Analysis
- max time kernel: 68s
- max time network: 71s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-09-2021 12:00
Static task: static1
Behavioral task: behavioral1
Sample: 0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe
Resource: win10v20210408
General
- Target: 0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe
- Size: 134KB
- MD5: 2cd9ee84b4da1a802e9f5082a5ffeb6d
- SHA1: f6cd9b6b5561456c8a0d8880e2a468bd2256618a
- SHA256: 0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348
- SHA512: e64ed4bd1cf7974cb0392f1fe37c81372035808db2b6fa34d80daa3af20ef588b536a9242dba7f9e6c9a52ab6f588defbb9020674dcd2b8f559311169241713f
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 3792 | process sihost.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 620 wrote to memory of 788 | 620 | 0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe | schtasks.exe
  PID 620 wrote to memory of 788 | 620 | 0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe | schtasks.exe
  PID 620 wrote to memory of 788 | 620 | 0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe | schtasks.exe
  PID 3792 wrote to memory of 3936 | 3792 | sihost.exe | schtasks.exe
  PID 3792 wrote to memory of 3936 | 3792 | sihost.exe | schtasks.exe
  PID 3792 wrote to memory of 3936 | 3792 | sihost.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: 2cd9ee84b4da1a802e9f5082a5ffeb6d
  SHA1: f6cd9b6b5561456c8a0d8880e2a468bd2256618a
  SHA256: 0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348
  SHA512: e64ed4bd1cf7974cb0392f1fe37c81372035808db2b6fa34d80daa3af20ef588b536a9242dba7f9e6c9a52ab6f588defbb9020674dcd2b8f559311169241713f
- memory/620-114-0x00000000001E0000-0x00000000001E4000-memory.dmp (Filesize 16KB)
- memory/620-115-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize 672KB)
- memory/788-116-0x0000000000000000-mapping.dmp
- memory/3792-121-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize 672KB)
- memory/3792-120-0x00000000005D0000-0x000000000071A000-memory.dmp (Filesize 1.3MB)
- memory/3936-119-0x0000000000000000-mapping.dmp