Malware Analysis Report

2025-08-10 16:40

Sample ID: 241030-rxzxwswrgn
Target: a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN
SHA256: a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59f
Tags: defense_evasion, discovery
Score: 7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1 (Detonation Overview, Signatures)
  Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10
SHA256: a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59f
Threat level: shows suspicious behavior

The file a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN was classified as showing suspicious behavior. In both dynamic runs it is an unsigned PE that writes a second executable into C:\Windows\Debug, runs it, and then removes its own original image by spawning cmd.exe with a "del" command.

Malicious Activity Summary

Tags: defense_evasion, discovery

  Deletes itself
  Executes dropped EXE
  Checks computer location settings
  Indicator Removal: File Deletion
  Drops file in Windows directory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Unsigned PE
  Checks processor information in registry
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

Note that "Suspicious use of WriteProcessMemory" appears only in this summary; neither per-run signature table below lists it, and "Enumerates physical storage devices" is listed in both runs without any indicator rows. Treat those two as unsupported by the detail in this report.

MITRE ATT&CK (Enterprise Matrix V15)

  Defense Evasion: Indicator Removal: File Deletion (T1070.004)
  Discovery: System Location Discovery: System Language Discovery (T1614.001)

Analysis: static1

Detonation Overview

Reported: 2024-10-30 14:35

Signatures

Unsigned PE
  The sample carries no Authenticode signature. No indicator rows.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-30 14:35
Reported: 2024-10-30 14:37
Platform: win7-20241023-en
Max time kernel: 110s
Max time network: 100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe"

Signatures

Deletes itself
  Process: C:\Windows\SysWOW64\cmd.exe

Executes dropped EXE
  Process: C:\Windows\Debug\ayahost.exe

Indicator Removal: File Deletion (defense_evasion)
  No indicator rows; the evidence is the cmd.exe "del" command line listed under Processes.

Drops file in Windows directory
  File created: C:\Windows\Debug\ayahost.exe
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
  File opened for modification: C:\Windows\Debug\ayahost.exe
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe

Enumerates physical storage devices
  No indicator rows.

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by C:\Windows\SysWOW64\cmd.exe
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
    by C:\Windows\Debug\ayahost.exe
  Ordinary locale initialisation reads this key as well (cmd.exe's hit is expected), so this signature is a weak signal on its own.

Checks processor information in registry
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    by C:\Windows\Debug\ayahost.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    by C:\Windows\Debug\ayahost.exe
  The ~MHz value is a common input to VM and sandbox checks, but the report shows no behaviour conditional on it.

Suspicious use of AdjustPrivilegeToken
  Token: SeIncBasePriorityPrivilege
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
  "C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe"

C:\Windows\Debug\ayahost.exe
  C:\Windows\Debug\ayahost.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A93EDF~1.EXE > nul

The command line names system32 while the process image is SysWOW64: the sample is 32-bit and its CreateProcess call is subject to WoW64 file-system redirection. The delete refers to the sample's own image by its 8.3 short name (A93EDF~1.EXE) with output sent to nul, which is the usual self-removal idiom; a detection that compares the deleted path literally against the parent's image path will miss it.
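The self-deletion and drop-and-execute pair above are simple to describe but slightly fiddly to detect, because the delete command names the sample by its 8.3 short name rather than by the path recorded in the process-creation event. The following Python is an added example written for this page, not sandbox output or any tool's code: it replays constructed process and file events modelled on the list above and flags both behaviours. The event field names, the parent of the first process (explorer.exe) and the 8.3 matching rule are assumptions, the last being an approximation of how Windows forms short names.

```python
"""Detection logic for the two behaviours in the process list: a dropped
executable run from the Windows debug directory, and cmd.exe deleting the
sample's own image by its 8.3 short name.  Added example; the events below
are constructed to mirror the report, not real log records."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    """Process-creation record (Sysmon event 1 style field names, assumed)."""
    image: str
    cmdline: str
    parent_image: str


@dataclass
class FileEvent:
    """File record: which process created or modified which path."""
    action: str      # 'created' or 'modified'
    target: str
    process: str


# "del [/f /q] <path> [> nul]": capture the path argument, stop at a redirect.
_DEL_RE = re.compile(r'\bdel\b\s+(?:/[a-z]\s+)*"?([^">]+?)"?\s*(?:>|$)', re.I)
# DOS 8.3 short name: up to six stem characters, ~N, optional 3-char extension.
_SHORT_RE = re.compile(r'^([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?$')


def _split(path: str):
    """(lower-cased directory, basename) with surrounding quotes stripped."""
    p = path.strip('"').replace('/', '\\')
    d, _, b = p.rpartition('\\')
    return d.lower(), b


def short_name_matches(long_name: str, short_name: str) -> bool:
    """Heuristic test that short_name (e.g. A93EDF~1.EXE) can refer to long_name.
    Windows forms the short stem from the first six characters of the long stem
    (spaces and dots removed, upper-cased) followed by ~N, and keeps the first
    three extension characters.  Crowded directories may get a hashed stem
    instead, so this approximates the rule rather than reimplementing it."""
    m = _SHORT_RE.match(short_name.upper())
    if not m:
        return False
    prefix, ext3 = m.group(1), m.group(2) or ''
    stem, dot, ext = long_name.rpartition('.')
    if not dot:
        stem, ext = long_name, ''
    norm_stem = re.sub(r'[ .]', '', stem).upper()
    return norm_stem.startswith(prefix) and ext.upper()[:3] == ext3


def self_delete_target(ev: ProcEvent) -> Optional[str]:
    """Return the deleted path if ev is cmd.exe removing its parent's own image
    (exact name or 8.3 form, so the report's A93EDF~1.EXE is caught), else None."""
    if _split(ev.image)[1].lower() != 'cmd.exe':
        return None
    m = _DEL_RE.search(ev.cmdline)
    if not m:
        return None
    target = m.group(1).strip()
    t_dir, t_base = _split(target)
    p_dir, p_base = _split(ev.parent_image)
    if t_dir != p_dir:
        return None
    if t_base.lower() == p_base.lower() or short_name_matches(p_base, t_base):
        return target
    return None


def dropped_and_executed(files: List[FileEvent], procs: List[ProcEvent]) -> List[str]:
    """Files created under the Windows directory by a process running from
    outside it that later appear as a process image ('Drops file in Windows
    directory' followed by 'Executes dropped EXE')."""
    dropped = {f.target.lower() for f in files
               if f.action == 'created'
               and f.target.lower().startswith('c:\\windows\\')
               and not f.process.lower().startswith('c:\\windows\\')}
    return sorted(p.image for p in procs if p.image.lower() in dropped)


def triage(procs: List[ProcEvent], files: List[FileEvent]) -> dict:
    deletes = []
    for ev in procs:
        t = self_delete_target(ev)
        if t:
            deletes.append(t)
    return {'self_delete': deletes,
            'dropped_and_executed': dropped_and_executed(files, procs)}


# Constructed events mirroring the behavioral1 process list.
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe'
DROPPED = r'C:\Windows\Debug\ayahost.exe'
PROC_EVENTS = [
    # The sample's parent is not in the report; explorer.exe is assumed.
    ProcEvent(SAMPLE, f'"{SAMPLE}"', r'C:\Windows\explorer.exe'),
    ProcEvent(DROPPED, DROPPED, SAMPLE),
    # Image is SysWOW64 although the command line says system32: the 32-bit
    # sample reaches cmd.exe through WoW64 file-system redirection.
    ProcEvent(r'C:\Windows\SysWOW64\cmd.exe',
              r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A93EDF~1.EXE > nul',
              SAMPLE),
]
FILE_EVENTS = [FileEvent('created', DROPPED, SAMPLE),
               FileEvent('modified', DROPPED, SAMPLE)]

if __name__ == '__main__':
    print(triage(PROC_EVENTS, FILE_EVENTS))
```

Matching on the parent's directory plus an 8.3-aware basename comparison is what makes the rule fire here; the same rule ignores a cmd.exe deleting an unrelated file in another directory.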

Network

Country  Destination         Domain                   Proto
US       8.8.8.8:53          www.baidu.com            udp
HK       103.235.47.188:80   www.baidu.com            tcp
US       8.8.8.8:53          gS7oiNFWPX.nnnn.eu.org   udp
US       8.8.8.8:53          GeozTLiedl.nnnn.eu.org   udp

Only DNS queries are recorded for the two nnnn.eu.org names; no TCP connection to a resolved address follows, so either the names did not resolve in the sandbox or the next stage did not fire within the 100 s network window. The leftmost labels are random-looking and differ from those queried in behavioral2.

Files

C:\Windows\debug\ayahost.exe
  MD5:    a12d17bd768d5fc65020009c1ecc2551
  SHA1:   920a51983e8c94ab6b61f0fc05ef35ee7b75f4b2
  SHA256: fb2343aea644efcc372f640d5a262995332e8712284a68263474d9ef45c07b97
  SHA512: 228ad2b15e7fbc6eaf01a07958466c4248ad232313854355da09a21f59048311ed0ccd204ea2daf9b0fe1b03af188c8bc110ee1300e6c44956f16c37bdb9e5d8

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-30 14:35
Reported: 2024-10-30 14:37
Platform: win10v2004-20241007-en
Max time kernel: 111s
Max time network: 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe"

Signatures

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
  Not observed in the Windows 7 run.

Executes dropped EXE
  Process: C:\Windows\Debug\dcihost.exe

Indicator Removal: File Deletion (defense_evasion)
  No indicator rows; the evidence is the cmd.exe "del" command line listed under Processes.

Drops file in Windows directory
  File created: C:\Windows\Debug\dcihost.exe
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
  File opened for modification: C:\Windows\Debug\dcihost.exe
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe

Enumerates physical storage devices
  No indicator rows.

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
    by C:\Windows\Debug\dcihost.exe
    by C:\Windows\SysWOW64\cmd.exe
  As in behavioral1, ordinary locale initialisation reads this key, so it is a weak signal on its own.

Checks processor information in registry
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    by C:\Windows\Debug\dcihost.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    by C:\Windows\Debug\dcihost.exe

Suspicious use of AdjustPrivilegeToken
  Token: SeIncBasePriorityPrivilege
    by C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
  "C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe"

C:\Windows\Debug\dcihost.exe
  C:\Windows\Debug\dcihost.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A93EDF~1.EXE > nul

The same drop-run-delete sequence as on Windows 7, with the dropped executable named dcihost.exe in this run; the self-delete again uses the sample's 8.3 short name.

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           www.baidu.com                   udp
HK       103.235.47.188:80    www.baidu.com                   tcp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa      udp
US       8.8.8.8:53           188.47.235.103.in-addr.arpa     udp
US       8.8.8.8:53           79.190.18.2.in-addr.arpa        udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53           209.205.72.20.in-addr.arpa      udp
US       8.8.8.8:53           197.87.175.4.in-addr.arpa       udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           69.190.18.2.in-addr.arpa        udp
US       8.8.8.8:53           T28sm2RNf.nnnn.eu.org           udp
US       8.8.8.8:53           77.190.18.2.in-addr.arpa        udp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53           48.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53           65RfuL7Iij.nnnn.eu.org          udp
US       8.8.8.8:53           tse1.mm.bing.net                udp
US       150.171.28.10:443    tse1.mm.bing.net                tcp (5 connections)
US       8.8.8.8:53           57.169.31.20.in-addr.arpa       udp
US       8.8.8.8:53           10.28.171.150.in-addr.arpa      udp

The table has no process column, so attribution is by pattern. The tse1.mm.bing.net traffic is routine Windows 10 background in a sandbox, and the in-addr.arpa (reverse) lookups are mostly of Microsoft address space; two of them (188.47.235.103 and 10.28.171.150) reverse the addresses contacted for www.baidu.com and tse1.mm.bing.net, which is consistent with reverse-lookup instrumentation rather than with sample activity, though the report cannot settle that. As in behavioral1, the nnnn.eu.org names are queried but never connected to, and the leftmost labels (T28sm2RNf, 65RfuL7Iij) differ from the Windows 7 run's (gS7oiNFWPX, GeozTLiedl), so the stable indicator is the nnnn.eu.org zone rather than any individual hostname.
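Sorting the network rows of both runs into background noise, reverse lookups and the random-label queries is a repeatable step, and the leftmost labels differ per run while the parent zone stays the same. The Python below is an added example written for this page, not part of the report or of any sandbox's code: it parses rows in the table's own "Country Destination Domain Proto" layout, suppresses reverse lookups and a short list of background hosts (that list is an analyst assumption), flags random-looking leftmost labels with a simple length, entropy and character-mix heuristic (also an assumption, not a classifier), and groups the survivors by parent zone while recording whether any non-DNS connection was ever made for that zone. The embedded rows are a constructed subset of the two tables.

```python
"""Triage of a sandbox network table: separate reverse-DNS and OS background
traffic from the queries the sample itself likely made, and flag random-looking
hostname labels.  Added example; the suppression list and the randomness
heuristic are analyst assumptions, and the rows are a constructed subset."""
import math
from collections import Counter, defaultdict

# Constructed subset of the report's network tables, in their own row layout.
NETWORK_ROWS = """\
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.47.188:80 www.baidu.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 T28sm2RNf.nnnn.eu.org udp
US 8.8.8.8:53 65RfuL7Iij.nnnn.eu.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 gS7oiNFWPX.nnnn.eu.org udp
"""

# Hosts the analyst treats as Windows/sandbox background noise (assumption).
BACKGROUND_SUFFIXES = ('.bing.net',)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' lines into dicts; skip others."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(':')
        rows.append({'country': country, 'ip': host, 'port': int(port),
                     'domain': domain, 'proto': proto.lower()})
    return rows


def shannon_entropy(s):
    """Bits per character of s (0 for the empty string)."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(label):
    """Heuristic for machine-generated labels: long, fairly high entropy, and
    mixing letter case or mixing digits with letters, which human-chosen
    hostnames rarely do.  Expect false positives on CDN-style names."""
    if len(label) < 8 or shannon_entropy(label) < 2.5:
        return False
    mixed_case = label.lower() != label and label.upper() != label
    alnum_mix = any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label)
    return mixed_case or alnum_mix


def classify(rows):
    """Bucket each row by what its domain most likely represents."""
    out = {'ptr_noise': [], 'background': [], 'suspect': [], 'other': []}
    for r in rows:
        d = r['domain']
        if d.endswith('.in-addr.arpa') or d.endswith('.ip6.arpa'):
            out['ptr_noise'].append(d)
        elif d.endswith(BACKGROUND_SUFFIXES):
            out['background'].append(d)
        elif looks_random(d.split('.', 1)[0]):
            out['suspect'].append(d)
        else:
            out['other'].append(d)
    return out


def suspect_zones(rows):
    """Group suspect queries by parent zone: the zone, not the per-run label, is
    the stable indicator.  Also records any connection to a non-resolver port
    for that zone, so an analyst can see at once whether a name ever resolved
    and was used (none does in the report)."""
    zones = defaultdict(lambda: {'labels': set(), 'connections': []})
    for r in rows:
        label, _, parent = r['domain'].partition('.')
        if r['domain'].endswith('.arpa') or not looks_random(label):
            continue
        zones[parent]['labels'].add(label)
        if r['port'] != 53:
            zones[parent]['connections'].append((r['ip'], r['port'], r['proto']))
    return {z: {'labels': sorted(v['labels']), 'connections': v['connections']}
            for z, v in zones.items()}


if __name__ == '__main__':
    rows = parse_rows(NETWORK_ROWS)
    print(classify(rows))
    print(suspect_zones(rows))
```

The output for this report reduces to one zone, nnnn.eu.org, with three distinct labels across the two runs and an empty connection list, which is the honest summary of what the sandbox saw: lookups, no contact.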

Files

C:\Windows\Debug\dcihost.exe
  MD5:    93f76f717b5ee4130ba116057725842e
  SHA1:   d638b4f3febcc50af41ad91f4abae33d924ceae6
  SHA256: dc85a01981943b445b3af06e99d533aa50f4de395c85157e50c38befdc23412e
  SHA512: 128bb8246f6eaff59665f97a8302b5e7748a34112989a2f8d9d102bcec03a149da30e70ac73c5ad11290594dbce8de0cf4f5d00b94bbf526cc4cf2c19119386d

The dropped executable differs between the two runs in both name (ayahost.exe on Windows 7, dcihost.exe on Windows 10) and every hash, so neither the dropped file's name nor its hash is a reliable indicator on its own; the drop location C:\Windows\Debug\, the drop-run-delete sequence and the nnnn.eu.org DNS queries are the consistent artefacts.