Managed XDR

taskhost.exe — malware analysis report

File info

Filename: taskhost.exe
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size: 749.9 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1: c712694bf243003cca29d047c0ba529c2617d84b
SHA256: 50045c9093865d34b4003aeac3cf0b55280bf194d07d77a125b69fd4966953a5
MD5: 7c459220f193b78f0fca1774a9a26b95

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vmware_files: Detects VMware through the presence of specific files
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1036 system_procname: Created a process named as a common system process
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vmware_files: Detects VMware through the presence of specific files
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1082 has_wmi: Executes one or several WMI requests
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Other

suspicious_process: Spawns a suspicious process
no_graphical_activity: No graphical activity
require_administrator: Requests administrator privileges
creates_suspended_process: Creates suspended process
origin_langid: Unconventional language of the executable file
pe_overlay: PE file contains overlay