Managed XDR

taskhost.exe — malware analysis report

File info

Filename
taskhost.exe
File type
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size
749.8 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
1c912c0684f6e95ff92a00e0d7fc623d137e3819
SHA256
a1e0845470f94b4b5932bbb31ffa44f6073a06cc30f5b12098413ce3931b2e64
MD5
0563b9335cf4948dd27b2b3ef98fb38a

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vmware_files: Detects VMware through the presence of specific files
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1036 system_procname: Created a process named as a common system process
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vmware_files: Detects VMware through the presence of specific files
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1082 has_wmi: Executes one or several WMI requests
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Other

suspicious_process: Spawns a suspicious process
no_graphical_activity: No graphic activity
require_administrator: Requests administrator privileges
creates_suspended_process: Creates suspended process
origin_langid: Unconventional language of the executable file
pe_overlay: PE file contains overlay