Overview

overview

10

Static

static

taskhost.exe

windows7_x64

10

taskhost.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    07-05-2021 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskhost.exe

  • Size

    2.8MB

  • MD5

    4d07687083cbaa9c4f9ed49ce324a74b

  • SHA1

    b56252678f52db028b3731de9940bffe4d666fcc

  • SHA256

    fd262d6c99b548dc34af6c75ec941894432781cbd760e8213be95ce65f1a7bba

  • SHA512

    07962b7d646a6e2d8c570da102a1bbd960c81df22c5681b39c49b307a9cf2a4dfea8e607f5be40c43a5828ba15d1c4ada76ebc95d0f6d540e2d0b86a32d41ba7

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 17 IoCs
  • Program crash 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
        3⤵
          PID:1524
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1524 -s 180
            4⤵
            • Program crash
            PID:2356
        • C:\Windows\notepad.exe
          "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
          3⤵
            PID:3176
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3176 -s 180
              4⤵
              • Program crash
              PID:3928
          • C:\Windows\notepad.exe
            "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
            3⤵
              PID:3856
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3856 -s 180
                4⤵
                • Program crash
                PID:684
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3172
              • C:\Windows\SysWOW64\wscript.exe
                WScript "C:\ProgramData\lSuRugDFHR\r.vbs"
                4⤵
                • Drops startup file
                PID:1160
            • C:\Windows\notepad.exe
              "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
              3⤵
                PID:1808
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 1808 -s 180
                  4⤵
                  • Program crash
                  PID:2812
              • C:\Windows\notepad.exe
                "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                3⤵
                  PID:1456
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 1456 -s 180
                    4⤵
                    • Program crash
                    PID:3792
                • C:\Windows\notepad.exe
                  "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                  3⤵
                    PID:3968
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 3968 -s 112
                      4⤵
                      • Program crash
                      PID:2148
                  • C:\Windows\notepad.exe
                    "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                    3⤵
                      PID:1860
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -u -p 1860 -s 180
                        4⤵
                        • Program crash
                        PID:8
                    • C:\Windows\notepad.exe
                      "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                      3⤵
                        PID:4088
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -u -p 4088 -s 180
                          4⤵
                          • Program crash
                          PID:3952
                      • C:\Windows\notepad.exe
                        "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                        3⤵
                          PID:3864
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 3864 -s 180
                            4⤵
                            • Program crash
                            PID:664
                        • C:\Windows\notepad.exe
                          "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                          3⤵
                            PID:3856
                            • C:\Windows\system32\WerFault.exe
                              C:\Windows\system32\WerFault.exe -u -p 3856 -s 180
                              4⤵
                              • Program crash
                              PID:2228
                          • C:\Windows\notepad.exe
                            "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                            3⤵
                              PID:2204
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 2204 -s 212
                                4⤵
                                • Program crash
                                PID:1368
                            • C:\Windows\notepad.exe
                              "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                              3⤵
                                PID:1160
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -u -p 1160 -s 180
                                  4⤵
                                  • Program crash
                                  PID:2496
                              • C:\Windows\notepad.exe
                                "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                3⤵
                                  PID:984
                                  • C:\Windows\system32\WerFault.exe
                                    C:\Windows\system32\WerFault.exe -u -p 984 -s 180
                                    4⤵
                                    • Program crash
                                    PID:2384
                                • C:\Windows\notepad.exe
                                  "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                  3⤵
                                    PID:3992
                                    • C:\Windows\system32\WerFault.exe
                                      C:\Windows\system32\WerFault.exe -u -p 3992 -s 180
                                      4⤵
                                      • Program crash
                                      PID:2768
                                  • C:\Windows\notepad.exe
                                    "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                    3⤵
                                      PID:700
                                      • C:\Windows\system32\WerFault.exe
                                        C:\Windows\system32\WerFault.exe -u -p 700 -s 180
                                        4⤵
                                        • Program crash
                                        PID:1628
                                    • C:\Windows\notepad.exe
                                      "C:\Windows\notepad.exe" -c "C:\ProgramData\lSuRugDFHR\cfgi"
                                      3⤵
                                        PID:2164
                                        • C:\Windows\system32\WerFault.exe
                                          C:\Windows\system32\WerFault.exe -u -p 2164 -s 180
                                          4⤵
                                          • Program crash
                                          PID:2148

                                  Network

                                  MITRE ATT&CK Matrix

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\ProgramData\lSuRugDFHR\r.vbs
                                    MD5

                                    aaeac492102e79fb3268ee27bbb46cac

                                    SHA1

                                    240f554c3ea020167019406c36e06a68c4cc1b63

                                    SHA256

                                    2c914731f4e36b3601bc30706bb1a2339a1970af9d87630886208a1ebef04fb4

                                    SHA512

                                    1b4c3a755fc84d26a60dce9ac6a112de999d3c17fd48ec749d6003496753c7eb2e037f57885bf810f2ecb0e18b00ca0da49ae7b19f337d50e3a5aa7b2de462a5

                                    Download Submit
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UkeplxjeiD.url
                                    MD5

                                    35015db45f574eb0c6202efeef2c0dcc

                                    SHA1

                                    6fcd6a0cc15a21477bf99f05add9015eb7e11aa6

                                    SHA256

                                    e43d7feb7648b9b5ee2bed19aeb990818429580dfd731106f25caade1f485f5e

                                    SHA512

                                    d145ec6ee6ce970dc4397305fe4f5ee7addf2e43b0e10b6f3e87eb56fc5cce603e2b2ad6c534dda082e756e423cb79e0a96564df86ecf86ebe464f40fb891612

                                    Download Submit
                                  • memory/700-195-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/984-185-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1160-135-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1160-180-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1456-145-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1524-121-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1524-120-0x0000000000400000-0x0000000000A16000-memory.dmp
                                    Filesize

                                    6.1MB

                                    Download
                                  • memory/1524-119-0x0000000000400000-0x0000000000A16000-memory.dmp
                                    Filesize

                                    6.1MB

                                    Download
                                  • memory/1808-140-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/1860-155-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/2164-199-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/2204-175-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3172-134-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3176-126-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3280-116-0x0000000000400000-0x00000000005D4000-memory.dmp
                                    Filesize

                                    1.8MB

                                    Download
                                  • memory/3280-118-0x0000000000400000-0x00000000005D4000-memory.dmp
                                    Filesize

                                    1.8MB

                                    Download
                                  • memory/3280-117-0x0000000000404470-mapping.dmp
                                    Download
                                  • memory/3856-168-0x0000000000400000-0x0000000000400138-memory.dmp
                                    Filesize

                                    312B

                                    Download
                                  • memory/3856-170-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3856-131-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3864-165-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3968-150-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/3992-190-0x0000000000A14AA0-mapping.dmp
                                    Download
                                  • memory/4088-160-0x0000000000A14AA0-mapping.dmp
                                    Download