e1641ea6d6652d726900216b94dd17ad59127879bd6de37bed55b8d9005049d0

Analysis

max time kernel
152s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 06:07

Target

42f25d8b16c1f6e6816c16d5200d09f4.exe
Size

101KB
MD5

42f25d8b16c1f6e6816c16d5200d09f4
SHA1

12d31cd7b317c8dfb81f042ad29cc38456486c2b
SHA256

e1641ea6d6652d726900216b94dd17ad59127879bd6de37bed55b8d9005049d0
SHA512

2f0ef3203e395b791093a300596fd3d69ce554e7ac8ad5589ed7ec1973d2a28716a034b18b73f9f066075953d2ef2bbf606d8850678e175882768220dfd0b4de
SSDEEP

1536:6ewZnxbj25f+rPfK5kL9EhuVshhyXT5YXRtqcspaDwx1pP:DwBxbCB+DR9RV35YXRnspIG1x

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
976	vadftol.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	icanhazip.com

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 976	1252	42f25d8b16c1f6e6816c16d5200d09f4.exe	43
PID 1252 wrote to memory of 976	1252	42f25d8b16c1f6e6816c16d5200d09f4.exe	43
PID 1252 wrote to memory of 976	1252	42f25d8b16c1f6e6816c16d5200d09f4.exe	43

C:\Users\Admin\AppData\Local\Temp\42f25d8b16c1f6e6816c16d5200d09f4.exe
"C:\Users\Admin\AppData\Local\Temp\42f25d8b16c1f6e6816c16d5200d09f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\vadftol.exe
  C:\Users\Admin\AppData\Local\Temp\vadftol.exe
  2⤵
  - Executes dropped EXE
  PID:976

C:\Users\Admin\AppData\Local\Temp\vadftol.exe

Filesize
22KB

MD5
d434a26d20cb1d1d5c3e7b7bc27cb9c9

SHA1
5c6c4d49e54f5b1101cc2b2b47eddca057460c87

SHA256
ffc85b90d2e9afbe4eef8bbef177111f9282a54032d1837b6d67fa21d44c3d15

SHA512
bdb253d902963e99ffba7035c3c90385cdb23702bfcff15b4c26ec5fdc9e7e5a9df96e66a15549572bc218bf4e8fe8e08911b4836116c8e4926a097d37aca97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vadftol.exe

Filesize
49KB

MD5
efcbeb7fdcc81e63b613e1b0fd05ea8c

SHA1
17449efbf1d94c8b00e623e2e7161ba33a8b55c2

SHA256
a1464c2902dd6d902a6caacade2777655f1f7c39a81d3fafde3c6ec14388b4b7

SHA512
f72a57e29f000e14b4447e81ebd1c21b310942484a1c8d3247b1ec4170ef5097d635a295d160410b555db97a082f12586aac0184f0083cf437c5710070918436

Download Submit
memory/976-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/976-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1252-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1252-1-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1252-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download