7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe
Size

196KB
MD5

60cd6708df6052ad1b362ee115cfeb38
SHA1

4a5c7729cd1004fd888fc2bb19a0395b229d494b
SHA256

7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd
SHA512

ee8f99db2105fbb94f455cf5f0929dc3dac0b773d2a74bbfc751644a98f634b9767cc24691e6496d46f03ff4c0a70b75eb43ee27d23d61ace23baaeb4c641be4
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO6:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe

Executes dropped EXE 1 IoCs

pid	Process
408	eiyhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\eiyhost.exe	7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe
File opened for modification	C:\Windows\Debug\eiyhost.exe	7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1944	7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 3020	1944	7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe	85
PID 1944 wrote to memory of 3020	1944	7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe	85
PID 1944 wrote to memory of 3020	1944	7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe	85

C:\Users\Admin\AppData\Local\Temp\7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe
"C:\Users\Admin\AppData\Local\Temp\7490b7cdec04445bb44c6cac3e7fe9fd9199539299128b060c7f96d0abc26cfd.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7490B7~1.EXE > nul
  2⤵
  PID:3020

C:\Windows\Debug\eiyhost.exe
C:\Windows\Debug\eiyhost.exe
1⤵
- Executes dropped EXE
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\eiyhost.exe

Filesize
196KB

MD5
828fdd2d8b46d3cc389c94ce1cc523f0

SHA1
d36ed0e76f9e3da2d7d25900146e8133d51431b3

SHA256
c304a561183a3f6e79254c2112cbdf4ea4740e3fd21df66e97ca8067864b8d1c

SHA512
901cab725230d397e43084f5237a0ee704eb980bb3d9789c9a1bd95c83707759e22c700b08ef7c55cf11bbeba16daa8ca0a8beca0a22757b312a0363b8b4acd5

Download Submit