1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b

Analysis

max time kernel
136s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 13:55

Target

1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe
Size

68KB
MD5

a34ddff35c1ebc8a35475f8d781359f0
SHA1

c8bb26f25582b556441cb5cd9795e841ebdda141
SHA256

1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b
SHA512

60c8524d7b460722f0199a035e75327fa7f480f38d371a37f4630b98ecf8cc1259c91e688cab6313bf8d57deade514809a034150c80c741f3f380b4aeabd0dc0
SSDEEP

1536:wiL3Q+cBU/qUx3EkntVkohiEd6/eTTaYXxXDFKmda30Lr:XLgDBUbTnuEd6IaYXxhKmdMcr

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
944	vadftol.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 944	1696	1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe	27
PID 1696 wrote to memory of 944	1696	1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe	27
PID 1696 wrote to memory of 944	1696	1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe	27
PID 1696 wrote to memory of 944	1696	1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe	27

C:\Users\Admin\AppData\Local\Temp\1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe
"C:\Users\Admin\AppData\Local\Temp\1b9551cd1fc39145d88ea42db3a9dc183ac06dab597bc61a964ebab8baca198b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\vadftol.exe
  C:\Users\Admin\AppData\Local\Temp\vadftol.exe
  2⤵
  - Executes dropped EXE
  PID:944

C:\Users\Admin\AppData\Local\Temp\vadftol.exe

Filesize
68KB

MD5
345736217a6d2ad058b790a32be343b8

SHA1
147c1a5477f5ca43ddcd5d3ea84f4cc7f87691a0

SHA256
06eb5d7c5258963e323fbcf592e21bc9fb5712f898f78bda049170872f94f6b7

SHA512
8b6c85d578393119a65d74e3e53a31b20b9e67ceca7b26fd9d0e6eae6368304f60c57ed27150ef939510c4a0e1bffa2fd4e31277d36964647b6cd3c0b67890d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vadftol.exe

Filesize
68KB

MD5
345736217a6d2ad058b790a32be343b8

SHA1
147c1a5477f5ca43ddcd5d3ea84f4cc7f87691a0

SHA256
06eb5d7c5258963e323fbcf592e21bc9fb5712f898f78bda049170872f94f6b7

SHA512
8b6c85d578393119a65d74e3e53a31b20b9e67ceca7b26fd9d0e6eae6368304f60c57ed27150ef939510c4a0e1bffa2fd4e31277d36964647b6cd3c0b67890d9

Download Submit
\Users\Admin\AppData\Local\Temp\vadftol.exe

Filesize
68KB

MD5
345736217a6d2ad058b790a32be343b8

SHA1
147c1a5477f5ca43ddcd5d3ea84f4cc7f87691a0

SHA256
06eb5d7c5258963e323fbcf592e21bc9fb5712f898f78bda049170872f94f6b7

SHA512
8b6c85d578393119a65d74e3e53a31b20b9e67ceca7b26fd9d0e6eae6368304f60c57ed27150ef939510c4a0e1bffa2fd4e31277d36964647b6cd3c0b67890d9

Download Submit
memory/944-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/944-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download