Analysis

max time kernel: 78s
max time network: 80s
platform: windows10_x64
resource: win10v20210408
submitted: 26-09-2021 20:20

Static task: static1
Behavioral task: behavioral1
Sample: 034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe
Resource: win10v20210408
General

Target: 034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe
Size: 124KB
MD5: b3e2b5afa14c74d2b35c893b4b51e4cc
SHA1: d649ceb434bbd2cd8c3b226d0235f0dc60967ba8
SHA256: 034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e
SHA512: f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 3720  sihost.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (source PID wrote to memory of target PID; source process -> target process):
  528 -> 664    034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe -> schtasks.exe
  528 -> 664    034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe -> schtasks.exe
  528 -> 664    034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe -> schtasks.exe
  3720 -> 3920  sihost.exe -> schtasks.exe
  3720 -> 3920  sihost.exe -> schtasks.exe
  3720 -> 3920  sihost.exe -> schtasks.exe
Every write here targets a schtasks.exe child the writing process had just spawned itself, which is consistent with ordinary process start-up under WOW64 rather than injection into an unrelated process; treat this signature as informational and rely on the scheduled-task and dropped-EXE behaviour for triage.
Processes

C:\Users\Admin\AppData\Local\Temp\034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe  (PID 528)
  command line: "C:\Users\Admin\AppData\Local\Temp\034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (PID 664)
      command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe  (PID 3720)
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (PID 3920)
      command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      - Creates scheduled task(s)

What the tree shows: the sample registers a scheduled task named "Azure-Update-Task" that fires every minute (/sc minute /mo 1) and runs a copy of itself dropped to %APPDATA%\Microsoft\Network\sihost.exe. The dropped file carries the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see Downloads), so it is a byte-for-byte copy, and it borrows the name of the legitimate Shell Infrastructure Host, which only runs from C:\Windows\System32. When the task launches the copy, the copy re-issues the same schtasks command with /F, overwriting the task so that deleting it once is not enough. schtasks.exe is started from SysWOW64, so the sample is a 32-bit executable running under WOW64. The leading /C in the captured schtasks command line is reproduced as the sandbox recorded it.
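The two behaviours the Signatures section and the process tree expose (a high-frequency schtasks persistence task pointing into a user-writable directory, and a system-binary name running from outside the system directories) are the detections a SOC would want to carry away from this report. The script below is an added example, not part of the sandbox report or of the sample, and runs those rules over constructed Sysmon-style ProcessCreate records whose PIDs, paths and command lines mirror the tree above; the parent PIDs of the two top-level processes, the two benign control records, and the field names are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed records in the shape of Sysmon Event ID 1 (ProcessCreate).
# The first four mirror the sandbox process tree in this report; the last
# two are benign controls (the real sihost.exe and an ordinary hourly task)
# added to check the rules stay quiet on legitimate activity. None of these
# records come from a real log.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
TASK_CMD = (r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
            r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"')

EVENTS = [
    {"ProcessId": 528,  "ParentProcessId": 4000, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 664,  "ParentProcessId": 528,  "Image": r"C:\Windows\SysWOW64\schtasks.exe", "CommandLine": TASK_CMD},
    {"ProcessId": 3720, "ParentProcessId": 1200, "Image": DROPPED, "CommandLine": DROPPED},
    {"ProcessId": 3920, "ParentProcessId": 3720, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "CommandLine": TASK_CMD},
    {"ProcessId": 900,  "ParentProcessId": 800,  "Image": r"C:\Windows\System32\sihost.exe", "CommandLine": "sihost.exe"},
    {"ProcessId": 910,  "ParentProcessId": 800,  "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'/create /sc hourly /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names a clean Windows install only ever runs from the system directories;
# a copy anywhere else is masquerading (ATT&CK T1036.005).
SYSTEM_ONLY_NAMES = {"sihost.exe", "svchost.exe", "lsass.exe", "csrss.exe", "dllhost.exe", "runtimebroker.exe"}
# Path fragments that an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\", "\\programdata\\", "\\temp\\")


def parse_schtasks(cmdline):
    """Pull the fields of a `schtasks /create` command line that matter for
    persistence triage. Returns None when the command is not a task creation."""
    # Tokenise like the Windows shell: quoted strings become one token.
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None

    def opt(flag):
        try:
            return tokens[lowered.index(flag) + 1]
        except (ValueError, IndexError):
            return None

    schedule = (opt("/sc") or "").lower()
    modifier = opt("/mo")
    minutes = None
    if schedule == "minute":
        # schtasks defaults /mo to 1 when the schedule is "minute".
        minutes = int(modifier) if modifier and modifier.isdigit() else 1
    return {"name": opt("/tn"), "action": opt("/tr"), "schedule": schedule,
            "minutes": minutes, "force": "/f" in lowered}


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect(events, max_minutes=5):
    """Run three rules over ProcessCreate records and return the findings."""
    findings = []
    images = {e["Image"].lower() for e in events}
    for e in events:
        path = PureWindowsPath(e["Image"])
        name, folder = path.name.lower(), str(path.parent).lower()
        # Rule 1: system-binary name running outside System32/SysWOW64.
        if name in SYSTEM_ONLY_NAMES and folder not in SYSTEM_DIRS:
            findings.append({"rule": "masquerading", "pid": e["ProcessId"], "image": e["Image"]})
        if name != "schtasks.exe":
            continue
        task = parse_schtasks(e["CommandLine"])
        if not task or not task["action"]:
            continue
        # Rule 2: task firing every few minutes whose payload lives in a
        # user-writable directory (ATT&CK T1053.005 used for persistence).
        if (task["minutes"] is not None and task["minutes"] <= max_minutes
                and in_user_writable(task["action"])):
            findings.append({"rule": "high_frequency_task", "pid": e["ProcessId"],
                             "task": task["name"], "action": task["action"]})
        # Rule 3: the task's payload was itself seen starting, so the
        # persistence mechanism is already live, not just registered.
        if task["action"].lower() in images:
            findings.append({"rule": "task_action_executed", "pid": e["ProcessId"],
                             "action": task["action"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Rule 3 is the one worth keeping in a real pipeline: a `schtasks /create` alone is noisy, but a task whose action is a path under AppData that is then observed as an `Image` in a later ProcessCreate event is the pattern this report shows, and it survives the attacker renaming the task.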
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  MD5: b3e2b5afa14c74d2b35c893b4b51e4cc
  SHA1: d649ceb434bbd2cd8c3b226d0235f0dc60967ba8
  SHA256: 034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e
  SHA512: f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e
memory/528-116-0x0000000000400000-0x00000000004A6000-memory.dmp  (filesize 664KB)
memory/528-115-0x0000000000720000-0x0000000000724000-memory.dmp  (filesize 16KB)
memory/664-114-0x0000000000000000-mapping.dmp
memory/3720-120-0x0000000000400000-0x00000000004A6000-memory.dmp  (filesize 664KB)
memory/3920-119-0x0000000000000000-mapping.dmp