0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe
Size

197KB
MD5

4383704b18dd83c24f9a149050d8c7fa
SHA1

a783147f89cd14a4a57d6653b30bbcd3b0f7e65a
SHA256

0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046
SHA512

e0e548e439a5a7862b9604d4037c2f8681b827c0b509c4098e84ec146a09c45f446ced2dea11d2713bdd1d917708cac11e77d66bfae2eaac46544a37f532abd8
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOE:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	ayahost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\ayahost.exe	0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe
File opened for modification	C:\Windows\Debug\ayahost.exe	0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1332	0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2572	1332	0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe	29
PID 1332 wrote to memory of 2572	1332	0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe	29
PID 1332 wrote to memory of 2572	1332	0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe	29
PID 1332 wrote to memory of 2572	1332	0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe	29

C:\Users\Admin\AppData\Local\Temp\0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe
"C:\Users\Admin\AppData\Local\Temp\0c58f5fcb2b2386a753bed089f63979fe7e922626efc2eb6e1b32aceb5504046.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0C58F5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
1⤵
- Executes dropped EXE
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\ayahost.exe

Filesize
197KB

MD5
d4003ab20fd6abd0a2d5bd4e47db3663

SHA1
2bb2ccdac0ed73ea82ff4c00b26a20a996bf04d7

SHA256
0548da817d0e52cafee89e40ceffe521ee8970361319ca53730cfe528dae6f77

SHA512
879f6d54fe2febbf96e71dd61f2c9d1681d1cddd0a8c88ada92681a445b5eba47e73b5359d463c5790019c29d17edd7e18fb2c3966a67221592806fae0d13b52

Download Submit