76dcf200e3eec37187c1b030640ebc917484759251d1482b5e686dd8b0586c7c

Analysis

max time kernel
152s
max time network
159s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe
Size

222KB
MD5

c26bf98909aaac7add74c54fcda32d77
SHA1

b6ed6bedc040de687ad1bea5a2751fee7c654141
SHA256

76dcf200e3eec37187c1b030640ebc917484759251d1482b5e686dd8b0586c7c
SHA512

c910e79f63ec3d88b3ba6b0eea7f725a8ee069b38b938335ccd7b11b7648abe2aa551677050e7fea29ae1d856a04ddf78e28655a24961a6d6c15c41ef6086d91
SSDEEP

3072:UVHgCc4xGvbwcU9KQ2BBAHmaPxiVoSb5Exrz:BCc4xGxWKQ2Bonxn

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe
3016	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\a673f5dd\jusched.exe	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe
File created	C:\Program Files (x86)\a673f5dd\a673f5dd	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1708	3016	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe	28
PID 3016 wrote to memory of 1708	3016	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe	28
PID 3016 wrote to memory of 1708	3016	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe	28
PID 3016 wrote to memory of 1708	3016	NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c26bf98909aaac7add74c54fcda32d77_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\a673f5dd\jusched.exe
  "C:\Program Files (x86)\a673f5dd\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\a673f5dd\a673f5dd

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
C:\Program Files (x86)\a673f5dd\jusched.exe

Filesize
222KB

MD5
987b4fa83b4a6e35e1cb1695ef780aab

SHA1
c71337b28c5e7f203432a3a5b07fbe3201833222

SHA256
66de89fe0268c01d2e808939a2406c651436ba0470184c170e01db32a4f0cc7e

SHA512
830555756913250774ba9a4b39308c34dfafd359cbc55e39d4347a5f9d22251853d56b92c1ff87f86b20c0145bb768848aa0b209475bc67815f74b4f909c21f3

Download Submit
C:\Program Files (x86)\a673f5dd\jusched.exe

Filesize
222KB

MD5
987b4fa83b4a6e35e1cb1695ef780aab

SHA1
c71337b28c5e7f203432a3a5b07fbe3201833222

SHA256
66de89fe0268c01d2e808939a2406c651436ba0470184c170e01db32a4f0cc7e

SHA512
830555756913250774ba9a4b39308c34dfafd359cbc55e39d4347a5f9d22251853d56b92c1ff87f86b20c0145bb768848aa0b209475bc67815f74b4f909c21f3

Download Submit
\Program Files (x86)\a673f5dd\jusched.exe

Filesize
222KB

MD5
987b4fa83b4a6e35e1cb1695ef780aab

SHA1
c71337b28c5e7f203432a3a5b07fbe3201833222

SHA256
66de89fe0268c01d2e808939a2406c651436ba0470184c170e01db32a4f0cc7e

SHA512
830555756913250774ba9a4b39308c34dfafd359cbc55e39d4347a5f9d22251853d56b92c1ff87f86b20c0145bb768848aa0b209475bc67815f74b4f909c21f3

Download Submit
\Program Files (x86)\a673f5dd\jusched.exe

Filesize
222KB

MD5
987b4fa83b4a6e35e1cb1695ef780aab

SHA1
c71337b28c5e7f203432a3a5b07fbe3201833222

SHA256
66de89fe0268c01d2e808939a2406c651436ba0470184c170e01db32a4f0cc7e

SHA512
830555756913250774ba9a4b39308c34dfafd359cbc55e39d4347a5f9d22251853d56b92c1ff87f86b20c0145bb768848aa0b209475bc67815f74b4f909c21f3

Download Submit
memory/1708-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1708-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3016-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3016-7-0x0000000001EA0000-0x0000000001EE6000-memory.dmp

Filesize
280KB

Download
memory/3016-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download