0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 20:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe
Size

196KB
MD5

6b64dcd8042024a8bb19380a26ef1f49
SHA1

9c4f122a1557ed224f13c2c5049fbb8b92484b84
SHA256

0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a
SHA512

277315dae5738d7e33541e6640f3f0b4bd27933bba6c583c27a500e19d3ecb726e473fc119644ec3ba8f1fc69661e9bf3a52aab9885077e3838efd8195443d9d
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOi:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	ayahost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ayahost.exe	0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe
File created	C:\Windows\Debug\ayahost.exe	0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3052	2360	0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe	29
PID 2360 wrote to memory of 3052	2360	0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe	29
PID 2360 wrote to memory of 3052	2360	0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe	29
PID 2360 wrote to memory of 3052	2360	0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe	29

C:\Users\Admin\AppData\Local\Temp\0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe
"C:\Users\Admin\AppData\Local\Temp\0fd849bda2582bfef56e9a830f357e9f4640e18b3ee470590937f69be9e3e68a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0FD849~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3052

C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
1⤵
- Executes dropped EXE
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\ayahost.exe

Filesize
196KB

MD5
ee062975c37e37aa1cdbd7c2ab6cf35d

SHA1
88dc06b3d668d0696feab99de2462a422f54192c

SHA256
e1b757acfae12df8b4264bba813ee41753469a1eae2af15e765e6b83bf21beec

SHA512
6ae087f6a81d4707ccb3dc590662a56d4a3e6ce44b203533fa050509b00095526a637e5150d1ff50a78a27d691d72bf7db30a860f981afec4887d17956499a97

Download Submit