170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 21:02

Target

170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe
Size

59KB
MD5

6a82d83d561949f77a0b4e9d529ec19e
SHA1

80baddf85b8de653f3257590513c94452e133de1
SHA256

170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b
SHA512

e048c61cfe4eb3c75abf882505fed53b799811570723e40a6f5d615cd5572d8340d63417c829b1b7447027c2a1367d316c31371e5c3c9c3d898c9e78537268d6
SSDEEP

1536:0M6478/JKvXnLI0Cu9VwH5pFrwL2hrvZaMtHQrwzg:tV7IJKfku9CH5wf

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2888	ekrakdeep.exe

Loads dropped DLL 1 IoCs

pid	Process
1796	170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2888	1796	170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe	28
PID 1796 wrote to memory of 2888	1796	170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe	28
PID 1796 wrote to memory of 2888	1796	170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe	28
PID 1796 wrote to memory of 2888	1796	170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe	28

C:\Users\Admin\AppData\Local\Temp\170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe
"C:\Users\Admin\AppData\Local\Temp\170bc2d2ea2cd61c564157788dede16026e4d51fe162503306c8f01c204e154b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\ekrakdeep.exe
  C:\Users\Admin\AppData\Local\Temp\ekrakdeep.exe
  2⤵
  - Executes dropped EXE
  PID:2888

C:\Users\Admin\AppData\Local\Temp\ekrakdeep.exe

Filesize
60KB

MD5
da2e9dab096e5f8d39e13c75698db385

SHA1
850154c8e86a025294cdde0fd16019e4b2a50bcb

SHA256
041c7f526a7c580c5f7ee865e3ade423626aedeb50fd31bb527d54c713cef5ea

SHA512
6466f3d7947e6ff95e9da20b28c204281a34c6c6a0b88fc65add52b5633541c44b5ba42976c7a4eb3fa183282194036404f3047c5bf49d1adeb65b47700e0570

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekrakdeep.exe

Filesize
10KB

MD5
742db5af7c2b2325e8d51e40a1013a31

SHA1
3723fa2c9f54214088f74796f0a453a0d6eaaf66

SHA256
9ac0c0df973cade9a697dbbd454e33d3a17b5c211fa8a6b6ac7d3216a5c73cb3

SHA512
4f26dc42ec39ab1f668290a4442e13cf4363f72ea97367a953f5dd1324b88ef0270970c7bbbf74cb91e8cf1b7af8661288931857545322d6cee6638340e868ae

Download Submit
\Users\Admin\AppData\Local\Temp\ekrakdeep.exe

Filesize
54KB

MD5
d4337fe762bc5c985ec2436efceed20c

SHA1
4382ad1fe3f964b246fbd38baf9cf7d848e8068c

SHA256
6f6912f15065dd786c95ab2bdc3825c811246ac18e1f143f1502b177c0278dd4

SHA512
640147ba09bb8d6cc66c4650a78753ee8b2ffd817a597a31d74d81085d9665c5c0109f87426d39ebfac3ed09d42df670ccfe57ab8068ba126465cae02d4102f3

Download Submit
memory/1796-2-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1796-0-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2888-9-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2888-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download