e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13

General

Target

e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.exe
Size

1.9MB
MD5

bf15384858eb653a37c2c52cfb8093bf
SHA1

5c8479f7a5695587c9c8ef6aa235a2089a4b286b
SHA256

e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13
SHA512

eaab580e50d02228b58ede0fa632cdf909086aebf51bf4513c4b6ea4ae24506a3df390d9f615fb36f8d02b69160595ba6c5542b0681de6a5f2ae0a938566552e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

services32.exesihost32.exe

pid process

3508 services32.exe
3956 sihost32.exe

pid	process
3508	services32.exe
3956	sihost32.exe

Drops file in System32 directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1032 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

conhost.execonhost.exe

pid process

3732 conhost.exe
1308 conhost.exe
1308 conhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

conhost.execonhost.exe

description pid process

Token: SeDebugPrivilege 3732 conhost.exe
Token: SeDebugPrivilege 1308 conhost.exe

pid	process
1032	schtasks.exe

pid	process
3732	conhost.exe
1308	conhost.exe
1308	conhost.exe

description	pid	process
Token: SeDebugPrivilege	3732	conhost.exe
Token: SeDebugPrivilege	1308	conhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.execonhost.execmd.execmd.exeservices32.execonhost.exesihost32.exe

description	pid	process	target process
PID 2352 wrote to memory of 3732	2352	e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.exe	conhost.exe
PID 2352 wrote to memory of 3732	2352	e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.exe	conhost.exe
PID 2352 wrote to memory of 3732	2352	e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.exe	conhost.exe
PID 3732 wrote to memory of 364	3732	conhost.exe	cmd.exe
PID 3732 wrote to memory of 364	3732	conhost.exe	cmd.exe
PID 364 wrote to memory of 1032	364	cmd.exe	schtasks.exe
PID 364 wrote to memory of 1032	364	cmd.exe	schtasks.exe
PID 3732 wrote to memory of 1124	3732	conhost.exe	cmd.exe
PID 3732 wrote to memory of 1124	3732	conhost.exe	cmd.exe
PID 1124 wrote to memory of 3508	1124	cmd.exe	services32.exe
PID 1124 wrote to memory of 3508	1124	cmd.exe	services32.exe
PID 3508 wrote to memory of 1308	3508	services32.exe	conhost.exe
PID 3508 wrote to memory of 1308	3508	services32.exe	conhost.exe
PID 3508 wrote to memory of 1308	3508	services32.exe	conhost.exe
PID 1308 wrote to memory of 3956	1308	conhost.exe	sihost32.exe
PID 1308 wrote to memory of 3956	1308	conhost.exe	sihost32.exe
PID 3956 wrote to memory of 1360	3956	sihost32.exe	conhost.exe
PID 3956 wrote to memory of 1360	3956	sihost32.exe	conhost.exe
PID 3956 wrote to memory of 1360	3956	sihost32.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.exe
"C:\Users\Admin\AppData\Local\Temp\e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13.exe"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
4⤵
- Creates scheduled task(s)
PID:1032

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost32"
7⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
6733235581266050463695a927a6ec22

SHA1
f5ca60fed481f4c99a249a1722d793b516bc618f

SHA256
2f2576aaff601d5821574f0a1f41d41cadf98faaf11108b32055c177ebbc7e02

SHA512
f3b7238b4479f2edb668e46335c2227c60a4a5294374947ce9cff155e997d7f46cbd2e97cb2efd7fdedfee8a9131aa59d11b0622d0cba5320e7d0debaa7f69e4

Download Submit
C:\Windows\System32\services32.exe
MD5
bf15384858eb653a37c2c52cfb8093bf

SHA1
5c8479f7a5695587c9c8ef6aa235a2089a4b286b

SHA256
e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13

SHA512
eaab580e50d02228b58ede0fa632cdf909086aebf51bf4513c4b6ea4ae24506a3df390d9f615fb36f8d02b69160595ba6c5542b0681de6a5f2ae0a938566552e

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
6733235581266050463695a927a6ec22

SHA1
f5ca60fed481f4c99a249a1722d793b516bc618f

SHA256
2f2576aaff601d5821574f0a1f41d41cadf98faaf11108b32055c177ebbc7e02

SHA512
f3b7238b4479f2edb668e46335c2227c60a4a5294374947ce9cff155e997d7f46cbd2e97cb2efd7fdedfee8a9131aa59d11b0622d0cba5320e7d0debaa7f69e4

