a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053

General

Target

a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe
Size

4.8MB
MD5

ee4ebaecca0009f0bd995c7d5d6ea7c1
SHA1

fa084f9d343b14cee9adb96e97b1821f83f777e0
SHA256

a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053
SHA512

373e58711b83d8e45edbaf1af732643ce31fd8f02da0884e0fecb4e8a2096eb0b6bfe99d8ef83a8f2a251769973a7e6cbbe16513a066eb39697a5a52a51cc66a

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

416 sihost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exesihost.exe

pid process

2388 a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe
416 sihost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2924 schtasks.exe
1344 schtasks.exe

pid	process
416	sihost.exe

pid	process
2924	schtasks.exe
1344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exesihost.exe

pid	process
2388	a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe
2388	a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe
416	sihost.exe
416	sihost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exesihost.exe

description	pid	process	target process
PID 2388 wrote to memory of 2924	2388	a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe	schtasks.exe
PID 2388 wrote to memory of 2924	2388	a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe	schtasks.exe
PID 2388 wrote to memory of 2924	2388	a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe	schtasks.exe
PID 416 wrote to memory of 1344	416	sihost.exe	schtasks.exe
PID 416 wrote to memory of 1344	416	sihost.exe	schtasks.exe
PID 416 wrote to memory of 1344	416	sihost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe
"C:\Users\Admin\AppData\Local\Temp\a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:2924

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
ee4ebaecca0009f0bd995c7d5d6ea7c1

SHA1
fa084f9d343b14cee9adb96e97b1821f83f777e0

SHA256
a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053

SHA512
373e58711b83d8e45edbaf1af732643ce31fd8f02da0884e0fecb4e8a2096eb0b6bfe99d8ef83a8f2a251769973a7e6cbbe16513a066eb39697a5a52a51cc66a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
ee4ebaecca0009f0bd995c7d5d6ea7c1

SHA1
fa084f9d343b14cee9adb96e97b1821f83f777e0

SHA256
a611c1e9dcec711840ea9295cb66ee04dc68f3a154e1abac99ffc88047464053

SHA512
373e58711b83d8e45edbaf1af732643ce31fd8f02da0884e0fecb4e8a2096eb0b6bfe99d8ef83a8f2a251769973a7e6cbbe16513a066eb39697a5a52a51cc66a

Download Submit
memory/416-123-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/416-124-0x0000000000400000-0x0000000000B9B000-memory.dmp

Filesize
7.6MB

Download
memory/416-125-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1344-126-0x0000000000000000-mapping.dmp

Download
memory/2388-116-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2388-117-0x0000000000400000-0x0000000000B9B000-memory.dmp

Filesize
7.6MB

Download
memory/2388-118-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2924-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads