26e8a33e9b1a5c28e2ef437b76f61092a938be3cdc33eeeafdcbfad720db889f

Analysis

max time kernel
143s
max time network
152s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.43930932fb920113068324333c8ce380.exe
Size

44KB
MD5

43930932fb920113068324333c8ce380
SHA1

be7fab5a556d57d496b9ec816559676a194e26ee
SHA256

26e8a33e9b1a5c28e2ef437b76f61092a938be3cdc33eeeafdcbfad720db889f
SHA512

e0a70358ec950c4517cf9757961aec67a7219ac5b7d8fbf6df1c50844bb2c09a392fd16a22ba237da52737e14de62e49aa80255317757379ded22e030debb5f6
SSDEEP

768:GyGdGZFGkI4W35hE49sUFFzBeGSPQJ5HzaW8Bv8nKgcjDG7q8wHG:GyGd+M35hE49sUFFzBFj0G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1168	foodwic.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	NEAS.43930932fb920113068324333c8ce380.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1168	1956	NEAS.43930932fb920113068324333c8ce380.exe	28
PID 1956 wrote to memory of 1168	1956	NEAS.43930932fb920113068324333c8ce380.exe	28
PID 1956 wrote to memory of 1168	1956	NEAS.43930932fb920113068324333c8ce380.exe	28
PID 1956 wrote to memory of 1168	1956	NEAS.43930932fb920113068324333c8ce380.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.43930932fb920113068324333c8ce380.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.43930932fb920113068324333c8ce380.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\foodwic.exe
  C:\Users\Admin\AppData\Local\Temp\foodwic.exe
  2⤵
  - Executes dropped EXE
  PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\foodwic.exe

Filesize
44KB

MD5
4c56e693df8485edfc5be52e5111761a

SHA1
797606d806c41a40df232021bbb07e66789f3f3d

SHA256
7cb2f48c7906335dca57a59d5029be3d1f96c7ff6720929d8b6ccaf4f4ecd270

SHA512
c349688d28c04572fd8d179c5b3ac744fb7490f1de46c2a0011d344d5f07728bed6b0f0e78c0e85d3fbfcedd11f305e9de8a273e09f63578bd1c37ea83b5bfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\foodwic.exe

Filesize
44KB

MD5
4c56e693df8485edfc5be52e5111761a

SHA1
797606d806c41a40df232021bbb07e66789f3f3d

SHA256
7cb2f48c7906335dca57a59d5029be3d1f96c7ff6720929d8b6ccaf4f4ecd270

SHA512
c349688d28c04572fd8d179c5b3ac744fb7490f1de46c2a0011d344d5f07728bed6b0f0e78c0e85d3fbfcedd11f305e9de8a273e09f63578bd1c37ea83b5bfc1

Download Submit
\Users\Admin\AppData\Local\Temp\foodwic.exe

Filesize
44KB

MD5
4c56e693df8485edfc5be52e5111761a

SHA1
797606d806c41a40df232021bbb07e66789f3f3d

SHA256
7cb2f48c7906335dca57a59d5029be3d1f96c7ff6720929d8b6ccaf4f4ecd270

SHA512
c349688d28c04572fd8d179c5b3ac744fb7490f1de46c2a0011d344d5f07728bed6b0f0e78c0e85d3fbfcedd11f305e9de8a273e09f63578bd1c37ea83b5bfc1

Download Submit
memory/1168-6-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1168-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-9-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1168-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1956-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download