fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908

Analysis

max time kernel
257s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
Size

255KB
MD5

44c9807aa44621e88c03a0942a434030
SHA1

e29314c86afe3d59bb86b09a537f8113cc98d553
SHA256

fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908
SHA512

59b4988563ac7f5170253771610a70b349bb7ed50f4523d337441ee083623c2018ccc787f966a7aa88d8464125d476f664d2773864d25d63cf3ef250550d64d8
SSDEEP

6144:8nhGHSKB6XHABgukwVEfXym375ZtSZXiu04:8nhNDa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost28.exe

pid process

3656 svchost28.exe
Loads dropped DLL 4 IoCs

Processes:

svchost28.exe

pid process

3656 svchost28.exe
3656 svchost28.exe
3656 svchost28.exe
3656 svchost28.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

67 ifconfig.me
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost28.exe

description pid process

Token: SeDebugPrivilege 3656 svchost28.exe

pid	process
3656	svchost28.exe

pid	process
3656	svchost28.exe
3656	svchost28.exe
3656	svchost28.exe
3656	svchost28.exe

flow	ioc
67	ifconfig.me

description	pid	process
Token: SeDebugPrivilege	3656	svchost28.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe

description	pid	process	target process
PID 1492 wrote to memory of 3656	1492	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe	svchost28.exe
PID 1492 wrote to memory of 3656	1492	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe	svchost28.exe
PID 1492 wrote to memory of 3656	1492	fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe	svchost28.exe

C:\Users\Admin\AppData\Local\Temp\fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe
"C:\Users\Admin\AppData\Local\Temp\fe49c5d18165c52674962d40149be194cbd2c373f130de73b6e98fd9dc536908.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\svchost28.exe
"C:\Users\Admin\AppData\Local\Temp\svchost28.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EASENDMAIL20.DLL

Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EASENDMAIL20.DLL

Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EASENDMAIL20.DLL

Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EASENDMAIL20.DLL

Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EASendMail20.dll

Filesize
188KB

MD5
b337796d31768c809ea7377f81ca3cbb

SHA1
8134af8f80102d863d64f90d7d0264edc9abcabc

SHA256
c5464b2a721d073b5588afa8483d53f4939127bd88f10deb3a094bcc1b0297e0

SHA512
0a3d45e55dcec482e05a689b4b9cbe66f566641ade27003ca5f9428154ef0e58f91b4f0322aa749d7839e8b10aeb89ce29bcc2fcc28006dc271db585477fd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST28.EXE

Filesize
25KB

MD5
7cd436c3c9559344d908a01344661904

SHA1
04be3e0986bb2a6cf79072264cbb103d3ba9d070

SHA256
8dbfcdcb70f5f7f0ee8597d76f184e94257320cf28a84fcefbd5169a0cbdcc4d

SHA512
6db633ad3480d23a1e252b40cd7e2f569c7c3b4cd882df4ca2de3eeb3750de548c02461d0b0fef2ef4dd115f30ceb79f0c3911237bba8c377eec30a230d5ad58

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost28.exe

Filesize
25KB

MD5
7cd436c3c9559344d908a01344661904

SHA1
04be3e0986bb2a6cf79072264cbb103d3ba9d070

SHA256
8dbfcdcb70f5f7f0ee8597d76f184e94257320cf28a84fcefbd5169a0cbdcc4d

SHA512
6db633ad3480d23a1e252b40cd7e2f569c7c3b4cd882df4ca2de3eeb3750de548c02461d0b0fef2ef4dd115f30ceb79f0c3911237bba8c377eec30a230d5ad58

Download Submit
memory/3656-132-0x0000000000000000-mapping.dmp

Download
memory/3656-135-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download
memory/3656-136-0x0000000074730000-0x0000000074CE1000-memory.dmp

Filesize
5.7MB

Download