Download Submit
C:\Windows\system32\services32.exe
MD5
bf15384858eb653a37c2c52cfb8093bf

SHA1
5c8479f7a5695587c9c8ef6aa235a2089a4b286b

SHA256
e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13

SHA512
eaab580e50d02228b58ede0fa632cdf909086aebf51bf4513c4b6ea4ae24506a3df390d9f615fb36f8d02b69160595ba6c5542b0681de6a5f2ae0a938566552e

Download Submit
memory/364-128-0x0000000000000000-mapping.dmp

Download
memory/1032-129-0x0000000000000000-mapping.dmp

Download
memory/1124-130-0x0000000000000000-mapping.dmp

Download
memory/1308-155-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1308-136-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1308-153-0x0000021C79333000-0x0000021C79335000-memory.dmp

Filesize
8KB

Download
memory/1308-154-0x0000021C79336000-0x0000021C79337000-memory.dmp

Filesize
4KB

Download
memory/1308-145-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1308-144-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1308-152-0x0000021C79330000-0x0000021C79332000-memory.dmp

Filesize
8KB

Download
memory/1308-142-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1308-139-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1308-138-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1308-137-0x0000021C76E50000-0x0000021C76E52000-memory.dmp

Filesize
8KB

Download
memory/1360-163-0x000001BDCDCC0000-0x000001BDCDCC2000-memory.dmp

Filesize
8KB

Download
memory/1360-158-0x000001BDCDCC0000-0x000001BDCDCC2000-memory.dmp

Filesize
8KB

Download
memory/1360-159-0x000001BDCDCC0000-0x000001BDCDCC2000-memory.dmp

Filesize
8KB

Download
memory/1360-160-0x000001BDCDCF0000-0x000001BDCDCF3000-memory.dmp

Filesize
12KB

Download
memory/1360-162-0x000001BDCDCC0000-0x000001BDCDCC2000-memory.dmp

Filesize
8KB

Download
memory/1360-165-0x000001BDCF7A0000-0x000001BDCF7A2000-memory.dmp

Filesize
8KB

Download
memory/1360-164-0x000001BDCDB40000-0x000001BDCDB46000-memory.dmp

Filesize
24KB

Download
memory/1360-156-0x000001BDCDCC0000-0x000001BDCDCC2000-memory.dmp

Filesize
8KB

Download
memory/1360-157-0x000001BDCDCC0000-0x000001BDCDCC2000-memory.dmp

Filesize
8KB

Download
memory/1360-167-0x000001BDCF7A6000-0x000001BDCF7A7000-memory.dmp

Filesize
4KB

Download
memory/1360-166-0x000001BDCF7A3000-0x000001BDCF7A5000-memory.dmp

Filesize
8KB

Download
memory/3508-132-0x0000000000000000-mapping.dmp

Download
memory/3732-119-0x0000023398E10000-0x0000023398FFD000-memory.dmp

Filesize
1.9MB

Download
memory/3732-123-0x0000023380060000-0x0000023380062000-memory.dmp

Filesize
8KB

Download
memory/3732-116-0x0000023380060000-0x0000023380062000-memory.dmp

Filesize
8KB

Download
memory/3732-117-0x0000023380060000-0x0000023380062000-memory.dmp

Filesize
8KB

Download
memory/3732-126-0x0000023398C03000-0x0000023398C05000-memory.dmp

Filesize
8KB

Download
memory/3732-118-0x0000023380060000-0x0000023380062000-memory.dmp

Filesize
8KB

Download
memory/3732-125-0x0000023398C00000-0x0000023398C02000-memory.dmp

Filesize
8KB

Download
memory/3732-121-0x0000023380060000-0x0000023380062000-memory.dmp

Filesize
8KB

Download
memory/3732-131-0x0000023380060000-0x0000023380062000-memory.dmp

Filesize
8KB

Download
memory/3732-122-0x00000233800C0000-0x00000233800C1000-memory.dmp

Filesize
4KB

Download
memory/3732-115-0x0000023380060000-0x0000023380062000-memory.dmp

Filesize
8KB

Download
memory/3732-124-0x00000233FE160000-0x00000233FE351000-memory.dmp

Filesize
1.9MB

Download
memory/3732-127-0x0000023398C06000-0x0000023398C07000-memory.dmp

Filesize
4KB

Download
memory/3956-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads