Overview

overview

8

Static

static

3

4a8bddd108...5c.exe

windows7-x64

8

4a8bddd108...5c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/04/2024, 10:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a8bddd108ca8374fbd710cb750c4c5c.exe

  • Size

    95KB

  • MD5

    4a8bddd108ca8374fbd710cb750c4c5c

  • SHA1

    f633b6580d1903eb8f3c5c9bbccc406f7a532c2f

  • SHA256

    e1a3b1a7b3f392fcad1c1fd1104e09b64040f5464c8cecd8a0168a4b6056bae6

  • SHA512

    e04aab60a8b8ce657967d02e79292b6322b87f63e993940906a3d19d9c3f9897f1139cf0c53c8989495821ccbcab8589ab61bf75e961c332767a8544e0cb3887

  • SSDEEP

    1536:lDcfLfIb5Ep1uzgyXVdtnlHNWnnn3CCCCrrDRe6661:lD2LTnuzgyXVd1xIDU6661

Score
8/10
evasion

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a8bddd108ca8374fbd710cb750c4c5c.exe
    "C:\Users\Admin\AppData\Local\Temp\4a8bddd108ca8374fbd710cb750c4c5c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\aiyhost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4A8BDD~1.EXE > nul
      2⤵
        PID:1128
    • C:\Windows\Debug\aiyhost.exe
      C:\Windows\Debug\aiyhost.exe
      1⤵
      • Executes dropped EXE
      PID:464

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\debug\aiyhost.exe
      Filesize

      95KB

      MD5

      204fa649d276244bc50222f14cf83407

      SHA1

      385aab2f3a8b32467f689669795f3d2c29d133d4

      SHA256

      a5c4f3a3309cf1bad7fd15b6e14bccf15b0c5c4697e8ca655de506c25abe2438

      SHA512

      abf1de0c7e96989feb7caeda7ea5132ccc8918d0e43cc30715dc9155798db37e0fcf4352468d04a73cbdccdeb475e08f6184b3095a6f5ba1a7b6b261f9ab058f

      Download Submit

    • memory/464-5-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/464-7-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4420-0-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4420-6-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download