034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

General

Target

b3e2b5afa14c74d2b35c893b4b51e4cc.exe
Size

124KB
MD5

b3e2b5afa14c74d2b35c893b4b51e4cc
SHA1

d649ceb434bbd2cd8c3b226d0235f0dc60967ba8
SHA256

034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e
SHA512

f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

1032 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1480 schtasks.exe
896 schtasks.exe

pid	process
1032	sihost.exe

pid	process
1480	schtasks.exe
896	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b3e2b5afa14c74d2b35c893b4b51e4cc.exetaskeng.exesihost.exe

description	pid	process	target process
PID 612 wrote to memory of 1480	612	b3e2b5afa14c74d2b35c893b4b51e4cc.exe	schtasks.exe
PID 612 wrote to memory of 1480	612	b3e2b5afa14c74d2b35c893b4b51e4cc.exe	schtasks.exe
PID 612 wrote to memory of 1480	612	b3e2b5afa14c74d2b35c893b4b51e4cc.exe	schtasks.exe
PID 612 wrote to memory of 1480	612	b3e2b5afa14c74d2b35c893b4b51e4cc.exe	schtasks.exe
PID 960 wrote to memory of 1032	960	taskeng.exe	sihost.exe
PID 960 wrote to memory of 1032	960	taskeng.exe	sihost.exe
PID 960 wrote to memory of 1032	960	taskeng.exe	sihost.exe
PID 960 wrote to memory of 1032	960	taskeng.exe	sihost.exe
PID 1032 wrote to memory of 896	1032	sihost.exe	schtasks.exe
PID 1032 wrote to memory of 896	1032	sihost.exe	schtasks.exe
PID 1032 wrote to memory of 896	1032	sihost.exe	schtasks.exe
PID 1032 wrote to memory of 896	1032	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b3e2b5afa14c74d2b35c893b4b51e4cc.exe
"C:\Users\Admin\AppData\Local\Temp\b3e2b5afa14c74d2b35c893b4b51e4cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:612
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1480

C:\Windows\system32\taskeng.exe
taskeng.exe {0138727C-D0AF-4E63-9F0B-0F816D9D871D} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

MD5
b3e2b5afa14c74d2b35c893b4b51e4cc

SHA1
d649ceb434bbd2cd8c3b226d0235f0dc60967ba8

SHA256
034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

SHA512
f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

MD5
b3e2b5afa14c74d2b35c893b4b51e4cc

SHA1
d649ceb434bbd2cd8c3b226d0235f0dc60967ba8

SHA256
034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

SHA512
f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Download Submit
memory/612-54-0x0000000075651000-0x0000000075653000-memory.dmp

Filesize
8KB

Download
memory/612-56-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/612-57-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/896-62-0x0000000000000000-mapping.dmp

Download
memory/1032-59-0x0000000000000000-mapping.dmp

Download
memory/1032-63-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1480-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads