fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908

Analysis

max time kernel
65s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
Size

255KB
MD5

44c9807aa44621e88c03a0942a434030
SHA1

e29314c86afe3d59bb86b09a537f8113cc98d553
SHA256

fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908
SHA512

59b4988563ac7f5170253771610a70b349bb7ed50f4523d337441ee083623c2018ccc787f966a7aa88d8464125d476f664d2773864d25d63cf3ef250550d64d8
SSDEEP

6144:8nhGHSKB6XHABgukwVEfXym375ZtSZXiu04:8nhNDa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost28.exe

pid process

2004 svchost28.exe
Loads dropped DLL 4 IoCs

Processes:

fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exesvchost28.exe

pid process

1692 fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
2004 svchost28.exe
2004 svchost28.exe
2004 svchost28.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ifconfig.me

pid	process
2004	svchost28.exe

pid	process
1692	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
2004	svchost28.exe
2004	svchost28.exe
2004	svchost28.exe

flow	ioc
5	ifconfig.me

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe

description	pid	process	target process
PID 1692 wrote to memory of 2004	1692	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe	svchost28.exe
PID 1692 wrote to memory of 2004	1692	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe	svchost28.exe
PID 1692 wrote to memory of 2004	1692	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe	svchost28.exe
PID 1692 wrote to memory of 2004	1692	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe	svchost28.exe

C:\Users\Admin\AppData\Local\Temp\fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
"C:\Users\Admin\AppData\Local\Temp\fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\svchost28.exe
"C:\Users\Admin\AppData\Local\Temp\svchost28.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EASendMail20.dll
Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST28.EXE
Filesize
25KB

MD5
7cd436c3c9559344d908a01344661904

SHA1
04be3e0986bb2a6cf79072264cbb103d3ba9d070

SHA256
8dbfcdcb70f5f7f0ee8597d76f184e94257320cf28a84fcefbd5169a0cbdcc4d

SHA512
6db633ad3480d23a1e252b40cd7e2f569c7c3b4cd882df4ca2de3eeb3750de548c02461d0b0fef2ef4dd115f30ceb79f0c3911237bba8c377eec30a230d5ad58

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost28.exe
Filesize
25KB

MD5
7cd436c3c9559344d908a01344661904

SHA1
04be3e0986bb2a6cf79072264cbb103d3ba9d070

SHA256
8dbfcdcb70f5f7f0ee8597d76f184e94257320cf28a84fcefbd5169a0cbdcc4d

SHA512
6db633ad3480d23a1e252b40cd7e2f569c7c3b4cd882df4ca2de3eeb3750de548c02461d0b0fef2ef4dd115f30ceb79f0c3911237bba8c377eec30a230d5ad58

Download Submit
\Users\Admin\AppData\Local\Temp\EASENDMAIL20.DLL
Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
\Users\Admin\AppData\Local\Temp\EASENDMAIL20.DLL
Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
\Users\Admin\AppData\Local\Temp\EASENDMAIL20.DLL
Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
\Users\Admin\AppData\Local\Temp\SVCHOST28.EXE
Filesize
25KB

MD5
7cd436c3c9559344d908a01344661904

SHA1
04be3e0986bb2a6cf79072264cbb103d3ba9d070

SHA256
8dbfcdcb70f5f7f0ee8597d76f184e94257320cf28a84fcefbd5169a0cbdcc4d

SHA512
6db633ad3480d23a1e252b40cd7e2f569c7c3b4cd882df4ca2de3eeb3750de548c02461d0b0fef2ef4dd115f30ceb79f0c3911237bba8c377eec30a230d5ad58

Download Submit
memory/2004-55-0x0000000000000000-mapping.dmp

Download
memory/2004-58-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2004-59-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-64-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download