e01bddee0cf6c5445204fbe3f064920162377801753adc61b6c9506f9d3db161

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c3b14779d0c045f02c663e4593524cd0.exe
Size

108KB
MD5

c3b14779d0c045f02c663e4593524cd0
SHA1

9b216017d1e6e2e573c8521105f93804e906ecb9
SHA256

e01bddee0cf6c5445204fbe3f064920162377801753adc61b6c9506f9d3db161
SHA512

7143581d6709445a76af2b9a9800ff05ae78c18b3f208ab39e7f49061c9d590205096267d92ef4337a5c732be6b50f9c49a314d10419bc29097a7093cf5eb83d
SSDEEP

1536:0M+yNStPY+z0mHkGDcIXQfTGWbh8UH9SZ47Qn/yo9dBK2jjB:tUlY+zlDcIXeTNH9SZ4uNB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3000	olacweegim.exe

Loads dropped DLL 1 IoCs

pid	Process
1280	NEAS.c3b14779d0c045f02c663e4593524cd0.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 3000	1280	NEAS.c3b14779d0c045f02c663e4593524cd0.exe	28
PID 1280 wrote to memory of 3000	1280	NEAS.c3b14779d0c045f02c663e4593524cd0.exe	28
PID 1280 wrote to memory of 3000	1280	NEAS.c3b14779d0c045f02c663e4593524cd0.exe	28
PID 1280 wrote to memory of 3000	1280	NEAS.c3b14779d0c045f02c663e4593524cd0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.c3b14779d0c045f02c663e4593524cd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c3b14779d0c045f02c663e4593524cd0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\olacweegim.exe
  C:\Users\Admin\AppData\Local\Temp\olacweegim.exe
  2⤵
  - Executes dropped EXE
  PID:3000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\olacweegim.exe

Filesize
108KB

MD5
10eeffd29faa547373add6253bf7495c

SHA1
1f041b79c189f0f474d08d5927729a76b3619cf5

SHA256
6f1c1d993fb0381d2363d3f7e8c57fb268afefe60b48116368753d048d883bbe

SHA512
0f62ba332f11e92bfd4b12b2b3d416845c42dc65e61353bb47e56ffcf903944ba4f02f4e5a078a5bf25c8409ae10c3ca0be933ea63349903dbc7f270ddd1603b

Download Submit
C:\Users\Admin\AppData\Local\Temp\olacweegim.exe

Filesize
108KB

MD5
10eeffd29faa547373add6253bf7495c

SHA1
1f041b79c189f0f474d08d5927729a76b3619cf5

SHA256
6f1c1d993fb0381d2363d3f7e8c57fb268afefe60b48116368753d048d883bbe

SHA512
0f62ba332f11e92bfd4b12b2b3d416845c42dc65e61353bb47e56ffcf903944ba4f02f4e5a078a5bf25c8409ae10c3ca0be933ea63349903dbc7f270ddd1603b

Download Submit
\Users\Admin\AppData\Local\Temp\olacweegim.exe

Filesize
108KB

MD5
10eeffd29faa547373add6253bf7495c

SHA1
1f041b79c189f0f474d08d5927729a76b3619cf5

SHA256
6f1c1d993fb0381d2363d3f7e8c57fb268afefe60b48116368753d048d883bbe

SHA512
0f62ba332f11e92bfd4b12b2b3d416845c42dc65e61353bb47e56ffcf903944ba4f02f4e5a078a5bf25c8409ae10c3ca0be933ea63349903dbc7f270ddd1603b

Download Submit
memory/1280-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1280-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1280-7-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3000-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3000-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download