Analysis
Max time kernel: 118s
Max time network: 121s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 26-09-2021 15:31
Static task: static1
Behavioral task: behavioral1
Sample: 19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204.exe
Resource: win10-en-20210920
General
Target: 19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204.exe
Size: 128KB
MD5: 1819b88422d6cf021bbb9156d1074c5a
SHA1: 5a8e73f9c713c65e6b9b1bd97ab2f0963c512991
SHA256: 19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204
SHA512: e6558fc73b329037f7830f643b1daa9b1fdad387d543b03bfac1f31c62573a348f4633f200fc179ff0474fc5f8fa7f9fc3658e7e56157059afb91c73d9ef6942
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: sihost.exe (PID 3148)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 2228), schtasks.exe (PID 2808)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204.exe, sihost.exe
  PID 2072 (19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204.exe) wrote to memory of PID 2228 (schtasks.exe)
  PID 2072 (19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204.exe) wrote to memory of PID 2228 (schtasks.exe)
  PID 2072 (19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204.exe) wrote to memory of PID 2228 (schtasks.exe)
  PID 3148 (sihost.exe) wrote to memory of PID 2808 (schtasks.exe)
  PID 3148 (sihost.exe) wrote to memory of PID 2808 (schtasks.exe)
  PID 3148 (sihost.exe) wrote to memory of PID 2808 (schtasks.exe)
Processes
- "C:\Users\Admin\AppData\Local\Temp\19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204.exe" (depth 1)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe" (depth 2)
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe (depth 1)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe" (depth 2)
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: 1819b88422d6cf021bbb9156d1074c5a
  SHA1: 5a8e73f9c713c65e6b9b1bd97ab2f0963c512991
  SHA256: 19a20c17581f93ad5f8bea44c9368c5b829c51dbd410679c8703c9179f727204
  SHA512: e6558fc73b329037f7830f643b1daa9b1fdad387d543b03bfac1f31c62573a348f4633f200fc179ff0474fc5f8fa7f9fc3658e7e56157059afb91c73d9ef6942
- memory/2072-117-0x0000000000400000-0x00000000004A7000-memory.dmp (Filesize: 668KB)
- memory/2072-116-0x0000000000720000-0x0000000000724000-memory.dmp (Filesize: 16KB)
- memory/2228-115-0x0000000000000000-mapping.dmp
- memory/2808-120-0x0000000000000000-mapping.dmp
- memory/3148-121-0x0000000000400000-0x00000000004A7000-memory.dmp (Filesize: 668KB)