9f72804b2a85b0248511e037f21e57ad419159b45233524b0e463c9a6b6009a8

Analysis

max time kernel
138s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 11:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

890d4521f44c5a800f0ced19c4b8f897.exe
Size

315KB
MD5

890d4521f44c5a800f0ced19c4b8f897
SHA1

550ca8aee79905198bbfba561eaba4353c74707e
SHA256

9f72804b2a85b0248511e037f21e57ad419159b45233524b0e463c9a6b6009a8
SHA512

43dac91c5690d8746c3b87d705c47dcc2849c0f05a82b35b3c91817d0cbdf628051238bca2fdba2648a32445d94ae60e1f1647565f4bb5256aea3f32ad50dc76
SSDEEP

6144:zjvi99MYokgYE16ygGvVSJvi3DMU974RM71:H29MYTgf65KIJviTMU974S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2576	sihost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe
2352	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2352	2240	890d4521f44c5a800f0ced19c4b8f897.exe	29
PID 2240 wrote to memory of 2352	2240	890d4521f44c5a800f0ced19c4b8f897.exe	29
PID 2240 wrote to memory of 2352	2240	890d4521f44c5a800f0ced19c4b8f897.exe	29
PID 2240 wrote to memory of 2352	2240	890d4521f44c5a800f0ced19c4b8f897.exe	29
PID 2380 wrote to memory of 2576	2380	taskeng.exe	31
PID 2380 wrote to memory of 2576	2380	taskeng.exe	31
PID 2380 wrote to memory of 2576	2380	taskeng.exe	31
PID 2380 wrote to memory of 2576	2380	taskeng.exe	31
PID 2576 wrote to memory of 2692	2576	sihost.exe	33
PID 2576 wrote to memory of 2692	2576	sihost.exe	33
PID 2576 wrote to memory of 2692	2576	sihost.exe	33
PID 2576 wrote to memory of 2692	2576	sihost.exe	33

C:\Users\Admin\AppData\Local\Temp\890d4521f44c5a800f0ced19c4b8f897.exe
"C:\Users\Admin\AppData\Local\Temp\890d4521f44c5a800f0ced19c4b8f897.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2352

C:\Windows\system32\taskeng.exe
taskeng.exe {EA30268C-46BB-46E6-87F4-645CD66F5A70} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

Filesize
13KB

MD5
77514bd74cf2f7eb6e3be6dc87767663

SHA1
5ccadf3cdc35d76f2fbbdd10f50bb216a2a1f10f

SHA256
abba652d5a0b823d82c4bee36c9a5a1840c9755cf5d60d909eab4bf54855632e

SHA512
2d6c65672d1216b9aff47870da01f02a0c47ee488a2ed03e51a09fefb6c305d8ec7f0c4f9ebf4ea197b2a0b6075ec9a9172903fbdec38bbf7fe95996becd65ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

Filesize
1KB

MD5
23b07c20b7926697998767c116ee92f8

SHA1
6a3d0f940f32f2f05c6c2a27b231bc05ee9d7669

SHA256
0ddbdb2994fe43bf809699546cb6aadb249f375bf7aaf0f2cc06ec4b4c28621a

SHA512
09795f4c7815d8cd52b05099b513f0b4670fe89d82ca232b7b63dd4ec28c9a98f7521f1e128bfbdd9ccf4a9e72a0835ec02b01942a91c87b591f044259bf4b3d

Download Submit
memory/2240-3-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2240-2-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/2240-5-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/2576-9-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2576-10-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/2576-13-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads