37c7ba11c821061ff557b01c363bfd7ec1ed21d5c61c658e050f7c06b8b15d73

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe
Size

202KB
MD5

a4e4b05456d5f436ce91362048f5bd88
SHA1

a7a99b3258d136788ee9737a3b5d848b723c90ed
SHA256

37c7ba11c821061ff557b01c363bfd7ec1ed21d5c61c658e050f7c06b8b15d73
SHA512

9e037944c99e3892e4857958c54d0ef44a7d7d8098e046e7df01e5fc2d2e1796f2bd8fd6683de00100357f48b7ca117b99691fd24291456dc3c0121a11728e18
SSDEEP

1536:bXBmHj/428VMTwvY3vT3ZpTha581w8WlmoL8vA:bXgE28mTwvY73Zhha5IvoL8o

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ab9c289d\jusched.exe	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe
File created	C:\Program Files (x86)\ab9c289d\ab9c289d	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe
File created	C:\Program Files (x86)\ab9c289d\info_a	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2200	2576	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe	95
PID 2576 wrote to memory of 2200	2576	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe	95
PID 2576 wrote to memory of 2200	2576	NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a4e4b05456d5f436ce91362048f5bd88_JC.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\ab9c289d\jusched.exe
  "C:\Program Files (x86)\ab9c289d\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ab9c289d\ab9c289d

Filesize
17B

MD5
ff323a10557ed49cf5c59a277579ae45

SHA1
de64360ad4e3ea906b3b1e733975e75faa5a584e

SHA256
d8ba4de3c9ce2f2ee152b3905563f84af1d21df3e66065f3d549f25619bde779

SHA512
13747cad49a2aebb312975df6c8d6168994370ca680ce0996bfcf6f4bf5832e9468cfe6c35917bf069d0283add81b59b565d4dfa59dc3b25a9a7ace093912a39

Download Submit
C:\Program Files (x86)\ab9c289d\info_a

Filesize
12B

MD5
f87339493c88bcfe1b092017cad18653

SHA1
718cd856429570c02105efbbe7390d087870e20d

SHA256
a191694fa44e9b50a08c6cc85b5ed1f6348ae509660734f3c46fd78b6df43860

SHA512
1ac5a4edcffaf2e3b711225479ed45366dbca7b2d8fdfa1a08583c0e8e904397f18d4d40b065e771aefe82e043fa42cff768103d06555c5280e803c458e2ccd4

Download Submit
C:\Program Files (x86)\ab9c289d\jusched.exe

Filesize
202KB

MD5
25098f0251f820be9949b856908a4f52

SHA1
d36096dda055f7a10d3592bb88802ed1f8c29f33

SHA256
ae60e88acf2258ccaee4c996606368ca4fd4eb110299c0817b562e4213b61cba

SHA512
1f5839b87ea0d5b05c3ee26e0c3e438ce1942fc9449c0ab3035abcc4d9c0c8ddf9c4299f8603c61ef7df9ff56bf10303461cfe614c45d2138d25a0ba8ea42559

Download Submit
C:\Program Files (x86)\ab9c289d\jusched.exe

Filesize
202KB

MD5
25098f0251f820be9949b856908a4f52

SHA1
d36096dda055f7a10d3592bb88802ed1f8c29f33

SHA256
ae60e88acf2258ccaee4c996606368ca4fd4eb110299c0817b562e4213b61cba

SHA512
1f5839b87ea0d5b05c3ee26e0c3e438ce1942fc9449c0ab3035abcc4d9c0c8ddf9c4299f8603c61ef7df9ff56bf10303461cfe614c45d2138d25a0ba8ea42559

Download Submit
C:\Program Files (x86)\ab9c289d\jusched.exe

Filesize
202KB

MD5
25098f0251f820be9949b856908a4f52

SHA1
d36096dda055f7a10d3592bb88802ed1f8c29f33

SHA256
ae60e88acf2258ccaee4c996606368ca4fd4eb110299c0817b562e4213b61cba

SHA512
1f5839b87ea0d5b05c3ee26e0c3e438ce1942fc9449c0ab3035abcc4d9c0c8ddf9c4299f8603c61ef7df9ff56bf10303461cfe614c45d2138d25a0ba8ea42559

Download Submit