ee1cff60cacc0e22438051583be0646e5494f91a26a75f0babe61b60a56e75a5

Analysis

max time kernel
128s
max time network
156s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dc6e8dc64e5f4776363ace6a07073850.exe
Size

261KB
MD5

dc6e8dc64e5f4776363ace6a07073850
SHA1

671776f05a372d133378b179ba9cf45db28b5942
SHA256

ee1cff60cacc0e22438051583be0646e5494f91a26a75f0babe61b60a56e75a5
SHA512

fcfc30048402b2700eac93395f220691d31507a50d6c5a3178d3e3e6546865e3f512ab54aa9db832216458441babca29fafaf5fb80bfac6b9c2376c5594f9b28
SSDEEP

3072:SVHgCc4xGvbwcU9KQ2BBAHmaPxiVojb5EGm:TCc4xGxWKQ2Bonxi

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1168	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe
1168	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\b4821990\jusched.exe	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe
File created	C:\Program Files (x86)\b4821990\b4821990	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2824	1168	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe	30
PID 1168 wrote to memory of 2824	1168	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe	30
PID 1168 wrote to memory of 2824	1168	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe	30
PID 1168 wrote to memory of 2824	1168	NEAS.dc6e8dc64e5f4776363ace6a07073850.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.dc6e8dc64e5f4776363ace6a07073850.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dc6e8dc64e5f4776363ace6a07073850.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files (x86)\b4821990\jusched.exe
  "C:\Program Files (x86)\b4821990\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\b4821990\b4821990

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
C:\Program Files (x86)\b4821990\jusched.exe

Filesize
261KB

MD5
27a833990d9b533af38c7da4ef50c869

SHA1
3391e6da0b144679ac97c1f2d71b847c07c3fc4f

SHA256
a728f50d900b5a5420c5c0a3a1d5b848d4005d9dd72b01c6ab2a5bf221d12c16

SHA512
b9bc34bd5d2c63b74c849b65e33fa9bc8cf088cc864263442dcb213606828eaacb59fdb4a4cfe289c62ec29a0e0bea33231edf76eee3da6eff60e05d9e9d1168

Download Submit
C:\Program Files (x86)\b4821990\jusched.exe

Filesize
261KB

MD5
27a833990d9b533af38c7da4ef50c869

SHA1
3391e6da0b144679ac97c1f2d71b847c07c3fc4f

SHA256
a728f50d900b5a5420c5c0a3a1d5b848d4005d9dd72b01c6ab2a5bf221d12c16

SHA512
b9bc34bd5d2c63b74c849b65e33fa9bc8cf088cc864263442dcb213606828eaacb59fdb4a4cfe289c62ec29a0e0bea33231edf76eee3da6eff60e05d9e9d1168

Download Submit
\Program Files (x86)\b4821990\jusched.exe

Filesize
261KB

MD5
27a833990d9b533af38c7da4ef50c869

SHA1
3391e6da0b144679ac97c1f2d71b847c07c3fc4f

SHA256
a728f50d900b5a5420c5c0a3a1d5b848d4005d9dd72b01c6ab2a5bf221d12c16

SHA512
b9bc34bd5d2c63b74c849b65e33fa9bc8cf088cc864263442dcb213606828eaacb59fdb4a4cfe289c62ec29a0e0bea33231edf76eee3da6eff60e05d9e9d1168

Download Submit
\Program Files (x86)\b4821990\jusched.exe

Filesize
261KB

MD5
27a833990d9b533af38c7da4ef50c869

SHA1
3391e6da0b144679ac97c1f2d71b847c07c3fc4f

SHA256
a728f50d900b5a5420c5c0a3a1d5b848d4005d9dd72b01c6ab2a5bf221d12c16

SHA512
b9bc34bd5d2c63b74c849b65e33fa9bc8cf088cc864263442dcb213606828eaacb59fdb4a4cfe289c62ec29a0e0bea33231edf76eee3da6eff60e05d9e9d1168

Download Submit
memory/1168-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1168-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1168-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1168-8-0x0000000002690000-0x00000000026E5000-memory.dmp

Filesize
340KB

Download
memory/2824-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download