Analysis
- max time kernel: 111s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2023 19:36
Static task: static1
Behavioral task: behavioral1
- Sample: taskshostw.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: taskshostw.exe
- Resource: win10v2004-20221111-en
General
- Target: taskshostw.exe
- Size: 245KB
- MD5: e538f67d529d672c55304f3c9ad05392
- SHA1: f7ff40a1901d51dd6222b420bbece575b46b2cd2
- SHA256: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
- SHA512: 22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6
- SSDEEP: 3072:eTIu4ZQ8M2A1vA7m5+C6ZoEHBAnpK37nXz8o1008Q75wPsoB74tyJhvSK/KkMc/X:LHA1vweOR8CTwPnLKkM/u
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 276: taskshostw.exe
  - PID 396: taskshostw.exe
- Drops startup file (1 IoC)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskshostw.exe (process: taskshostw.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
  - flow 7: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (process: taskshostw.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: taskshostw.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 980 taskshostw.exe
  - Token: SeDebugPrivilege, PID 980 taskshostw.exe
  - Token: SeDebugPrivilege, PID 276 taskshostw.exe
  - Token: SeDebugPrivilege, PID 396 taskshostw.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID, source process, target PID, target process):
  - PID 980 taskshostw.exe wrote to memory of PID 1496 schtasks.exe
  - PID 980 taskshostw.exe wrote to memory of PID 1496 schtasks.exe
  - PID 980 taskshostw.exe wrote to memory of PID 1496 schtasks.exe
  - PID 1624 taskeng.exe wrote to memory of PID 276 taskshostw.exe
  - PID 1624 taskeng.exe wrote to memory of PID 276 taskshostw.exe
  - PID 1624 taskeng.exe wrote to memory of PID 276 taskshostw.exe
  - PID 1624 taskeng.exe wrote to memory of PID 396 taskshostw.exe
  - PID 1624 taskeng.exe wrote to memory of PID 396 taskshostw.exe
  - PID 1624 taskeng.exe wrote to memory of PID 396 taskshostw.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\taskshostw.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\taskshostw.exe"
  PID: 980
  - Drops startup file
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "taskshostw" /tr "C:\Users\Admin\AppData\Roaming\taskshostw.exe"
    PID: 1496
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {55AFD7DD-29A3-44F0-9DB6-396D04EFB098} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
  PID: 1624
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\taskshostw.exe
    Command line: C:\Users\Admin\AppData\Roaming\taskshostw.exe
    PID: 276
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\taskshostw.exe
    Command line: C:\Users\Admin\AppData\Roaming\taskshostw.exe
    PID: 396
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 245KB
  MD5: e538f67d529d672c55304f3c9ad05392
  SHA1: f7ff40a1901d51dd6222b420bbece575b46b2cd2
  SHA256: 124c17b099d8c09db4bd82b5ef3d41cea61727a480abfd56a943208d858ea8cf
  SHA512: 22344125223dcc5d66a5d0a6b860e547b408123d75e3d8f698fa45b9ea33e7a736ccaa7ae4e32a0989a9d0637db16443502e7bd56beb8093bb6c09a0289361c6