Analysis Overview
SHA256
a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59f
Threat Level: Shows suspicious behavior
The file a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Checks computer location settings
Indicator Removal: File Deletion
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 14:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 14:35
Reported
2024-10-30 14:37
Platform
win7-20241023-en
Max time kernel
110s
Max time network
100s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\ayahost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\ayahost.exe | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
| File opened for modification | C:\Windows\Debug\ayahost.exe | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\ayahost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\ayahost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\ayahost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1776 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1776 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1776 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1776 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
"C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe"
C:\Windows\Debug\ayahost.exe
C:\Windows\Debug\ayahost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A93EDF~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.47.188:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | gS7oiNFWPX.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | GeozTLiedl.nnnn.eu.org | udp |
Files
C:\Windows\debug\ayahost.exe
| MD5 | a12d17bd768d5fc65020009c1ecc2551 |
| SHA1 | 920a51983e8c94ab6b61f0fc05ef35ee7b75f4b2 |
| SHA256 | fb2343aea644efcc372f640d5a262995332e8712284a68263474d9ef45c07b97 |
| SHA512 | 228ad2b15e7fbc6eaf01a07958466c4248ad232313854355da09a21f59048311ed0ccd204ea2daf9b0fe1b03af188c8bc110ee1300e6c44956f16c37bdb9e5d8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 14:35
Reported
2024-10-30 14:37
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
110s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\dcihost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\dcihost.exe | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
| File opened for modification | C:\Windows\Debug\dcihost.exe | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Debug\dcihost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\dcihost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\dcihost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4856 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4856 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4856 wrote to memory of 4800 | N/A | C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe
"C:\Users\Admin\AppData\Local\Temp\a93edf36ef25a61c0a99b157304430622b69a0182ae853dab26ca2fdc14ee59fN.exe"
C:\Windows\Debug\dcihost.exe
C:\Windows\Debug\dcihost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A93EDF~1.EXE > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.47.188:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.47.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | T28sm2RNf.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65RfuL7Iij.nnnn.eu.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Windows\Debug\dcihost.exe
| MD5 | 93f76f717b5ee4130ba116057725842e |
| SHA1 | d638b4f3febcc50af41ad91f4abae33d924ceae6 |
| SHA256 | dc85a01981943b445b3af06e99d533aa50f4de395c85157e50c38befdc23412e |
| SHA512 | 128bb8246f6eaff59665f97a8302b5e7748a34112989a2f8d9d102bcec03a149da30e70ac73c5ad11290594dbce8de0cf4f5d00b94bbf526cc4cf2c19119386d |