e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2

General

Target

e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe
Size

166KB
MD5

2258afbf2c361317eb951290728fa85d
SHA1

a95bb8b68ffb9d3399ace2e7de22647d2fbe1fb4
SHA256

e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2
SHA512

b67203a1b56376ed53176861055361b338385f2c7775240cb2deb5b6578aec66188c780af8f873513517e38ce9bd2a71f21384e3688c01996e22b07aed8da1a2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

4764 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4676 schtasks.exe
4788 schtasks.exe

pid	process
4764	sihost.exe

pid	process
4676	schtasks.exe
4788	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exesihost.exe

description	pid	process	target process
PID 4656 wrote to memory of 4676	4656	e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe	schtasks.exe
PID 4656 wrote to memory of 4676	4656	e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe	schtasks.exe
PID 4656 wrote to memory of 4676	4656	e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe	schtasks.exe
PID 4764 wrote to memory of 4788	4764	sihost.exe	schtasks.exe
PID 4764 wrote to memory of 4788	4764	sihost.exe	schtasks.exe
PID 4764 wrote to memory of 4788	4764	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe
"C:\Users\Admin\AppData\Local\Temp\e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:4676

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:4788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
2258afbf2c361317eb951290728fa85d

SHA1
a95bb8b68ffb9d3399ace2e7de22647d2fbe1fb4

SHA256
e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2

SHA512
b67203a1b56376ed53176861055361b338385f2c7775240cb2deb5b6578aec66188c780af8f873513517e38ce9bd2a71f21384e3688c01996e22b07aed8da1a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
2258afbf2c361317eb951290728fa85d

SHA1
a95bb8b68ffb9d3399ace2e7de22647d2fbe1fb4

SHA256
e2aa75c5fad7be04eb362e69c04e5cb945aba5cf24319af861ebd5ca2a4f0bf2

SHA512
b67203a1b56376ed53176861055361b338385f2c7775240cb2deb5b6578aec66188c780af8f873513517e38ce9bd2a71f21384e3688c01996e22b07aed8da1a2

Download Submit
memory/4656-116-0x0000000000030000-0x0000000000034000-memory.dmp

Filesize
16KB

Download
memory/4656-117-0x0000000000400000-0x0000000002148000-memory.dmp

Filesize
29.3MB

Download
memory/4676-115-0x0000000000000000-mapping.dmp

Download
memory/4764-121-0x0000000000400000-0x0000000002148000-memory.dmp

Filesize
29.3MB

Download
memory/4788-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads