682a12ca752f2bdd16cd9ab3de71e44147307eaa88e2a7ced2bc8c28f267cd91

Analysis

max time kernel
153s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
Size

261KB
MD5

df1be8e4c58f3cf6d724a80a3d18ba60
SHA1

b64044ca47c4b3efeb3d1a388d5bb5a22627b748
SHA256

682a12ca752f2bdd16cd9ab3de71e44147307eaa88e2a7ced2bc8c28f267cd91
SHA512

5d9022825369ebcebf36565cfdc0bdb855239ee29d220e5e0828e1b762a2e051e4d96077242081db1f9b6a97a270ffdf13d36462bca1bb82a738ac713a9abae0
SSDEEP

3072:SVHgCc4xGvbwcU9KQ2BBAHmaPxiVojb5EGW:TCc4xGxWKQ2Bonxa

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.byethost12.com
Port:
21
Username:
b12_8082975
Password:
951753zx

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe

Executes dropped EXE 1 IoCs

pid	Process
5080	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\9f41eaf3\jusched.exe	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
File created	C:\Program Files (x86)\9f41eaf3\9f41eaf3	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 5080	3924	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe	88
PID 3924 wrote to memory of 5080	3924	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe	88
PID 3924 wrote to memory of 5080	3924	NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe	88

C:\Users\Admin\AppData\Local\Temp\NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.df1be8e4c58f3cf6d724a80a3d18ba60.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Program Files (x86)\9f41eaf3\jusched.exe
  "C:\Program Files (x86)\9f41eaf3\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\9f41eaf3\9f41eaf3

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
C:\Program Files (x86)\9f41eaf3\jusched.exe

Filesize
261KB

MD5
e0012399e421f9e07f9887594eacfb58

SHA1
0f7f93fccdcc659a7976f740ecb5b9a9850dce04

SHA256
fb98fca500d82434d51cf56467fc26d0a47533ef221f74437171d5c23f55af5d

SHA512
ebfa92e3f512ccff0f6bcf481388f7fad57ccf37605c28afa101fcd3ac22ed3d4e57ffcd51f2226732c406975a35b9d4ac1b07660b92df871d9892ebab9b22ac

Download Submit
C:\Program Files (x86)\9f41eaf3\jusched.exe

Filesize
261KB

MD5
e0012399e421f9e07f9887594eacfb58

SHA1
0f7f93fccdcc659a7976f740ecb5b9a9850dce04

SHA256
fb98fca500d82434d51cf56467fc26d0a47533ef221f74437171d5c23f55af5d

SHA512
ebfa92e3f512ccff0f6bcf481388f7fad57ccf37605c28afa101fcd3ac22ed3d4e57ffcd51f2226732c406975a35b9d4ac1b07660b92df871d9892ebab9b22ac

Download Submit
C:\Program Files (x86)\9f41eaf3\jusched.exe

Filesize
261KB

MD5
e0012399e421f9e07f9887594eacfb58

SHA1
0f7f93fccdcc659a7976f740ecb5b9a9850dce04

SHA256
fb98fca500d82434d51cf56467fc26d0a47533ef221f74437171d5c23f55af5d

SHA512
ebfa92e3f512ccff0f6bcf481388f7fad57ccf37605c28afa101fcd3ac22ed3d4e57ffcd51f2226732c406975a35b9d4ac1b07660b92df871d9892ebab9b22ac

Download Submit
memory/3924-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3924-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3924-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5080-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5080-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads