1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 21:44

Target

1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076.exe
Size

33KB
MD5

953879f31f528b8e6b7fd2bbcf5f2c10
SHA1

ad4484261501b4ea0a89ce235d32c9bf3176b26e
SHA256

1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076
SHA512

81af562163560234de85e335ac1ef8b38f21c9053ee7f1e4b5e911d0a8fdff07595d0d5acc214125ae9c4fdcee3560c1c2820fb35c463aec08b362a5d143afaa
SSDEEP

768:0KbY6Uwo3pPT1+4CFYdMhiXG6hTWvYDS/JLt+3RJQ:n2he4CFYVJhTWvYDS/JLt+ha

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
3036	Nikorabip.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	icanhazip.com

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 3036	676	1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076.exe	82
PID 676 wrote to memory of 3036	676	1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076.exe	82
PID 676 wrote to memory of 3036	676	1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076.exe	82

C:\Users\Admin\AppData\Local\Temp\1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076.exe
"C:\Users\Admin\AppData\Local\Temp\1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\Nikorabip.exe
  C:\Users\Admin\AppData\Local\Temp\Nikorabip.exe
  2⤵
  - Executes dropped EXE
  PID:3036

C:\Users\Admin\AppData\Local\Temp\Nikorabip.exe

Filesize
33KB

MD5
953879f31f528b8e6b7fd2bbcf5f2c10

SHA1
ad4484261501b4ea0a89ce235d32c9bf3176b26e

SHA256
1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076

SHA512
81af562163560234de85e335ac1ef8b38f21c9053ee7f1e4b5e911d0a8fdff07595d0d5acc214125ae9c4fdcee3560c1c2820fb35c463aec08b362a5d143afaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nikorabip.exe

Filesize
33KB

MD5
953879f31f528b8e6b7fd2bbcf5f2c10

SHA1
ad4484261501b4ea0a89ce235d32c9bf3176b26e

SHA256
1a204de3ae362e37c0e81f1e2e5cbc00b518ad35c98573b3e0ab3cbdc2a4a076

SHA512
81af562163560234de85e335ac1ef8b38f21c9053ee7f1e4b5e911d0a8fdff07595d0d5acc214125ae9c4fdcee3560c1c2820fb35c463aec08b362a5d143afaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nksetup.log

Filesize
206B

MD5
a09880d2aaa70aefe98ded208e29011f

SHA1
b11b9d39ed0a337cf6060274ee7681b758f6cccc

SHA256
c8fb951c4bcc8aaa66f70dd8174b027eda2118c33432acb59a1dec945e437cbd

SHA512
1ca62378cd098ebe5691a85294b6e712977ec410388b0ccb761f83f5e4449d7350d7b31f46314be6efd91a8e84ea6fdf399a7aa9af0daa07f3749676f31acc3d

Download Submit
memory/676-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3036-137-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download