Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/04/2024, 01:07
Static task
static1
Behavioral task
behavioral1
Sample
43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe
Resource
win10v2004-20240412-en
General
-
Target
43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe
-
Size
197KB
-
MD5
1f713539b5dbfdf2ef5b0620806af6ee
-
SHA1
a1b82c2f270bef7afd1fc2e5d102832695d06be1
-
SHA256
43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb
-
SHA512
ede9a0fa39da67d7116da9e207807b5bc893a975621e39bb600fc4dac8025ce4ac2faccaf0b98723a3f09050db55dc2498a89ecb203dbd24e5b4bc6f9139bb87
-
SSDEEP
6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOJ:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX4
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2824 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2272 ayahost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Debug\ayahost.exe 43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe File created C:\Windows\Debug\ayahost.exe 43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2236 43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2236 wrote to memory of 2824 2236 43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe 29 PID 2236 wrote to memory of 2824 2236 43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe 29 PID 2236 wrote to memory of 2824 2236 43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe 29 PID 2236 wrote to memory of 2824 2236 43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe"C:\Users\Admin\AppData\Local\Temp\43c794f124ae4ec6e85cd828af00470301c0bbed2e76fc63b95177a7010f0abb.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\43C794~1.EXE > nul2⤵
- Deletes itself
PID:2824
-
-
C:\Windows\Debug\ayahost.exeC:\Windows\Debug\ayahost.exe1⤵
- Executes dropped EXE
PID:2272
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197KB
MD5b0e3fc8e8c3a1c8041966721dd56b624
SHA118e937552d03868fa5d419eb7950fdf041d98e08
SHA2560082fd5e89cb3e8a20424fcdf0b05b922036397784fde7e8b597dc3b9af360a6
SHA5126a8c4832884002d13ff317010d940acb9197853d281d5e072f5dac2a3d36a414be026c0064b9383246ce1619b4f20cc95bc23e5ee28e5129fe948f0cd55157ec