e01bddee0cf6c5445204fbe3f064920162377801753adc61b6c9506f9d3db161

Analysis

max time kernel
158s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:38

Target

NEAS.c3b14779d0c045f02c663e4593524cd0.exe
Size

108KB
MD5

c3b14779d0c045f02c663e4593524cd0
SHA1

9b216017d1e6e2e573c8521105f93804e906ecb9
SHA256

e01bddee0cf6c5445204fbe3f064920162377801753adc61b6c9506f9d3db161
SHA512

7143581d6709445a76af2b9a9800ff05ae78c18b3f208ab39e7f49061c9d590205096267d92ef4337a5c732be6b50f9c49a314d10419bc29097a7093cf5eb83d
SSDEEP

1536:0M+yNStPY+z0mHkGDcIXQfTGWbh8UH9SZ47Qn/yo9dBK2jjB:tUlY+zlDcIXeTNH9SZ4uNB

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
5092	olacweegim.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	checkip.dyndns.org

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 5092	3088	NEAS.c3b14779d0c045f02c663e4593524cd0.exe	86
PID 3088 wrote to memory of 5092	3088	NEAS.c3b14779d0c045f02c663e4593524cd0.exe	86
PID 3088 wrote to memory of 5092	3088	NEAS.c3b14779d0c045f02c663e4593524cd0.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.c3b14779d0c045f02c663e4593524cd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c3b14779d0c045f02c663e4593524cd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\olacweegim.exe
  C:\Users\Admin\AppData\Local\Temp\olacweegim.exe
  2⤵
  - Executes dropped EXE
  PID:5092

C:\Users\Admin\AppData\Local\Temp\olacweegim.exe

Filesize
108KB

MD5
10eeffd29faa547373add6253bf7495c

SHA1
1f041b79c189f0f474d08d5927729a76b3619cf5

SHA256
6f1c1d993fb0381d2363d3f7e8c57fb268afefe60b48116368753d048d883bbe

SHA512
0f62ba332f11e92bfd4b12b2b3d416845c42dc65e61353bb47e56ffcf903944ba4f02f4e5a078a5bf25c8409ae10c3ca0be933ea63349903dbc7f270ddd1603b

Download Submit
C:\Users\Admin\AppData\Local\Temp\olacweegim.exe

Filesize
108KB

MD5
10eeffd29faa547373add6253bf7495c

SHA1
1f041b79c189f0f474d08d5927729a76b3619cf5

SHA256
6f1c1d993fb0381d2363d3f7e8c57fb268afefe60b48116368753d048d883bbe

SHA512
0f62ba332f11e92bfd4b12b2b3d416845c42dc65e61353bb47e56ffcf903944ba4f02f4e5a078a5bf25c8409ae10c3ca0be933ea63349903dbc7f270ddd1603b

Download Submit
memory/3088-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3088-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3088-6-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5092-7-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download