5fa2b362de42586f08af6fb4445a58868601845840ac4064475dc353b84c2665

General

Target

NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe
Size

208KB
MD5

0bbbc5e47937e28aecce4004803806b0
SHA1

e96287b7731a41d7c723677247c402f5d82620eb
SHA256

5fa2b362de42586f08af6fb4445a58868601845840ac4064475dc353b84c2665
SHA512

d79c7bb89aa6ab22fc07834fc780fed504c669e35a0bcb8abb62050f0cbcf828016bc383d573485c00005239d3895860fa522abdd928315f9e62818d4a0d33ad
SSDEEP

3072:Hhemx1BYz3aXICXibLJ8W/viu5Mt1/pisTMyFocq4NLthEjQT6j:HAeBYz3aXICXsGA3mj/pisPqQEj1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1132	JTBF.exe

Loads dropped DLL 2 IoCs

pid	Process
1080	cmd.exe
1080	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\JTBF.exe	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe
File opened for modification	C:\windows\SysWOW64\JTBF.exe	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe
File created	C:\windows\SysWOW64\JTBF.exe.bat	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2952	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe
1132	JTBF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2952	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe
2952	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe
1132	JTBF.exe
1132	JTBF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1080	2952	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe	28
PID 2952 wrote to memory of 1080	2952	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe	28
PID 2952 wrote to memory of 1080	2952	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe	28
PID 2952 wrote to memory of 1080	2952	NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe	28
PID 1080 wrote to memory of 1132	1080	cmd.exe	30
PID 1080 wrote to memory of 1132	1080	cmd.exe	30
PID 1080 wrote to memory of 1132	1080	cmd.exe	30
PID 1080 wrote to memory of 1132	1080	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0bbbc5e47937e28aecce4004803806b0_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\JTBF.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\windows\SysWOW64\JTBF.exe
    C:\windows\system32\JTBF.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JTBF.exe

Filesize
208KB

MD5
381d0033f66d58afc734a110723a58ca

SHA1
7a5483371ecee9a0462d83f7f727a710a64bb021

SHA256
70a6f696a64cbb8d3cc5607e3921deebf4cc14dedc12ba6a1f6901d4f71dc552

SHA512
54fb32553cc66995e0fbe7714835d3e6479e71c0272d3b04cb9ce855b4787c3556e1640a8095ec04408caf4660d4eb548fdfd9ad69ed00a1fe66fce3f041a800

Download Submit
C:\Windows\SysWOW64\JTBF.exe.bat

Filesize
72B

MD5
dba8544594dc970b2d87a0c6e0736637

SHA1
0227b9b3fcc4de93d9ee16a56bd3e3778c2bf747

SHA256
6161ab91f5bc830092324b5803fb9c759843a8931fb918c6b70ba55fdf882fea

SHA512
f19a268c3de4b1b74a14f88629399e63a47e9a5a84c3ec9cc18b6a8dc237edd17e040750ba3afb8037134245c67b06d86cf9c25a6eab1b92cebf90c58f7956e3

Download Submit
C:\windows\SysWOW64\JTBF.exe

Filesize
208KB

MD5
381d0033f66d58afc734a110723a58ca

SHA1
7a5483371ecee9a0462d83f7f727a710a64bb021

SHA256
70a6f696a64cbb8d3cc5607e3921deebf4cc14dedc12ba6a1f6901d4f71dc552

SHA512
54fb32553cc66995e0fbe7714835d3e6479e71c0272d3b04cb9ce855b4787c3556e1640a8095ec04408caf4660d4eb548fdfd9ad69ed00a1fe66fce3f041a800

Download Submit
C:\windows\SysWOW64\JTBF.exe.bat

Filesize
72B

MD5
dba8544594dc970b2d87a0c6e0736637

SHA1
0227b9b3fcc4de93d9ee16a56bd3e3778c2bf747

SHA256
6161ab91f5bc830092324b5803fb9c759843a8931fb918c6b70ba55fdf882fea

SHA512
f19a268c3de4b1b74a14f88629399e63a47e9a5a84c3ec9cc18b6a8dc237edd17e040750ba3afb8037134245c67b06d86cf9c25a6eab1b92cebf90c58f7956e3

Download Submit
\Windows\SysWOW64\JTBF.exe

Filesize
208KB

MD5
381d0033f66d58afc734a110723a58ca

SHA1
7a5483371ecee9a0462d83f7f727a710a64bb021

SHA256
70a6f696a64cbb8d3cc5607e3921deebf4cc14dedc12ba6a1f6901d4f71dc552

SHA512
54fb32553cc66995e0fbe7714835d3e6479e71c0272d3b04cb9ce855b4787c3556e1640a8095ec04408caf4660d4eb548fdfd9ad69ed00a1fe66fce3f041a800

Download Submit
\Windows\SysWOW64\JTBF.exe

Filesize
208KB

MD5
381d0033f66d58afc734a110723a58ca

SHA1
7a5483371ecee9a0462d83f7f727a710a64bb021

SHA256
70a6f696a64cbb8d3cc5607e3921deebf4cc14dedc12ba6a1f6901d4f71dc552

SHA512
54fb32553cc66995e0fbe7714835d3e6479e71c0272d3b04cb9ce855b4787c3556e1640a8095ec04408caf4660d4eb548fdfd9ad69ed00a1fe66fce3f041a800

Download Submit
memory/1080-15-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1080-18-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1080-22-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1132-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2952-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2952-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing