Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19/08/2024, 01:48
Static task
static1
Behavioral task
behavioral1
Sample
20d15ddc7fc533320470adb46b29a0c0N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
20d15ddc7fc533320470adb46b29a0c0N.exe
Resource
win10v2004-20240802-en
General
-
Target
20d15ddc7fc533320470adb46b29a0c0N.exe
-
Size
55KB
-
MD5
20d15ddc7fc533320470adb46b29a0c0
-
SHA1
691982118324ce183649863e3031f5fcc998c703
-
SHA256
f22fdab0a86dda1291d49f719577c25c29d0645bc70f69ab7e7af2d1a847fd8e
-
SHA512
78b197060724bb962473bd4ba00db6253dd86501bbd16bdd0f41c4eab59792fc07393fbf15ae14addbf21b272e3d38bc33cc766f9aa3441ec6ad8905a3bba60b
-
SSDEEP
1536:hvQoLHjw2iWPKMvw71/RLyX3NvvvZeee5w:hv5Ls27BIJ/RLyX3HeeeS
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1412 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2776 ayahost.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Debug\ayahost.exe 20d15ddc7fc533320470adb46b29a0c0N.exe File opened for modification C:\Windows\Debug\ayahost.exe 20d15ddc7fc533320470adb46b29a0c0N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20d15ddc7fc533320470adb46b29a0c0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ayahost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ayahost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ayahost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1628 20d15ddc7fc533320470adb46b29a0c0N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1412 1628 20d15ddc7fc533320470adb46b29a0c0N.exe 31 PID 1628 wrote to memory of 1412 1628 20d15ddc7fc533320470adb46b29a0c0N.exe 31 PID 1628 wrote to memory of 1412 1628 20d15ddc7fc533320470adb46b29a0c0N.exe 31 PID 1628 wrote to memory of 1412 1628 20d15ddc7fc533320470adb46b29a0c0N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\20d15ddc7fc533320470adb46b29a0c0N.exe"C:\Users\Admin\AppData\Local\Temp\20d15ddc7fc533320470adb46b29a0c0N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\20D15D~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1412
-
-
C:\Windows\Debug\ayahost.exeC:\Windows\Debug\ayahost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2776
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD541b8b38ff8d1c486e8150f911b74a1ce
SHA12a887055618c96d9d6f15a2198f51a830f20f30e
SHA25641f4c2d14bd0fe753fd26fc8d4b40601c87b7ac1cc8e5bc08aa3cf6c7b51f010
SHA51248d98dad362b0400c1452af55d379e8157077e447fa8b109d44a3b91fd191b39404510e67aa698460ab34b1072e6eba875c0f54af0a0bef553284882e9e70920