Analysis
max time kernel: 71s
max time network: 74s
platform: windows10_x64
resource: win10v20210408
submitted: 26-09-2021 22:02

Static task: static1
Behavioral task: behavioral1
  Sample: b3e2b5afa14c74d2b35c893b4b51e4cc.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: b3e2b5afa14c74d2b35c893b4b51e4cc.exe
  Resource: win10v20210408
General
Target: b3e2b5afa14c74d2b35c893b4b51e4cc.exe
Size: 124KB
MD5: b3e2b5afa14c74d2b35c893b4b51e4cc
SHA1: d649ceb434bbd2cd8c3b226d0235f0dc60967ba8
SHA256: 034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e
SHA512: f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 3904  sihost.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                target process
  PID 664 wrote to memory of 888     664   b3e2b5afa14c74d2b35c893b4b51e4cc.exe   schtasks.exe
  PID 664 wrote to memory of 888     664   b3e2b5afa14c74d2b35c893b4b51e4cc.exe   schtasks.exe
  PID 664 wrote to memory of 888     664   b3e2b5afa14c74d2b35c893b4b51e4cc.exe   schtasks.exe
  PID 3904 wrote to memory of 2264   3904  sihost.exe                             schtasks.exe
  PID 3904 wrote to memory of 2264   3904  sihost.exe                             schtasks.exe
  PID 3904 wrote to memory of 2264   3904  sihost.exe                             schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b3e2b5afa14c74d2b35c893b4b51e4cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3e2b5afa14c74d2b35c893b4b51e4cc.exe"
  - Suspicious use of WriteProcessMemory
  PID: 664
    C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      - Creates scheduled task(s)
      PID: 888

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3904
    C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      - Creates scheduled task(s)
      PID: 2264
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: b3e2b5afa14c74d2b35c893b4b51e4cc
  SHA1: d649ceb434bbd2cd8c3b226d0235f0dc60967ba8
  SHA256: 034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e
  SHA512: f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

memory/664-114-0x0000000000540000-0x0000000000544000-memory.dmp
  Filesize: 16KB

memory/664-116-0x0000000000400000-0x00000000004A6000-memory.dmp
  Filesize: 664KB

memory/888-115-0x0000000000000000-mapping.dmp

memory/2264-119-0x0000000000000000-mapping.dmp

memory/3904-120-0x0000000000400000-0x00000000004A6000-memory.dmp
  Filesize: 664KB