188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 15:57

Target

188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3.exe
Size

116KB
MD5

8d20d5762f58849e0f7e650d8acd689c
SHA1

922a5091490a82c841f30a8b0025ac506195aa4a
SHA256

188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3
SHA512

ade4f41ee7a10a19ab85a3dd2f1145c852e60f2e6309957a5b3fc93f3d3e4f89dc705a79c3abe7db320a9cafb452690db5a6f57235decd565d479467b6d589ec
SSDEEP

1536:ot2a6pJxWSGfp5Y9QMoM10G8DhV9nhfU3QKSSZBtnGHSes:ot4lR2MoM1vGh3UQ5lHS

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
5024	kohanwere.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	icanhazip.com

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 5024	2276	188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3.exe	82
PID 2276 wrote to memory of 5024	2276	188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3.exe	82
PID 2276 wrote to memory of 5024	2276	188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3.exe	82

C:\Users\Admin\AppData\Local\Temp\188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3.exe
"C:\Users\Admin\AppData\Local\Temp\188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\kohanwere.exe
  C:\Users\Admin\AppData\Local\Temp\kohanwere.exe
  2⤵
  - Executes dropped EXE
  PID:5024

C:\Users\Admin\AppData\Local\Temp\k29B5.tmp

Filesize
206B

MD5
9b9b5969db93c1680f3f1f75257bafee

SHA1
6e5802322c0526395511c416fbd1de6a0a0afb43

SHA256
f8cbbc07c4bd09cf51a034aa0a537481fae7bfe0fb98beeac70cc8b15de7049f

SHA512
e6e30b5a9d6566df1866d51c04a5327f0609f2920f608436d66838f0e661bcf3dbdb0ca332e6215d81287e0b12eb017d7d754a2f016b805433317c6174458acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kohanwere.exe

Filesize
116KB

MD5
8d20d5762f58849e0f7e650d8acd689c

SHA1
922a5091490a82c841f30a8b0025ac506195aa4a

SHA256
188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3

SHA512
ade4f41ee7a10a19ab85a3dd2f1145c852e60f2e6309957a5b3fc93f3d3e4f89dc705a79c3abe7db320a9cafb452690db5a6f57235decd565d479467b6d589ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kohanwere.exe

Filesize
116KB

MD5
8d20d5762f58849e0f7e650d8acd689c

SHA1
922a5091490a82c841f30a8b0025ac506195aa4a

SHA256
188febad9d26b0e617c56149038619cc81765fc9df0018fa3922d741d16dcff3

SHA512
ade4f41ee7a10a19ab85a3dd2f1145c852e60f2e6309957a5b3fc93f3d3e4f89dc705a79c3abe7db320a9cafb452690db5a6f57235decd565d479467b6d589ec

Download Submit
memory/2276-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5024-133-0x0000000000000000-mapping.dmp

Download
memory/5024-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download