Analysis Overview
SHA256
052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e
Threat Level: Known bad
The file 052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e was found to be: Known bad.
Malicious Activity Summary
Detects Windows executables referencing non-Windows User-Agents
UPX dump on OEP (original entry point)
Sets file to hidden
Executes dropped EXE
Checks computer location settings
UPX packed file
Deletes itself
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-13 18:45
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 18:45
Reported
2024-06-13 18:47
Platform
win7-20240508-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\ayahost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\ayahost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\Debug\ayahost.exe | C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe | N/A |
| File opened for modification | C:\Windows\Debug\ayahost.exe | C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe
"C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\052CDF~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | iwPV5m9Y4.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | vtrs6X9ETN.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 8qWpg0Wmug.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | LJmkTtqKz.nnnn.eu.org | udp |
Files
memory/2932-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\Debug\ayahost.exe
| MD5 | 3ad5d86e45a45b881531d586fa14893b |
| SHA1 | cedbf3c1cbff795d0c1c9b51662626e68199c4c8 |
| SHA256 | 95589526408887c58c2c3149ff9555ba0db87de02916a749a8cd78585fa556f7 |
| SHA512 | 094127cbaef89f7eb0b31821d750edbb39ce9534743c19b520e6e606dee3f025b73efbd92d1383df60a3d630c6f8abd802651ecffd3c597d10696b70c128fd5e |
memory/2072-5-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2932-7-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2072-8-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2072-9-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2072-13-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2072-18-0x0000000000400000-0x0000000000417000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 18:45
Reported
2024-06-13 18:47
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\uauhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\uauhost.exe | C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe | N/A |
| File opened for modification | C:\Windows\Debug\uauhost.exe | C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe | N/A |
| File opened for modification | C:\Windows\Debug\uauhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe
"C:\Users\Admin\AppData\Local\Temp\052cdfd178c797de657b148d8573510ccff06607c4d87d7efa0a903f8406930e.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\uauhost.exe
C:\Windows\Debug\uauhost.exe
C:\Windows\Debug\uauhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\052CDF~1.EXE > nul
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | bjRCIvNaRs.nnnn.eu.org | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | og69sOk8M.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | SjQw0gQ3PF.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | fg5ta9n7qY.nnnn.eu.org | udp |
Files
memory/1060-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Windows\debug\uauhost.exe
| MD5 | f637baaa5e0c674e777f130e6e9cc7fd |
| SHA1 | 8bc11c143146cb7b8091d2be7017df0df7bca7a0 |
| SHA256 | e153c529175a6eec386327900f95aa677e1c06c7f5345f779170b9f859964853 |
| SHA512 | d591c8f5b971934da395f38b2090decc8bc7998b9179d12ed786cba6db218deaa72adc04601b1d88c2bbd3b39948c5e8e89aa29610749da8b14c3ef9a3b33199 |
memory/2668-5-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2668-7-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2668-8-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2668-12-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2668-15-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2668-19-0x0000000000400000-0x0000000000417000-memory.dmp