmd.exe | 95 (3 identical entries)
  PID 2436 wrote to memory of 4872 | 2436 | cmd.exe | 100 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639.exe"
  PID: 1152
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"' & exit
    PID: 1636
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Axenta" /tr '"C:\Users\Admin\AppData\Roaming\Axenta.exe"'
      PID: 4532
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp611B.tmp.bat""
    PID: 2436
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Axenta.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Axenta.exe"
      PID: 4872
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\timeout.exe
  Command line: timeout 3
  PID: 4700
  - Delays execution with timeout.exe
Downloads

Filesize: 150B
MD5: e5683e9b399ba8c585895838e1f4d6f3
SHA1: 547bd9a7f595b7a7d7b48d5b144eb2c0db3429dc
SHA256: 2e89febc7b91ed7f3f740b7d5957dddcc6d48ff03ef2be3e401d2c5b68a548c0
SHA512: 9fa4d00e62f47cd87f7be0da1c57e84a6085a66d4702ee07e6342f5ad622919220a013a520da24b4b927dfade57f4197c0e36330fc98383dab51179ece47c744

Filesize: 48KB
MD5: 1f58a5ef877adab164e528929729d3b0
SHA1: d1aa7ed83011d8b5c72c875f0e30ccc31d6c245d
SHA256: 01ba5474eb258af7537da60d65d652a9f6acd92c7f0799db01356261f019c639
SHA512: f7698c86454d034460946effb224c2922806b5c39686ef9817befecb033f72a9d03f400baaa69516396756e80ebfc63f7ed8f1b60eaf5f4702c4ccfc964ae03d