66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe
Size

197KB
MD5

db48b76933051c9637b0836bdaf50ea3
SHA1

f87e36e71a08b34ed5f131bc37dd8fa2c4f96ef4
SHA256

66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0
SHA512

8f0f3b9d14c2ba27ea1c710d09a291bd03681888b5984aa8fc37fb37d42f46a343eb2ed69d6c9b55844fbd7da2ae8bd3e247327a534a1c57e30e806a05daba97
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOo:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXN

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2452	ayahost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ayahost.exe	66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe
File created	C:\Windows\Debug\ayahost.exe	66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1008	66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2556	1008	66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe	29
PID 1008 wrote to memory of 2556	1008	66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe	29
PID 1008 wrote to memory of 2556	1008	66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe	29
PID 1008 wrote to memory of 2556	1008	66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe	29

C:\Users\Admin\AppData\Local\Temp\66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe
"C:\Users\Admin\AppData\Local\Temp\66b67479f7516c50357ea9471771b8eeaac3c6087de921ff91e197bb90812cd0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\66B674~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2556

C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
1⤵
- Executes dropped EXE
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\ayahost.exe

Filesize
197KB

MD5
79a6e9ba573a925c9b5318cadc2c1f71

SHA1
127a296232aa31e8733236ad319a9f23d427d132

SHA256
c7c24006d85c523c09d2a099f9a8c95bb22a3639db700fcb929d8bcb81e6a687

SHA512
efc78137e1e06fe97a7c27b6a6765c4b768fcaff043c747bf6bca3e7d3885b926922fbb11e4bb2b9aabc134e4a313133516349dd1fc83a93ba4ac2cd736028e9

Download Submit