034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

General

Target

b3e2b5afa14c74d2b35c893b4b51e4cc.exe
Size

124KB
MD5

b3e2b5afa14c74d2b35c893b4b51e4cc
SHA1

d649ceb434bbd2cd8c3b226d0235f0dc60967ba8
SHA256

034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e
SHA512

f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

3904 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

888 schtasks.exe
2264 schtasks.exe

pid	process
3904	sihost.exe

pid	process
888	schtasks.exe
2264	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b3e2b5afa14c74d2b35c893b4b51e4cc.exesihost.exe

description	pid	process	target process
PID 664 wrote to memory of 888	664	b3e2b5afa14c74d2b35c893b4b51e4cc.exe	schtasks.exe
PID 664 wrote to memory of 888	664	b3e2b5afa14c74d2b35c893b4b51e4cc.exe	schtasks.exe
PID 664 wrote to memory of 888	664	b3e2b5afa14c74d2b35c893b4b51e4cc.exe	schtasks.exe
PID 3904 wrote to memory of 2264	3904	sihost.exe	schtasks.exe
PID 3904 wrote to memory of 2264	3904	sihost.exe	schtasks.exe
PID 3904 wrote to memory of 2264	3904	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b3e2b5afa14c74d2b35c893b4b51e4cc.exe
"C:\Users\Admin\AppData\Local\Temp\b3e2b5afa14c74d2b35c893b4b51e4cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:888

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:2264

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
b3e2b5afa14c74d2b35c893b4b51e4cc

SHA1
d649ceb434bbd2cd8c3b226d0235f0dc60967ba8

SHA256
034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

SHA512
f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
b3e2b5afa14c74d2b35c893b4b51e4cc

SHA1
d649ceb434bbd2cd8c3b226d0235f0dc60967ba8

SHA256
034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

SHA512
f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Download Submit
memory/664-114-0x0000000000540000-0x0000000000544000-memory.dmp

Filesize
16KB

Download
memory/664-116-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/888-115-0x0000000000000000-mapping.dmp

Download
memory/2264-119-0x0000000000000000-mapping.dmp

Download
memory/3904-120-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads