Overview

overview

10

Static

static

taskhost.exe

windows7_x64

10

taskhost.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 11:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskhost.exe

  • Size

    2.8MB

  • MD5

    7f6b8e103f0a42615d90a2b7ad862135

  • SHA1

    095d2bef8afc9a657cb0dfbe9e95ae467a7364d0

  • SHA256

    51edeab1acc8739d6e419b59c1ea6c1e1a8e783d1a3852729b35781ddb008639

  • SHA512

    b058baa67cce6631bb4937b8df81ac42fbe2955c1c43723b136a74378dece449dcd50d0c7ea3d2b9817939e1126767c3935d12dde7863edcb66d1bd56675ca83

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 17 IoCs
  • Program crash 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
        3⤵
          PID:3260
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 3260 -s 180
            4⤵
            • Program crash
            PID:3704
        • C:\Windows\notepad.exe
          "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
          3⤵
            PID:1580
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 1580 -s 180
              4⤵
              • Program crash
              PID:3948
          • C:\Windows\notepad.exe
            "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
            3⤵
              PID:2160
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2160 -s 180
                4⤵
                • Program crash
                PID:2584
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4060
              • C:\Windows\SysWOW64\wscript.exe
                WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
                4⤵
                • Drops startup file
                PID:1928
            • C:\Windows\notepad.exe
              "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
              3⤵
                PID:3376
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 3376 -s 180
                  4⤵
                  • Program crash
                  PID:2868
              • C:\Windows\notepad.exe
                "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                3⤵
                  PID:4040
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 4040 -s 180
                    4⤵
                    • Program crash
                    PID:1316
                • C:\Windows\notepad.exe
                  "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                  3⤵
                    PID:900
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 900 -s 112
                      4⤵
                      • Program crash
                      PID:4016
                  • C:\Windows\notepad.exe
                    "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                    3⤵
                      PID:1448
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -u -p 1448 -s 180
                        4⤵
                        • Program crash
                        PID:416
                    • C:\Windows\notepad.exe
                      "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                      3⤵
                        PID:3368
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -u -p 3368 -s 180
                          4⤵
                          • Program crash
                          PID:2656
                      • C:\Windows\notepad.exe
                        "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                        3⤵
                          PID:2420
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 2420 -s 180
                            4⤵
                            • Program crash
                            PID:2148
                        • C:\Windows\notepad.exe
                          "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                          3⤵
                            PID:3700
                            • C:\Windows\system32\WerFault.exe
                              C:\Windows\system32\WerFault.exe -u -p 3700 -s 180
                              4⤵
                              • Program crash
                              PID:3340
                          • C:\Windows\notepad.exe
                            "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                            3⤵
                              PID:3752
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 3752 -s 180
                                4⤵
                                • Program crash
                                PID:3556
                            • C:\Windows\notepad.exe
                              "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                              3⤵
                                PID:3600
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -u -p 3600 -s 180
                                  4⤵
                                  • Program crash
                                  PID:1392
                              • C:\Windows\notepad.exe
                                "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                3⤵
                                  PID:2244
                                  • C:\Windows\system32\WerFault.exe
                                    C:\Windows\system32\WerFault.exe -u -p 2244 -s 180
                                    4⤵
                                    • Program crash
                                    PID:3440
                                • C:\Windows\notepad.exe
                                  "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                  3⤵
                                    PID:3120
                                    • C:\Windows\system32\WerFault.exe
                                      C:\Windows\system32\WerFault.exe -u -p 3120 -s 180
                                      4⤵
                                      • Program crash
                                      PID:1952
                                  • C:\Windows\notepad.exe
                                    "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                    3⤵
                                      PID:2100
                                      • C:\Windows\system32\WerFault.exe
                                        C:\Windows\system32\WerFault.exe -u -p 2100 -s 180
                                        4⤵
                                        • Program crash
                                        PID:1112
                                    • C:\Windows\notepad.exe
                                      "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                      3⤵
                                        PID:200
                                        • C:\Windows\system32\WerFault.exe
                                          C:\Windows\system32\WerFault.exe -u -p 200 -s 180
                                          4⤵
                                          • Program crash
                                          PID:1516

                                  Network

                                  MITRE ATT&CK Matrix

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\ProgramData\lSuRugDFHR\r.vbs
                                    MD5

                                    aaeac492102e79fb3268ee27bbb46cac

                                    SHA1

                                    240f554c3ea020167019406c36e06a68c4cc1b63

                                    SHA256

                                    2c914731f4e36b3601bc30706bb1a2339a1970af9d87630886208a1ebef04fb4

                                    SHA512

                                    1b4c3a755fc84d26a60dce9ac6a112de999d3c17fd48ec749d6003496753c7eb2e037f57885bf810f2ecb0e18b00ca0da49ae7b19f337d50e3a5aa7b2de462a5

                                    Download Submit
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UkeplxjeiD.url
                                    MD5

                                    35015db45f574eb0c6202efeef2c0dcc

                                    SHA1

                                    6fcd6a0cc15a21477bf99f05add9015eb7e11aa6

                                    SHA256

                                    e43d7feb7648b9b5ee2bed19aeb990818429580dfd731106f25caade1f485f5e

                                    SHA512

                                    d145ec6ee6ce970dc4397305fe4f5ee7addf2e43b0e10b6f3e87eb56fc5cce603e2b2ad6c534dda082e756e423cb79e0a96564df86ecf86ebe464f40fb891612

                                    Download Submit
                                  • memory/200-200-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/900-151-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1448-156-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1580-126-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1928-135-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2100-196-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/2160-131-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/2244-186-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/2420-166-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/2528-118-0x0000000000400000-0x00000000005D4000-memory.dmp
                                    Filesize

                                    1.8MB

                                    Download
                                  • memory/2528-117-0x0000000000404470-mapping.dmp
                                    Download
                                  • memory/2528-116-0x0000000000400000-0x00000000005D4000-memory.dmp
                                    Filesize

                                    1.8MB

                                    Download
                                  • memory/3120-191-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3260-120-0x0000000000400000-0x0000000000A16000-memory.dmp
                                    Filesize

                                    6.1MB

                                    Download
                                  • memory/3260-119-0x0000000000400000-0x0000000000A16000-memory.dmp
                                    Filesize

                                    6.1MB

                                    Download
                                  • memory/3260-121-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3368-161-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3376-141-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3600-181-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3700-171-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3752-176-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/4040-146-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/4060-137-0x0000000003770000-0x0000000003944000-memory.dmp
                                    Filesize

                                    1.8MB

                                    Download
                                  • memory/4060-134-0x0000000000000000-mapping.dmp
                                    Download