Analysis
- max time kernel: 113s
- max time network: 116s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 13:51
Static task: static1
Behavioral task: behavioral1
Sample: dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571.exe
Resource: win10-en-20210920
General
- Target: dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571.exe
- Size: 188KB
- MD5: c5f0db33f6c3174e4b5463ed5ee82f9d
- SHA1: dfa8ff7b2dd6228cacbeb08252d612f0bb826e33
- SHA256: dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571
- SHA512: af5cbe183ec0699dc233aa8818b6081fd96b488627e2386bdacc39d5ba727b4021fd703ccd058e4e4adce7be1e8f951284ae571771b32b4e6a868cbba7a2c8a6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  PID 360: sihost.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  PID 3640: schtasks.exe
  PID 2228: schtasks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  PID 3716 wrote to memory of 3640: dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571.exe -> schtasks.exe
  PID 3716 wrote to memory of 3640: dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571.exe -> schtasks.exe
  PID 3716 wrote to memory of 3640: dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571.exe -> schtasks.exe
  PID 360 wrote to memory of 2228: sihost.exe -> schtasks.exe
  PID 360 wrote to memory of 2228: sihost.exe -> schtasks.exe
  PID 360 wrote to memory of 2228: sihost.exe -> schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: c5f0db33f6c3174e4b5463ed5ee82f9d
  SHA1: dfa8ff7b2dd6228cacbeb08252d612f0bb826e33
  SHA256: dd5bbc150a036931474d1f4cae928d67aeda4ad357fb8bef0b740faa77148571
  SHA512: af5cbe183ec0699dc233aa8818b6081fd96b488627e2386bdacc39d5ba727b4021fd703ccd058e4e4adce7be1e8f951284ae571771b32b4e6a868cbba7a2c8a6
- memory/360-121-0x0000000000400000-0x00000000004B6000-memory.dmp
  Filesize: 728KB
- memory/2228-120-0x0000000000000000-mapping.dmp
- memory/3640-115-0x0000000000000000-mapping.dmp
- memory/3716-117-0x0000000000400000-0x00000000004B6000-memory.dmp
  Filesize: 728KB
- memory/3716-116-0x00000000001D0000-0x00000000001D4000-memory.dmp
  Filesize: 16KB