d465c67c0fa0072fa1da23b8c24478dc027f79610d81e0797491aea6581e1b75

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae4832af15cb2ee454df76e85b78e2f0N.exe
Size

55KB
MD5

ae4832af15cb2ee454df76e85b78e2f0
SHA1

2016c97333517de9691867aee7b451ca8a10a2ea
SHA256

d465c67c0fa0072fa1da23b8c24478dc027f79610d81e0797491aea6581e1b75
SHA512

699c67888947f8038edec0b7dafecfcdec8682217a76298dea6b34afed2a3fd8deef153cc7805fa055e15affad5c277e5af3a3a83e515977744e7002c4af7486
SSDEEP

1536:hvQoLHjw2iWPKMvw71/RLyX3Gvooodwwwt111W:hv5Ls27BIJ/RLyX3qooodwwwt111W

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	ayahost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\ayahost.exe	ae4832af15cb2ee454df76e85b78e2f0N.exe
File opened for modification	C:\Windows\Debug\ayahost.exe	ae4832af15cb2ee454df76e85b78e2f0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ayahost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ayahost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2740	ae4832af15cb2ee454df76e85b78e2f0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2768	2740	ae4832af15cb2ee454df76e85b78e2f0N.exe	31
PID 2740 wrote to memory of 2768	2740	ae4832af15cb2ee454df76e85b78e2f0N.exe	31
PID 2740 wrote to memory of 2768	2740	ae4832af15cb2ee454df76e85b78e2f0N.exe	31
PID 2740 wrote to memory of 2768	2740	ae4832af15cb2ee454df76e85b78e2f0N.exe	31

C:\Users\Admin\AppData\Local\Temp\ae4832af15cb2ee454df76e85b78e2f0N.exe
"C:\Users\Admin\AppData\Local\Temp\ae4832af15cb2ee454df76e85b78e2f0N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\AE4832~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\ayahost.exe

Filesize
55KB

MD5
676ecb661499e47e60d4cacc7e918b54

SHA1
d050f41d7dc2add3cd4766149d18bbcb8888cd9a

SHA256
bbd66825ad77aa103503b88a8b8683b639cfc835b283623bd50e933d7c1da82e

SHA512
6f2e62c8f856e6cf0712c409874da4c674b6a7d28d3f5aa1a077a23f569e88eb54d6b6deef28d53747ee9d5f15fec1c409d84f326a0011ef5c9422758bc58563

Download Submit