6f7a008a023a9b1ecd9f6c689aa3addd590e5848b33fd0df734d577bbee1ea71

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 19:40

Target

NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe
Size

73KB
MD5

1bb33586e65eb27ec57e1c86a50feb80
SHA1

68ed8432d30b90015df54a0020327028ebe3da72
SHA256

6f7a008a023a9b1ecd9f6c689aa3addd590e5848b33fd0df734d577bbee1ea71
SHA512

5580aa4451b9485a39256471d01b6264b0f624b24c4ef8ff69ac0450d220a0052d865d7e3c94246626c910c99f12405464e91512df603c5f7064c7af46678eba
SSDEEP

1536:FjHZ2rfOTrOUkrhe9drWVoLmcYXV/O16nvaHWDRin:XOOT39drW6LmcYXVlnvk7

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2056	antifahib.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2056	3040	NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe	28
PID 3040 wrote to memory of 2056	3040	NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe	28
PID 3040 wrote to memory of 2056	3040	NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe	28
PID 3040 wrote to memory of 2056	3040	NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1bb33586e65eb27ec57e1c86a50feb80.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\antifahib.exe
  C:\Users\Admin\AppData\Local\Temp\antifahib.exe
  2⤵
  - Executes dropped EXE
  PID:2056

C:\Users\Admin\AppData\Local\Temp\antifahib.exe

Filesize
73KB

MD5
01a158c0b1d7faafd64cc4412ed0a3a9

SHA1
e14350b2a1f5da3ed7dd60973f24339297853670

SHA256
34f4f7c55ff6280ddbabb07f391f6ca43916297109abf90bbaf7d572357c1fca

SHA512
c84717ed4dbe1067f432a550e7f9d07833f682983cef6a9111bf431b24a3e70fd49e4aede62517659937ddf462146a8138d8ccbf3f880ad95b3b30bf1888a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\antifahib.exe

Filesize
73KB

MD5
01a158c0b1d7faafd64cc4412ed0a3a9

SHA1
e14350b2a1f5da3ed7dd60973f24339297853670

SHA256
34f4f7c55ff6280ddbabb07f391f6ca43916297109abf90bbaf7d572357c1fca

SHA512
c84717ed4dbe1067f432a550e7f9d07833f682983cef6a9111bf431b24a3e70fd49e4aede62517659937ddf462146a8138d8ccbf3f880ad95b3b30bf1888a23d

Download Submit
\Users\Admin\AppData\Local\Temp\antifahib.exe

Filesize
73KB

MD5
01a158c0b1d7faafd64cc4412ed0a3a9

SHA1
e14350b2a1f5da3ed7dd60973f24339297853670

SHA256
34f4f7c55ff6280ddbabb07f391f6ca43916297109abf90bbaf7d572357c1fca

SHA512
c84717ed4dbe1067f432a550e7f9d07833f682983cef6a9111bf431b24a3e70fd49e4aede62517659937ddf462146a8138d8ccbf3f880ad95b3b30bf1888a23d

Download Submit
memory/2056-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download