Analysis
- max time kernel: 119s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 12:26
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe
- Resource: win10-en-20210920
General
- Target: 2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe
- Size: 135KB
- MD5: 13d6542b23dfe0a254885ad5b6986141
- SHA1: 893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
- SHA256: 2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
- SHA512: e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 2624: sihost.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - pid 2812: schtasks.exe
  - pid 2264: schtasks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 2064 (2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe) wrote to memory of PID 2264 (schtasks.exe)
  - PID 2064 (2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe) wrote to memory of PID 2264 (schtasks.exe)
  - PID 2064 (2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe) wrote to memory of PID 2264 (schtasks.exe)
  - PID 2624 (sihost.exe) wrote to memory of PID 2812 (schtasks.exe)
  - PID 2624 (sihost.exe) wrote to memory of PID 2812 (schtasks.exe)
  - PID 2624 (sihost.exe) wrote to memory of PID 2812 (schtasks.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: 13d6542b23dfe0a254885ad5b6986141
  SHA1: 893cd4ab98575b0e54f9d053fa0fa50b4f17cb33
  SHA256: 2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8
  SHA512: e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681
- memory/2064-115-0x00000000005D0000-0x000000000071A000-memory.dmp
  Filesize: 1.3MB
- memory/2064-117-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize: 672KB
- memory/2264-116-0x0000000000000000-mapping.dmp
- memory/2624-122-0x0000000000400000-0x00000000004A8000-memory.dmp
  Filesize: 672KB
- memory/2624-121-0x0000000000590000-0x00000000006DA000-memory.dmp
  Filesize: 1.3MB
- memory/2812-120-0x0000000000000000-mapping.dmp