Analysis
- max time kernel: 80s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 07:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe
  - Resource: win10-en
General
- Target: e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe
- Size: 166KB
- MD5: 2258afbf2c361317eb951290728fa85d
- SHA1: a95bb8b68ffb9d3399ace2e7de22647d2fbe1fb4
- SHA256: e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2
- SHA512: b67203a1b56376ed53176861055361b338385f2c7775240cb2deb5b6578aec66188c780af8f873513517e38ce9bd2a71f21384e3688c01996e22b07aed8da1a2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: sihost.exe (PID 4764)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 4676), schtasks.exe (PID 4788)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source PID, source process -> target PID, target process):
  - 4656 e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe wrote to memory of 4676 schtasks.exe
  - 4656 e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe wrote to memory of 4676 schtasks.exe
  - 4656 e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe wrote to memory of 4676 schtasks.exe
  - 4764 sihost.exe wrote to memory of 4788 schtasks.exe
  - 4764 sihost.exe wrote to memory of 4788 schtasks.exe
  - 4764 sihost.exe wrote to memory of 4788 schtasks.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: 2258afbf2c361317eb951290728fa85d
  SHA1: a95bb8b68ffb9d3399ace2e7de22647d2fbe1fb4
  SHA256: e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2
  SHA512: b67203a1b56376ed53176861055361b338385f2c7775240cb2deb5b6578aec66188c780af8f873513517e38ce9bd2a71f21384e3688c01996e22b07aed8da1a2
- memory/4656-116-0x0000000000030000-0x0000000000034000-memory.dmp
  Filesize: 16KB
- memory/4656-117-0x0000000000400000-0x0000000002148000-memory.dmp
  Filesize: 29.3MB
- memory/4676-115-0x0000000000000000-mapping.dmp
- memory/4764-121-0x0000000000400000-0x0000000002148000-memory.dmp
  Filesize: 29.3MB
- memory/4788-120-0x0000000000000000-mapping.dmp