119637eb8e712f2c99c0bbbbd05fe44d202642e4a800e070d1377d960ea9ef85

Analysis

max time kernel
151s
max time network
182s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 20:22

Target

NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe
Size

81KB
MD5

e8c7f1809000bb408a147b894f4bc1c0
SHA1

d9b602ae799597e86c2679c9535c8e6c924da7c4
SHA256

119637eb8e712f2c99c0bbbbd05fe44d202642e4a800e070d1377d960ea9ef85
SHA512

bc315a359b8d84742ac5b7827b09f4c6e03db73d5138e7a2a7587652c660d8f836440b276539290f128962c8fd31d01a55a3151993cf3792353aa214519e2218
SSDEEP

1536:ZbZIzUxJrU6HkhEoO6Bk8Zy9e9+HGtTXsg4A:ZbpxJrFCnyY9+AXsg4A

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1940	wavitoh.exe

Loads dropped DLL 1 IoCs

pid	Process
1296	NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1940	1296	NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe	28
PID 1296 wrote to memory of 1940	1296	NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe	28
PID 1296 wrote to memory of 1940	1296	NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe	28
PID 1296 wrote to memory of 1940	1296	NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e8c7f1809000bb408a147b894f4bc1c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\wavitoh.exe
  C:\Users\Admin\AppData\Local\Temp\wavitoh.exe
  2⤵
  - Executes dropped EXE
  PID:1940

C:\Users\Admin\AppData\Local\Temp\wavitoh.exe

Filesize
81KB

MD5
cf185675242fee9a5c52cca3c11615ff

SHA1
269cc89b3bb89e0ab0d957b8392db722287b8bd8

SHA256
26da492c7c8f52564af245880f36d904c2bfad6fef6f98ab7cfa8406f9bdaf57

SHA512
64d38041e3f73885e19a72bdcaea360ae57bd81a7fa6eef3a65383fbb144845238396c34aa7682915891233de309d314f44da3e83b5703dfb6c871a7ca32d769

Download Submit
C:\Users\Admin\AppData\Local\Temp\wavitoh.exe

Filesize
81KB

MD5
cf185675242fee9a5c52cca3c11615ff

SHA1
269cc89b3bb89e0ab0d957b8392db722287b8bd8

SHA256
26da492c7c8f52564af245880f36d904c2bfad6fef6f98ab7cfa8406f9bdaf57

SHA512
64d38041e3f73885e19a72bdcaea360ae57bd81a7fa6eef3a65383fbb144845238396c34aa7682915891233de309d314f44da3e83b5703dfb6c871a7ca32d769

Download Submit
\Users\Admin\AppData\Local\Temp\wavitoh.exe

Filesize
81KB

MD5
cf185675242fee9a5c52cca3c11615ff

SHA1
269cc89b3bb89e0ab0d957b8392db722287b8bd8

SHA256
26da492c7c8f52564af245880f36d904c2bfad6fef6f98ab7cfa8406f9bdaf57

SHA512
64d38041e3f73885e19a72bdcaea360ae57bd81a7fa6eef3a65383fbb144845238396c34aa7682915891233de309d314f44da3e83b5703dfb6c871a7ca32d769

Download Submit
memory/1296-3-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1296-8-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1940-7-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download