Analysis
max time kernel: 65s
max time network: 147s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 09:58
Static task: static1
Behavioral task: behavioral1
  Sample: fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
  Resource: win10v2004-20221111-en
General
Target: fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
Size: 255KB
MD5: 44c9807aa44621e88c03a0942a434030
SHA1: e29314c86afe3d59bb86b09a537f8113cc98d553
SHA256: fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908
SHA512: 59b4988563ac7f5170253771610a70b349bb7ed50f4523d337441ee083623c2018ccc787f966a7aa88d8464125d476f664d2773864d25d63cf3ef250550d64d8
SSDEEP: 6144:8nhGHSKB6XHABgukwVEfXym375ZtSZXiu04:8nhNDa
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes (pid, process):
  2004 svchost28.exe

Loads dropped DLL (4 IoCs)
Processes (pid, process):
  1692 fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
  2004 svchost28.exe
  2004 svchost28.exe
  2004 svchost28.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network (flow, IoC):
  flow 5: ifconfig.me

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, process, target process):
  PID 1692 wrote to memory of 2004: 1692 fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe -> svchost28.exe
  PID 1692 wrote to memory of 2004: 1692 fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe -> svchost28.exe
  PID 1692 wrote to memory of 2004: 1692 fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe -> svchost28.exe
  PID 1692 wrote to memory of 2004: 1692 fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe -> svchost28.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svchost28.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost28.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\EASendMail20.dll
  Filesize: 188KB
  MD5: b337796d31768c809ea7377f81ca3cbb
  SHA1: 8134af8f80102d863d64f90d7d0264edc9abcabc
  SHA256: c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0
  SHA512: 0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a
- C:\Users\Admin\AppData\Local\Temp\SVCHOST28.EXE
  Filesize: 25KB
  MD5: 7cd436c3c9559344d908a01344661904
  SHA1: 04be3e0986bb2a6cf79072264cbb103d3ba9d070
  SHA256: 8dbfcdcb70f5f7f0ee8597d76f184e94257320cf28a84fcefbd5169a0cbdcc4d
  SHA512: 6db633ad3480d23a1e252b40cd7e2f569c7c3b4cd882df4ca2de3eeb3750de548c02461d0b0fef2ef4dd115f30ceb79f0c3911237bba8c377eec30a230d5ad58
- memory/2004-55-0x0000000000000000-mapping.dmp
- memory/2004-58-0x0000000076651000-0x0000000076653000-memory.dmp
  Filesize: 8KB
- memory/2004-59-0x0000000074B90000-0x000000007513B000-memory.dmp
  Filesize: 5.7MB
- memory/2004-64-0x0000000074B90000-0x000000007513B000-memory.dmp
  Filesize: 5.7MB