00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 18:07

Target

00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe
Size

54KB
MD5

63ed976529961a40fd82a1f8a86b4a72
SHA1

2e2f572edae5b7f665b2998f178727a25445d63a
SHA256

00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef
SHA512

a5403375c189ce05f0b489589f50823035e9b250fdff4d490ec6f663e6f45b1a45c5a15e27334404ef68cb91070045378606439876e8f6d9484d16b25e02c4c9
SSDEEP

1536:0AfXclvQUl4AS0j6zEiI84zezXggSQdwC:08clvQUuI84zezwgv

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2216	vusjeson.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2216	1972	00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe	28
PID 1972 wrote to memory of 2216	1972	00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe	28
PID 1972 wrote to memory of 2216	1972	00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe	28
PID 1972 wrote to memory of 2216	1972	00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe	28

C:\Users\Admin\AppData\Local\Temp\00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe
"C:\Users\Admin\AppData\Local\Temp\00eac7be0da7582399e99795feed1b2788048793e9cd001dcca76517ed776eef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\vusjeson.exe
  C:\Users\Admin\AppData\Local\Temp\vusjeson.exe
  2⤵
  - Executes dropped EXE
  PID:2216

\Users\Admin\AppData\Local\Temp\vusjeson.exe

Filesize
55KB

MD5
523f549ce2114e1ab67462cdc161f70f

SHA1
4f3e11f66a1e158a7fd931db59afb833fc0562b6

SHA256
715406f7661ab4b86e3e1957f8135b5a00037f1c30ba596af5e17cabe8df1a7f

SHA512
3b5cc307821d1123f1e2f3ead31460a3c8eca578cad0696fe3691fe6d6fd8c308cd89daa021a37d78e0f685c73321cbad764252ace5d0c416f0ed542e0acaa42

Download Submit
memory/1972-1-0x0000000000403000-0x0000000000405000-memory.dmp

Filesize
8KB

Download
memory/2216-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download