Overview

overview

7

Static

static

3

9a928cc3a3...db.exe

windows7-x64

7

9a928cc3a3...db.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 01:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9a928cc3a35b6c37fb0e34286f52aa51539b1cceb77766d2577bc39b454867db.exe

  • Size

    198KB

  • MD5

    d05e1be9861f8a1235f5644583c5ba67

  • SHA1

    d530c4c099f1ddd2e35c2f6545f65e91f8610d02

  • SHA256

    9a928cc3a35b6c37fb0e34286f52aa51539b1cceb77766d2577bc39b454867db

  • SHA512

    a09e2541ce5846b0f6e26ab02dc3d24fba361d81a94cac28621a253758d846d25d9069ada4925f438b532be5ce0a66acb49e90481073cc8beac794fa2898bf8f

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOt:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXY

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a928cc3a35b6c37fb0e34286f52aa51539b1cceb77766d2577bc39b454867db.exe
    "C:\Users\Admin\AppData\Local\Temp\9a928cc3a35b6c37fb0e34286f52aa51539b1cceb77766d2577bc39b454867db.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9A928C~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2140
  • C:\Windows\Debug\ayahost.exe
    C:\Windows\Debug\ayahost.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    PID:280

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\Debug\ayahost.exe
          Filesize

          198KB

          MD5

          a1c0ba2a1523a2d4d33357b8b627d6af

          SHA1

          426a220e3971b04f891365fc9da639384cf669c0

          SHA256

          da1ce35ba54db028bef4db4cf95d99af2f44b5782c5e32cb394d10e4ce149587

          SHA512

          0fac3a91a7bc6e28bd2c4080b7c81494f981144d012821249437ad7e1164b820ceb312edda4909417ea8a5a1d3e08a110d067694a540e414686c0706d49c3e4f

          Download Submit

        • C:\Windows\debug\ayahost.exe
          Filesize

          198KB

          MD5

          a1c0ba2a1523a2d4d33357b8b627d6af

          SHA1

          426a220e3971b04f891365fc9da639384cf669c0

          SHA256

          da1ce35ba54db028bef4db4cf95d99af2f44b5782c5e32cb394d10e4ce149587

          SHA512

          0fac3a91a7bc6e28bd2c4080b7c81494f981144d012821249437ad7e1164b820ceb312edda4909417ea8a5a1d3e08a110d067694a540e414686c0706d49c3e4f

          Download Submit