67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077

General

Target

67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077.exe
Size

167KB
MD5

3192cd0b9c0ffc4275c161adcf991ce8
SHA1

76ba14371142872f251cb94331f1871a5307ba62
SHA256

67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077
SHA512

581b1d40252c06956392ba0f97d43a308cb84289939fac79261fb997b7af20e309382ada2a9a93993f574fab05662d7f211c3250eeb58e09e37b179d3d3a6fb9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

1056 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1004 schtasks.exe
1220 schtasks.exe

pid	process
1056	sihost.exe

pid	process
1004	schtasks.exe
1220	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077.exesihost.exe

description	pid	process	target process
PID 656 wrote to memory of 1004	656	67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077.exe	schtasks.exe
PID 656 wrote to memory of 1004	656	67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077.exe	schtasks.exe
PID 656 wrote to memory of 1004	656	67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077.exe	schtasks.exe
PID 1056 wrote to memory of 1220	1056	sihost.exe	schtasks.exe
PID 1056 wrote to memory of 1220	1056	sihost.exe	schtasks.exe
PID 1056 wrote to memory of 1220	1056	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077.exe
"C:\Users\Admin\AppData\Local\Temp\67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:1004

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:1220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
3192cd0b9c0ffc4275c161adcf991ce8

SHA1
76ba14371142872f251cb94331f1871a5307ba62

SHA256
67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077

SHA512
581b1d40252c06956392ba0f97d43a308cb84289939fac79261fb997b7af20e309382ada2a9a93993f574fab05662d7f211c3250eeb58e09e37b179d3d3a6fb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
3192cd0b9c0ffc4275c161adcf991ce8

SHA1
76ba14371142872f251cb94331f1871a5307ba62

SHA256
67825bbb3619ba21d1ca2831746840f93a62850bab152bc55ce00a34ddba6077

SHA512
581b1d40252c06956392ba0f97d43a308cb84289939fac79261fb997b7af20e309382ada2a9a93993f574fab05662d7f211c3250eeb58e09e37b179d3d3a6fb9

Download Submit
memory/656-114-0x0000000000030000-0x0000000000034000-memory.dmp

Filesize
16KB

Download
memory/656-115-0x0000000000400000-0x0000000002148000-memory.dmp

Filesize
29.3MB

Download
memory/1004-116-0x0000000000000000-mapping.dmp

Download
memory/1056-120-0x0000000000400000-0x0000000002148000-memory.dmp

Filesize
29.3MB

Download
memory/1220-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads