034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

General

Target

034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe
Size

124KB
MD5

b3e2b5afa14c74d2b35c893b4b51e4cc
SHA1

d649ceb434bbd2cd8c3b226d0235f0dc60967ba8
SHA256

034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e
SHA512

f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

3720 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

664 schtasks.exe
3920 schtasks.exe

pid	process
3720	sihost.exe

pid	process
664	schtasks.exe
3920	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exesihost.exe

description	pid	process	target process
PID 528 wrote to memory of 664	528	034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe	schtasks.exe
PID 528 wrote to memory of 664	528	034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe	schtasks.exe
PID 528 wrote to memory of 664	528	034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe	schtasks.exe
PID 3720 wrote to memory of 3920	3720	sihost.exe	schtasks.exe
PID 3720 wrote to memory of 3920	3720	sihost.exe	schtasks.exe
PID 3720 wrote to memory of 3920	3720	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe
"C:\Users\Admin\AppData\Local\Temp\034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:664

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:3920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
b3e2b5afa14c74d2b35c893b4b51e4cc

SHA1
d649ceb434bbd2cd8c3b226d0235f0dc60967ba8

SHA256
034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

SHA512
f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
b3e2b5afa14c74d2b35c893b4b51e4cc

SHA1
d649ceb434bbd2cd8c3b226d0235f0dc60967ba8

SHA256
034cab7d36d022d5c2a8ca7e9957d81c155aeb32cb0c3e575ba8b5692a1bfb5e

SHA512
f581f62724d4dc4f2b5b9da36d3cf8c3c747c57472fca6f790870377bcdda2889a684246e91757d4444817a9527c77ef4ec0e84cecb2589397c45a10ffb4a12e

Download Submit
memory/528-116-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/528-115-0x0000000000720000-0x0000000000724000-memory.dmp

Filesize
16KB

Download
memory/664-114-0x0000000000000000-mapping.dmp

Download
memory/3720-120-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3920-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads