cd80bceaa136b8e65c69382a3362f9a4798c24237010a1b4d04ba984d769367b

Analysis

max time kernel
146s
max time network
157s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6c116796940cff6cc49e8726a4399900.exe
Size

41KB
MD5

6c116796940cff6cc49e8726a4399900
SHA1

07811099d9460eb773c633deca208f4156cbf946
SHA256

cd80bceaa136b8e65c69382a3362f9a4798c24237010a1b4d04ba984d769367b
SHA512

17d10e768eaced483b5118613c6e7924d6539e20f5cfeef3d90c42d5b8b4ed2e49bfbf795f1c8e83c2e86e66912683fa4dd83c02ba06495f7125a8bcc49de1db
SSDEEP

768:s+pWrOOfbMUI4ybFrcUtxLKxouHd5slovvlLuzTUy:s+pWrvI+UFrjxWxo45slovte7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2488	dylkemi.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	NEAS.6c116796940cff6cc49e8726a4399900.exe
2904	NEAS.6c116796940cff6cc49e8726a4399900.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2488	2904	NEAS.6c116796940cff6cc49e8726a4399900.exe	28
PID 2904 wrote to memory of 2488	2904	NEAS.6c116796940cff6cc49e8726a4399900.exe	28
PID 2904 wrote to memory of 2488	2904	NEAS.6c116796940cff6cc49e8726a4399900.exe	28
PID 2904 wrote to memory of 2488	2904	NEAS.6c116796940cff6cc49e8726a4399900.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.6c116796940cff6cc49e8726a4399900.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6c116796940cff6cc49e8726a4399900.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\dylkemi.exe
  C:\Users\Admin\AppData\Local\Temp\dylkemi.exe
  2⤵
  - Executes dropped EXE
  PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dylkemi.exe

Filesize
41KB

MD5
d0faee5097d2f4dd9527e2f35e2cc177

SHA1
79018c6d3afd8e4d2a7435ff14a7aab332736c12

SHA256
a80779248d38b6ddb4bd37c4b1d27363aa397c66a2e22a03bffdb12241b9a337

SHA512
31c91336ec6debfbb72e3c956cdcfad7216d8ea2e7c5f3b11d3ddc59bf11ea1b746247c57ce7d9af45417822a3b75aa4f44304f44e65a9092a182533c61ee441

Download Submit
C:\Users\Admin\AppData\Local\Temp\dylkemi.exe

Filesize
41KB

MD5
d0faee5097d2f4dd9527e2f35e2cc177

SHA1
79018c6d3afd8e4d2a7435ff14a7aab332736c12

SHA256
a80779248d38b6ddb4bd37c4b1d27363aa397c66a2e22a03bffdb12241b9a337

SHA512
31c91336ec6debfbb72e3c956cdcfad7216d8ea2e7c5f3b11d3ddc59bf11ea1b746247c57ce7d9af45417822a3b75aa4f44304f44e65a9092a182533c61ee441

Download Submit
C:\Users\Admin\AppData\Local\Temp\dylkemi.exe

Filesize
41KB

MD5
d0faee5097d2f4dd9527e2f35e2cc177

SHA1
79018c6d3afd8e4d2a7435ff14a7aab332736c12

SHA256
a80779248d38b6ddb4bd37c4b1d27363aa397c66a2e22a03bffdb12241b9a337

SHA512
31c91336ec6debfbb72e3c956cdcfad7216d8ea2e7c5f3b11d3ddc59bf11ea1b746247c57ce7d9af45417822a3b75aa4f44304f44e65a9092a182533c61ee441

Download Submit
\Users\Admin\AppData\Local\Temp\dylkemi.exe

Filesize
41KB

MD5
d0faee5097d2f4dd9527e2f35e2cc177

SHA1
79018c6d3afd8e4d2a7435ff14a7aab332736c12

SHA256
a80779248d38b6ddb4bd37c4b1d27363aa397c66a2e22a03bffdb12241b9a337

SHA512
31c91336ec6debfbb72e3c956cdcfad7216d8ea2e7c5f3b11d3ddc59bf11ea1b746247c57ce7d9af45417822a3b75aa4f44304f44e65a9092a182533c61ee441

Download Submit
\Users\Admin\AppData\Local\Temp\dylkemi.exe

Filesize
41KB

MD5
d0faee5097d2f4dd9527e2f35e2cc177

SHA1
79018c6d3afd8e4d2a7435ff14a7aab332736c12

SHA256
a80779248d38b6ddb4bd37c4b1d27363aa397c66a2e22a03bffdb12241b9a337

SHA512
31c91336ec6debfbb72e3c956cdcfad7216d8ea2e7c5f3b11d3ddc59bf11ea1b746247c57ce7d9af45417822a3b75aa4f44304f44e65a9092a182533c61ee441

Download Submit
memory/2488-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2904-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download