fa884c3d8c88bda57208bc3f485b1a2526056319a665c4e6f16692b65b03f994

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:32

Target

NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe
Size

71KB
MD5

ce8eac37a80a0ef29e5f1dfa58ba6d60
SHA1

49acd4af6edc9fda9cef10fc1d0c4358b978bb3a
SHA256

fa884c3d8c88bda57208bc3f485b1a2526056319a665c4e6f16692b65b03f994
SHA512

df0dda25bf0fa300c1d036aab6039c088b287d7c03c53e6803c5b78cab43aaadad65fed10e80d9b85037d7e5033f7397ac9b6354d09b608a6a934ae477ef244e
SSDEEP

1536:1DCFitszeGOsk8sne5u3SRtLsUEu5bc3TfaCQ0wN2wut:1DCoszVO1n+cShrmpW0

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2004	elevasg.exe

Loads dropped DLL 1 IoCs

pid	Process
1452	NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2004	1452	NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe	28
PID 1452 wrote to memory of 2004	1452	NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe	28
PID 1452 wrote to memory of 2004	1452	NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe	28
PID 1452 wrote to memory of 2004	1452	NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ce8eac37a80a0ef29e5f1dfa58ba6d60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\elevasg.exe
  C:\Users\Admin\AppData\Local\Temp\elevasg.exe
  2⤵
  - Executes dropped EXE
  PID:2004

C:\Users\Admin\AppData\Local\Temp\elevasg.exe

Filesize
72KB

MD5
8ffe2f9f16da45900d016421c354bcad

SHA1
26081b94bd0faca5087aaae98c2ad1a51fd6b439

SHA256
fc03455eedfad22c50c32c98beb84ca478ff86aa042df5b703240eec8eeb6f3c

SHA512
a2026846b5d1efa40e5238ed4560446706a5efcccf0dc48949123612142279c47ff12c4a321f7f857d71a63452725c330009be66dd20c937112f4b2638da26e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\elevasg.exe

Filesize
72KB

MD5
8ffe2f9f16da45900d016421c354bcad

SHA1
26081b94bd0faca5087aaae98c2ad1a51fd6b439

SHA256
fc03455eedfad22c50c32c98beb84ca478ff86aa042df5b703240eec8eeb6f3c

SHA512
a2026846b5d1efa40e5238ed4560446706a5efcccf0dc48949123612142279c47ff12c4a321f7f857d71a63452725c330009be66dd20c937112f4b2638da26e1

Download Submit
\Users\Admin\AppData\Local\Temp\elevasg.exe

Filesize
72KB

MD5
8ffe2f9f16da45900d016421c354bcad

SHA1
26081b94bd0faca5087aaae98c2ad1a51fd6b439

SHA256
fc03455eedfad22c50c32c98beb84ca478ff86aa042df5b703240eec8eeb6f3c

SHA512
a2026846b5d1efa40e5238ed4560446706a5efcccf0dc48949123612142279c47ff12c4a321f7f857d71a63452725c330009be66dd20c937112f4b2638da26e1

Download Submit
memory/1452-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2004-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download