1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe
Size

99KB
MD5

94efa2a5a4ff118f39f86b1b6fd76dde
SHA1

0e8be7072f9b99969caf26a7f30beb341107e904
SHA256

1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2
SHA512

21d6354ac44dc2279bbf7b7c72e2649be62ab2b9d13ca8eee5ef86aaa3315f6c4986c6b0bd05e5e63776ffde5c249afb59a9291ae7f9944499decc8c86382514
SSDEEP

1536:MDcfLfIb5Ep1uzgyXVdtnqHNWnnn3CCCCrrDRNxUUUkmbbbR:MD2LTnuzgyXVd1mID4bbbR

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4476	aiyhost.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1572	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Debug\aiyhost.exe	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe
File opened for modification	C:\Windows\Debug\aiyhost.exe	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe
File opened for modification	C:\Windows\Debug\aiyhost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aiyhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	aiyhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1256	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1572	1256	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe	82
PID 1256 wrote to memory of 1572	1256	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe	82
PID 1256 wrote to memory of 1572	1256	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe	82
PID 1256 wrote to memory of 5020	1256	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe	85
PID 1256 wrote to memory of 5020	1256	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe	85
PID 1256 wrote to memory of 5020	1256	1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1572	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe
"C:\Users\Admin\AppData\Local\Temp\1e1db2b5f2612e3361d65efd5ac54d71bc9ca7ec6a2f51712a695ebe7480dce2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\aiyhost.exe
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1E1DB2~1.EXE > nul
  2⤵
  PID:5020

C:\Windows\Debug\aiyhost.exe
C:\Windows\Debug\aiyhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\aiyhost.exe

Filesize
99KB

MD5
e02e8f5caf78684d434f45098da12fc2

SHA1
e33d856ddac6b321490c86d8874ff274fa26c134

SHA256
b4d23eb6650f3cfae4873d4ecde522af9ba641cacc27080c7f27eac8396db95a

SHA512
0546caff5af6a74d965598bcbafba77bd199da31b4a93e2e32f1e3d326ca6410d8ee0df23bfd388eb62b5b5ee78811d90315e31b783e472eeb04b0a761a4169f

Download Submit
C:\Windows\debug\aiyhost.exe

Filesize
99KB

MD5
e02e8f5caf78684d434f45098da12fc2

SHA1
e33d856ddac6b321490c86d8874ff274fa26c134

SHA256
b4d23eb6650f3cfae4873d4ecde522af9ba641cacc27080c7f27eac8396db95a

SHA512
0546caff5af6a74d965598bcbafba77bd199da31b4a93e2e32f1e3d326ca6410d8ee0df23bfd388eb62b5b5ee78811d90315e31b783e472eeb04b0a761a4169f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads