dd9868ea8d3b0729c778f64b58d4d91d0e01a2bbdabadca2ca28840bd67cc755

Analysis

max time kernel
165s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe
Size

38KB
MD5

b11ac43b338324ed63350e4c92fcc5c0
SHA1

bbabd36122af716f47637cfb9afce6f9205a7463
SHA256

dd9868ea8d3b0729c778f64b58d4d91d0e01a2bbdabadca2ca28840bd67cc755
SHA512

db0f00d2abb7ba6c37c971c93323bbc205dc9092b91a399147808d11d162f0f7f3109d23730d518f20e5e7fde3ed82f7ab8f37e2752cbafce31f028fd37421aa
SSDEEP

768:kflivXrVKpVhKvtxwYHwVFoeAQ5mucwUKzda:alqrVKprVuQ57zc

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe
2132	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\115f5d31\jusched.exe	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe
File created	C:\Program Files (x86)\115f5d31\115f5d31	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe
1696	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1696	2132	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe	27
PID 2132 wrote to memory of 1696	2132	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe	27
PID 2132 wrote to memory of 1696	2132	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe	27
PID 2132 wrote to memory of 1696	2132	NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b11ac43b338324ed63350e4c92fcc5c0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Program Files (x86)\115f5d31\jusched.exe
  "C:\Program Files (x86)\115f5d31\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\115f5d31\115f5d31

Filesize
13B

MD5
f253efe302d32ab264a76e0ce65be769

SHA1
768685ca582abd0af2fbb57ca37752aa98c9372b

SHA256
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

SHA512
1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

Download Submit
C:\Program Files (x86)\115f5d31\jusched.exe

Filesize
38KB

MD5
c086ecea09b8b9d69f4f3d4b3cc908ae

SHA1
ad8c23632bf3be09827fcf8e338fb26c3394e7a5

SHA256
98fd35a7be59ff736eaa9c18984a83914e88fd2dac73ec7b1248f20eed2c065a

SHA512
e01d98211599810ba0fd7cb6a6d2ea2f3f1ca9f8619278b8e56ad78330d597fda55b7229841bee23fc6848e7ec1c45f9c4fc1576677c0c7e934d8b1ad86a0f1c

Download Submit
C:\Program Files (x86)\115f5d31\jusched.exe

Filesize
38KB

MD5
c086ecea09b8b9d69f4f3d4b3cc908ae

SHA1
ad8c23632bf3be09827fcf8e338fb26c3394e7a5

SHA256
98fd35a7be59ff736eaa9c18984a83914e88fd2dac73ec7b1248f20eed2c065a

SHA512
e01d98211599810ba0fd7cb6a6d2ea2f3f1ca9f8619278b8e56ad78330d597fda55b7229841bee23fc6848e7ec1c45f9c4fc1576677c0c7e934d8b1ad86a0f1c

Download Submit
\Program Files (x86)\115f5d31\jusched.exe

Filesize
38KB

MD5
c086ecea09b8b9d69f4f3d4b3cc908ae

SHA1
ad8c23632bf3be09827fcf8e338fb26c3394e7a5

SHA256
98fd35a7be59ff736eaa9c18984a83914e88fd2dac73ec7b1248f20eed2c065a

SHA512
e01d98211599810ba0fd7cb6a6d2ea2f3f1ca9f8619278b8e56ad78330d597fda55b7229841bee23fc6848e7ec1c45f9c4fc1576677c0c7e934d8b1ad86a0f1c

Download Submit
\Program Files (x86)\115f5d31\jusched.exe

Filesize
38KB

MD5
c086ecea09b8b9d69f4f3d4b3cc908ae

SHA1
ad8c23632bf3be09827fcf8e338fb26c3394e7a5

SHA256
98fd35a7be59ff736eaa9c18984a83914e88fd2dac73ec7b1248f20eed2c065a

SHA512
e01d98211599810ba0fd7cb6a6d2ea2f3f1ca9f8619278b8e56ad78330d597fda55b7229841bee23fc6848e7ec1c45f9c4fc1576677c0c7e934d8b1ad86a0f1c

Download Submit
memory/1696-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2132-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2132-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2132-6-0x0000000000680000-0x000000000069D000-memory.dmp

Filesize
116KB

Download