ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14b

Analysis

max time kernel
110s
max time network
93s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 15:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe
Size

57KB
MD5

a50f84553d56ae0f304b1457d324bab0
SHA1

579b19837ef28ec09dea1999928f6cc878d632c6
SHA256

ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14b
SHA512

7d27cc84d18a7fb21d0d07379092a71aa593e91ef6156589bd2f60de459d79b8ecd32ecb56ae4687a634f8c69876b0cd55151202352881473f779cbe398436d6
SSDEEP

1536:hvQoLHjw2iWPKMvw71/RLyX3NvvvZeee5LttttU:hv5Ls27BIJ/RLyX3HeeeRttttU

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1924	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2404	ayahost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\ayahost.exe	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe
File opened for modification	C:\Windows\Debug\ayahost.exe	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayahost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ayahost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ayahost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1680	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1924	1680	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe	31
PID 1680 wrote to memory of 1924	1680	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe	31
PID 1680 wrote to memory of 1924	1680	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe	31
PID 1680 wrote to memory of 1924	1680	ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe	31

C:\Users\Admin\AppData\Local\Temp\ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe
"C:\Users\Admin\AppData\Local\Temp\ba0dfee31b6acf609d0d8b74bd9af20ede43bdf0f44b0b6d9b1a486f838de14bN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BA0DFE~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1924

C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\ayahost.exe

Filesize
57KB

MD5
766c838c8b8ed9c14dd22923ba02b9de

SHA1
b49e47fef1a891279070153baf03a80881c0e134

SHA256
84b6cebb57a08466de36a34e16d235fd70f814ff5ddadf657558045073e80a96

SHA512
aee4feca191701f9ad2e21b1ee0cef4a6fe95df183b5dec52d051bbe4630d384e275b16dd1d8af1067b48b70c21ad3548864f571ebfa788783490ccacf03111e

Download Submit