62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489

Analysis

max time kernel
141s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe
Size

196KB
MD5

7c01321a7f15588bc14f51e17b93c39e
SHA1

be4b99bdbb340a1efb7c83f304ecfae73eff484f
SHA256

62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489
SHA512

ccd7a500478bc33a9709a241919ddfb51247810c99fec16fbdfcf9441fb7426fd24965bad92f66bad462f2f9664e02136a1c08b1bc61f015cd35fe92d2ed5537
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOE:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	aiyhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\aiyhost.exe	62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe
File opened for modification	C:\Windows\Debug\aiyhost.exe	62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	aiyhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aiyhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4800	62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2268	4800	62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe	31
PID 4800 wrote to memory of 2268	4800	62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe	31
PID 4800 wrote to memory of 2268	4800	62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe	31

C:\Users\Admin\AppData\Local\Temp\62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe
"C:\Users\Admin\AppData\Local\Temp\62a5c19070aa0b4ea6d01478739af85b64dd40aefd84fdcbcc41443677df5489.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\62A5C1~1.EXE > nul
  2⤵
  PID:2268

C:\Windows\Debug\aiyhost.exe
C:\Windows\Debug\aiyhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\aiyhost.exe

Filesize
32KB

MD5
afb73d804e690179a4765aa21cfa0e1c

SHA1
1cebf5de1c4114ceb419e7719ad638169ed60684

SHA256
2842c9d6cbbf7a851076e39a7c96f021434495cd5ff55a22d068dfdaf9463ce4

SHA512
dc91963cac769b8f4f445f95f15d5407fdeb325981aabdc3f564b5075c84b7812d8660176de4fe333f4b828609f7bbb841e327d95f8898db2e69ee25b96cdb90

Download Submit
C:\Windows\debug\aiyhost.exe

Filesize
46KB

MD5
c0b03cd223bac2232a45be46235a3c34

SHA1
4b760e72a5181114991c007b63d84c7ac0f11ed8

SHA256
56f9e59b2f06a901811bcf7e497c1df60e5b7923b4d42312695e108aa891e322

SHA512
8156092de491753d1736ce64fe752fee34e23276996a3d7739a9cf6695ddd4d3777ce3b939ac85134c1ea81b299826d6fb189cb6f782ae8f2910adcdac9e8a53

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads