53bb901ee95ab4a46fd55a5e0932240ea9fcce41902ad3c3a52668dca63c5dbb

Analysis

max time kernel
129s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.60fd3774785fc3c17b13e07b373c7510.exe
Size

426KB
MD5

60fd3774785fc3c17b13e07b373c7510
SHA1

c80fa5eb61e58911719b8c191a9d4951198d4229
SHA256

53bb901ee95ab4a46fd55a5e0932240ea9fcce41902ad3c3a52668dca63c5dbb
SHA512

fbb536df747d1af490d0f56557e1630e99223a05dc57582506867a13b9021a0c29b3355ca524d11bd914780fb27a0eb7ebd0209113e13529e119938ab369281d
SSDEEP

3072:kChJgYMm4xf9cU9KQ2BxA59SPM2OoSn240YK0FN8lpSUyKncAxi2n:MYMm4xiWKQ2BiCMtZK03kNcATn

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.60fd3774785fc3c17b13e07b373c7510.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\132c4cd0\jusched.exe	NEAS.60fd3774785fc3c17b13e07b373c7510.exe
File created	C:\Program Files (x86)\132c4cd0\132c4cd0	NEAS.60fd3774785fc3c17b13e07b373c7510.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.60fd3774785fc3c17b13e07b373c7510.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 2332	3160	NEAS.60fd3774785fc3c17b13e07b373c7510.exe	91
PID 3160 wrote to memory of 2332	3160	NEAS.60fd3774785fc3c17b13e07b373c7510.exe	91
PID 3160 wrote to memory of 2332	3160	NEAS.60fd3774785fc3c17b13e07b373c7510.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.60fd3774785fc3c17b13e07b373c7510.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.60fd3774785fc3c17b13e07b373c7510.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files (x86)\132c4cd0\jusched.exe
  "C:\Program Files (x86)\132c4cd0\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\132c4cd0\132c4cd0

Filesize
17B

MD5
89931a70501a3362b6823b53523f5a77

SHA1
88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

SHA256
d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

SHA512
8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

Download Submit
C:\Program Files (x86)\132c4cd0\jusched.exe

Filesize
426KB

MD5
31d45389f8c536b9f7a9185ff625ec1b

SHA1
1b9eeaa132ac284406e0a02b5d9d83f4db16697c

SHA256
7098d805b074487d74c6591ffb7e0920f6f33fcc5d6153618dc866b7661b4c9a

SHA512
678eeb472dfaa5e103fcb08ccbbc825569cd54b0fddd3d47d4f9910b9d8d57fb2d0b6c9319fd287e0ae02ccd667106b3915c72a5ca1f4477fe199e8577755e29

Download Submit
C:\Program Files (x86)\132c4cd0\jusched.exe

Filesize
426KB

MD5
31d45389f8c536b9f7a9185ff625ec1b

SHA1
1b9eeaa132ac284406e0a02b5d9d83f4db16697c

SHA256
7098d805b074487d74c6591ffb7e0920f6f33fcc5d6153618dc866b7661b4c9a

SHA512
678eeb472dfaa5e103fcb08ccbbc825569cd54b0fddd3d47d4f9910b9d8d57fb2d0b6c9319fd287e0ae02ccd667106b3915c72a5ca1f4477fe199e8577755e29

Download Submit
C:\Program Files (x86)\132c4cd0\jusched.exe

Filesize
426KB

MD5
31d45389f8c536b9f7a9185ff625ec1b

SHA1
1b9eeaa132ac284406e0a02b5d9d83f4db16697c

SHA256
7098d805b074487d74c6591ffb7e0920f6f33fcc5d6153618dc866b7661b4c9a

SHA512
678eeb472dfaa5e103fcb08ccbbc825569cd54b0fddd3d47d4f9910b9d8d57fb2d0b6c9319fd287e0ae02ccd667106b3915c72a5ca1f4477fe199e8577755e29

Download Submit
memory/2332-13-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2332-17-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3160-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3160-15-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download