Analysis
max time kernel: 118s
max time network: 121s
platform: windows10_x64
resource: win10-en-20210920
submitted: 26-09-2021 15:11
Static task: static1
Behavioral task: behavioral1
Sample: b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe
Resource: win10-en-20210920
General
Target: b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe
Size: 127KB
MD5: 2625930e30ae21301ec79922a74fc7b5
SHA1: 73ea28a8ed178ba2c0455f78d12b600443b81615
SHA256: b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b
SHA512: 7f369ffa8452b2482c20de03c75aa8d05d4762da4ffd0e1c237d3f27e17018d421cf3ef77c01b10f3a397aee29b5046b0441733101388e051a00c4016ff7106e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2772  sihost.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    PID 2360  schtasks.exe
    PID 2788  schtasks.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 2176 wrote to memory of 2360 | 2176 | b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe | schtasks.exe  (reported 3 times)
    PID 2772 wrote to memory of 2788 | 2772 | sihost.exe | schtasks.exe  (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: 2625930e30ae21301ec79922a74fc7b5
  SHA1: 73ea28a8ed178ba2c0455f78d12b600443b81615
  SHA256: b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b
  SHA512: 7f369ffa8452b2482c20de03c75aa8d05d4762da4ffd0e1c237d3f27e17018d421cf3ef77c01b10f3a397aee29b5046b0441733101388e051a00c4016ff7106e
- memory/2176-117-0x0000000000400000-0x00000000004A7000-memory.dmp
  Filesize: 668KB
- memory/2176-116-0x0000000000720000-0x0000000000724000-memory.dmp
  Filesize: 16KB
- memory/2360-115-0x0000000000000000-mapping.dmp
- memory/2772-121-0x0000000000400000-0x00000000004A7000-memory.dmp
  Filesize: 668KB
- memory/2788-120-0x0000000000000000-mapping.dmp