b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b

General

Target

b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe
Size

127KB
MD5

2625930e30ae21301ec79922a74fc7b5
SHA1

73ea28a8ed178ba2c0455f78d12b600443b81615
SHA256

b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b
SHA512

7f369ffa8452b2482c20de03c75aa8d05d4762da4ffd0e1c237d3f27e17018d421cf3ef77c01b10f3a397aee29b5046b0441733101388e051a00c4016ff7106e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

2772 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2360 schtasks.exe
2788 schtasks.exe

pid	process
2772	sihost.exe

pid	process
2360	schtasks.exe
2788	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exesihost.exe

description	pid	process	target process
PID 2176 wrote to memory of 2360	2176	b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe	schtasks.exe
PID 2176 wrote to memory of 2360	2176	b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe	schtasks.exe
PID 2176 wrote to memory of 2360	2176	b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe	schtasks.exe
PID 2772 wrote to memory of 2788	2772	sihost.exe	schtasks.exe
PID 2772 wrote to memory of 2788	2772	sihost.exe	schtasks.exe
PID 2772 wrote to memory of 2788	2772	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe
"C:\Users\Admin\AppData\Local\Temp\b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:2360

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
2625930e30ae21301ec79922a74fc7b5

SHA1
73ea28a8ed178ba2c0455f78d12b600443b81615

SHA256
b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b

SHA512
7f369ffa8452b2482c20de03c75aa8d05d4762da4ffd0e1c237d3f27e17018d421cf3ef77c01b10f3a397aee29b5046b0441733101388e051a00c4016ff7106e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
2625930e30ae21301ec79922a74fc7b5

SHA1
73ea28a8ed178ba2c0455f78d12b600443b81615

SHA256
b7e30fc053a17390a84947ea79de98efc36e929a306a54478c29f55e24f98f8b

SHA512
7f369ffa8452b2482c20de03c75aa8d05d4762da4ffd0e1c237d3f27e17018d421cf3ef77c01b10f3a397aee29b5046b0441733101388e051a00c4016ff7106e

Download Submit
memory/2176-117-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2176-116-0x0000000000720000-0x0000000000724000-memory.dmp

Filesize
16KB

Download
memory/2360-115-0x0000000000000000-mapping.dmp

Download
memory/2772-121-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2788-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads