e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5

Analysis

max time kernel
133s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 01:19

Target

e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5.exe
Size

33KB
MD5

0b3442caaf8c0123f91c753368aa6fb0
SHA1

ccdb436973983005519e9c385f6363f940f206e7
SHA256

e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5
SHA512

87f15431680b22124cc3e3fb365393b828d80b77cea7888663560a3cf082cad8c4256f2842cb81096dd0d63bb9491e5f31958bb7a1486fe17127d6f23199da36
SSDEEP

768:byXfyVZ7AKAa40a7Xk25eHIvzhQddmeyJq3sZAui:byv+7P/40GLaIrhQddmeyJ1yx

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3616	plusidup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3616	2708	e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5.exe	83
PID 2708 wrote to memory of 3616	2708	e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5.exe	83
PID 2708 wrote to memory of 3616	2708	e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5.exe	83

C:\Users\Admin\AppData\Local\Temp\e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5.exe
"C:\Users\Admin\AppData\Local\Temp\e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\plusidup.exe
  C:\Users\Admin\AppData\Local\Temp\plusidup.exe
  2⤵
  - Executes dropped EXE
  PID:3616

C:\Users\Admin\AppData\Local\Temp\ID37E3.tmp

Filesize
206B

MD5
42755f54bb0f569129b5ff2e3d3be3e2

SHA1
62afb7acc7f5eb129aabe47cf63fde6c0527ab9e

SHA256
80112eab15a327fd0f94194f9e641e9bf7a66b2a6739631f3cc60332fcd21667

SHA512
f19d195f762019b22145623534f95507c4fb264b5e9906d7c1787cc7027ebc5bdda07183504f51bf99ef0a4351688018436d528682a8c7dd80bde2439b3f90a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\plusidup.exe

Filesize
33KB

MD5
0b3442caaf8c0123f91c753368aa6fb0

SHA1
ccdb436973983005519e9c385f6363f940f206e7

SHA256
e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5

SHA512
87f15431680b22124cc3e3fb365393b828d80b77cea7888663560a3cf082cad8c4256f2842cb81096dd0d63bb9491e5f31958bb7a1486fe17127d6f23199da36

Download Submit
C:\Users\Admin\AppData\Local\Temp\plusidup.exe

Filesize
33KB

MD5
0b3442caaf8c0123f91c753368aa6fb0

SHA1
ccdb436973983005519e9c385f6363f940f206e7

SHA256
e2888fc6d0b4fc7314076f940b1afd735212d2ef528d07c7dca6f04bdeec5eb5

SHA512
87f15431680b22124cc3e3fb365393b828d80b77cea7888663560a3cf082cad8c4256f2842cb81096dd0d63bb9491e5f31958bb7a1486fe17127d6f23199da36

Download Submit
memory/2708-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3616-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download