306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21

Analysis

max time kernel
142s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe
Size

198KB
MD5

b6d5d2be416d49e39c063d9a5764dd8a
SHA1

ab76ff11471a1babee9994feb5a520e483cbdd43
SHA256

306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21
SHA512

0198a6077d884f61a7ba4260b5d194f571501db1452f30d1fd357570f10856326454efbd16ae0f37d4060e00ef3439d9ea0926ec35d97290603e505f343bfdf1
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOA:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	ayahost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\ayahost.exe	306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe
File opened for modification	C:\Windows\Debug\ayahost.exe	306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ayahost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ayahost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2452	306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1932	2452	306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe	29
PID 2452 wrote to memory of 1932	2452	306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe	29
PID 2452 wrote to memory of 1932	2452	306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe	29
PID 2452 wrote to memory of 1932	2452	306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe	29

C:\Users\Admin\AppData\Local\Temp\306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe
"C:\Users\Admin\AppData\Local\Temp\306be0c3019ea54c53df124f0817b65c440d8732f7c0ab7acf1ec06ee83b9f21.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\306BE0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1932

C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\ayahost.exe

Filesize
198KB

MD5
175c162efe2cdc6ac64b90eb8bca83cc

SHA1
05fc0b1c5631ba6227ecb8a4d61f45c1ee6f2b78

SHA256
cb1aa20301d68c042453d33842d43115cd756257bee6e95f85cb38a7d329c921

SHA512
52adabdf256d3be3dfa21ea987b693842531d7b6afac3694a907df2621d99dba9e12e8ec4a19256d8eabe89af244c7b9df9289b4632429b68c9e35b08b046528

Download Submit
C:\Windows\debug\ayahost.exe

Filesize
198KB

MD5
175c162efe2cdc6ac64b90eb8bca83cc

SHA1
05fc0b1c5631ba6227ecb8a4d61f45c1ee6f2b78

SHA256
cb1aa20301d68c042453d33842d43115cd756257bee6e95f85cb38a7d329c921

SHA512
52adabdf256d3be3dfa21ea987b693842531d7b6afac3694a907df2621d99dba9e12e8ec4a19256d8eabe89af244c7b9df9289b4632429b68c9e35b08b046528

Download Submit