682a12ca752f2bdd16cd9ab3de71e44147307eaa88e2a7ced2bc8c28f267cd91

Analysis

max time kernel
128s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
Size

261KB
MD5

df1be8e4c58f3cf6d724a80a3d18ba60
SHA1

b64044ca47c4b3efeb3d1a388d5bb5a22627b748
SHA256

682a12ca752f2bdd16cd9ab3de71e44147307eaa88e2a7ced2bc8c28f267cd91
SHA512

5d9022825369ebcebf36565cfdc0bdb855239ee29d220e5e0828e1b762a2e051e4d96077242081db1f9b6a97a270ffdf13d36462bca1bb82a738ac713a9abae0
SSDEEP

3072:SVHgCc4xGvbwcU9KQ2BBAHmaPxiVojb5EGW:TCc4xGxWKQ2Bonxa

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.byethost12.com
Port:
21
Username:
b12_8082975
Password:
951753zx

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1972	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
2432	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d268e381\jusched.exe	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
File created	C:\Program Files (x86)\d268e381\d268e381	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1972	2432	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe	28
PID 2432 wrote to memory of 1972	2432	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe	28
PID 2432 wrote to memory of 1972	2432	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe	28
PID 2432 wrote to memory of 1972	2432	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\d268e381\jusched.exe
  "C:\Program Files (x86)\d268e381\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d268e381\d268e381

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
C:\Program Files (x86)\d268e381\jusched.exe

Filesize
261KB

MD5
400e34855ec57a36e7ede50b6ec8f080

SHA1
3b922f5d45df992794bc0a1cf81e4138f63bc84e

SHA256
2b00be5aad2c657bafd140f57030ac79aee24d5087363e50b9e66074ce256e92

SHA512
13351574f6ff98e8ff777f76568504152e10bc4cdcd058796c812b9a906d7cbe1b7478ad217493bb7ae4ddbd32da56b8ce5374595b568c671a6cd29e4c7f8ecb

Download Submit
C:\Program Files (x86)\d268e381\jusched.exe

Filesize
261KB

MD5
400e34855ec57a36e7ede50b6ec8f080

SHA1
3b922f5d45df992794bc0a1cf81e4138f63bc84e

SHA256
2b00be5aad2c657bafd140f57030ac79aee24d5087363e50b9e66074ce256e92

SHA512
13351574f6ff98e8ff777f76568504152e10bc4cdcd058796c812b9a906d7cbe1b7478ad217493bb7ae4ddbd32da56b8ce5374595b568c671a6cd29e4c7f8ecb

Download Submit
\Program Files (x86)\d268e381\jusched.exe

Filesize
261KB

MD5
400e34855ec57a36e7ede50b6ec8f080

SHA1
3b922f5d45df992794bc0a1cf81e4138f63bc84e

SHA256
2b00be5aad2c657bafd140f57030ac79aee24d5087363e50b9e66074ce256e92

SHA512
13351574f6ff98e8ff777f76568504152e10bc4cdcd058796c812b9a906d7cbe1b7478ad217493bb7ae4ddbd32da56b8ce5374595b568c671a6cd29e4c7f8ecb

Download Submit
\Program Files (x86)\d268e381\jusched.exe

Filesize
261KB

MD5
400e34855ec57a36e7ede50b6ec8f080

SHA1
3b922f5d45df992794bc0a1cf81e4138f63bc84e

SHA256
2b00be5aad2c657bafd140f57030ac79aee24d5087363e50b9e66074ce256e92

SHA512
13351574f6ff98e8ff777f76568504152e10bc4cdcd058796c812b9a906d7cbe1b7478ad217493bb7ae4ddbd32da56b8ce5374595b568c671a6cd29e4c7f8ecb

Download Submit
memory/1972-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2432-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2432-7-0x0000000002320000-0x0000000002375000-memory.dmp

Filesize
340KB

Download
memory/2432-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2432-12-0x0000000002320000-0x0000000002375000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads