Analysis
-
max time kernel
111s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-10-2024 16:55
Static task
static1
Behavioral task
behavioral1
Sample
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe
Resource
win10v2004-20241007-en
General
-
Target
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe
-
Size
74KB
-
MD5
70c95d7fac0eea9b97eb03710113a7d0
-
SHA1
ac76af9bda73c09c30bba4b19a0b25070da08207
-
SHA256
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980
-
SHA512
183ed82cd3a062ac422d2f29f40143f855173d63f5d14181a0100fab149b4daab835a3c663c23aa8103220529fc2aa06550e0ac6d7e823676c615a22f6d4f274
-
SSDEEP
768:bDcpEBlLfQcubgEp1Ayk96XyXuPdtldE9aHNWnnnl000e999vddddIyyyOc:bDcWLfIbgEp10gyXOdtnTHNWnnn6c
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe -
Executes dropped EXE 1 IoCs
Processes:
eiyhost.exepid process 220 eiyhost.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Windows directory 3 IoCs
Processes:
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exeattrib.exedescription ioc process File created C:\Windows\Debug\eiyhost.exe db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe File opened for modification C:\Windows\Debug\eiyhost.exe db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe File opened for modification C:\Windows\Debug\eiyhost.exe attrib.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exeeiyhost.exeattrib.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eiyhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
eiyhost.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 eiyhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz eiyhost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exedescription pid process Token: SeIncBasePriorityPrivilege 3708 db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exedescription pid process target process PID 3708 wrote to memory of 2264 3708 db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe attrib.exe PID 3708 wrote to memory of 2264 3708 db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe attrib.exe PID 3708 wrote to memory of 2264 3708 db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe attrib.exe PID 3708 wrote to memory of 4076 3708 db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe cmd.exe PID 3708 wrote to memory of 4076 3708 db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe cmd.exe PID 3708 wrote to memory of 4076 3708 db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe cmd.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe"C:\Users\Admin\AppData\Local\Temp\db768b4c05c687b3495535ab4865b10e3a3ef43fa6bb27e9d4098c4b8da2e980N.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\attrib.exeattrib +a +s +h +r C:\Windows\Debug\eiyhost.exe2⤵
- Sets file to hidden
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DB768B~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
PID:4076
-
C:\Windows\Debug\eiyhost.exeC:\Windows\Debug\eiyhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:220
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD5aacdba6c449114a483b2b9fbd6ba201c
SHA1f06342c242ce375444aab810574da56bd875745e
SHA256d57b2ed3e76c797ceb19bfc593f7f5df067c332820b89f3c92b243d9224aa0de
SHA5128efd2bd7ca766e74db00bb7e50ce64f2a242e31f104d95b1a761f4df6545435745f1e501456f07034d75b0a7616d35d1b052110571221ad8e9c87050a8b1b837