43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe
Size

197KB
MD5

1f713539b5dbfdf2ef5b0620806af6ee
SHA1

a1b82c2f270bef7afd1fc2e5d102832695d06be1
SHA256

43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb
SHA512

ede9a0fa39da67d7116da9e207807b5bc893a975621e39bb600fc4dac8025ce4ac2faccaf0b98723a3f09050db55dc2498a89ecb203dbd24e5b4bc6f9139bb87
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOJ:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2824	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2272	ayahost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ayahost.exe	43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe
File created	C:\Windows\Debug\ayahost.exe	43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2824	2236	43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe	29
PID 2236 wrote to memory of 2824	2236	43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe	29
PID 2236 wrote to memory of 2824	2236	43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe	29
PID 2236 wrote to memory of 2824	2236	43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe	29

C:\Users\Admin\AppData\Local\Temp\43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe
"C:\Users\Admin\AppData\Local\Temp\43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\43C794~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2824

C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
1⤵
- Executes dropped EXE
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\ayahost.exe

Filesize
197KB

MD5
b0e3fc8e8c3a1c8041966721dd56b624

SHA1
18e937552d03868fa5d419eb7950fdf041d98e08

SHA256
0082fd5e89cb3e8a20424fcdf0b05b922036397784fde7e8b597dc3b9af360a6

SHA512
6a8c4832884002d13ff317010d940acb9197853d281d5e072f5dac2a3d36a414be026c0064b9383246ce1619b4f20cc95bc23e5ee28e5129fe948f0cd55157ec

Download Submit