9bac726f9b63e77073f3d60b0b6fbe6c99dcd3283015776eb8f86ff5eb9cfe74

Analysis

max time kernel
151s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c1cebf71c4eb05385868564c2f76e210.exe
Size

236KB
MD5

c1cebf71c4eb05385868564c2f76e210
SHA1

19ac4fe654a8b5d3518ba443b383d8595b9b60e0
SHA256

9bac726f9b63e77073f3d60b0b6fbe6c99dcd3283015776eb8f86ff5eb9cfe74
SHA512

7205b28c890a58e9f4758ce082973ba240d9a6a715e26cd0729708deee5c0c3c5bf88d975dbb4e0b0fcb5a865a650aa3c1f1816957ca56c81af65bc8d080300f
SSDEEP

1536:QXs9wrnUh4d7ygVpn0uv77P11gqu87LhofgKdBWpC:QXYw4+dGgLn0sP11gqdofguj

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Extracted

Credentials

Protocol: ftp
Host:
ftp.yesimcopy.com
Port:
21
Username:
yesimcopy1
Password:
825cyf

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.c1cebf71c4eb05385868564c2f76e210.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d5ef05ed\jusched.exe	NEAS.c1cebf71c4eb05385868564c2f76e210.exe
File created	C:\Program Files (x86)\d5ef05ed\d5ef05ed	NEAS.c1cebf71c4eb05385868564c2f76e210.exe
File created	C:\Program Files (x86)\d5ef05ed\info_a	NEAS.c1cebf71c4eb05385868564c2f76e210.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.c1cebf71c4eb05385868564c2f76e210.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 2500	3724	NEAS.c1cebf71c4eb05385868564c2f76e210.exe	85
PID 3724 wrote to memory of 2500	3724	NEAS.c1cebf71c4eb05385868564c2f76e210.exe	85
PID 3724 wrote to memory of 2500	3724	NEAS.c1cebf71c4eb05385868564c2f76e210.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.c1cebf71c4eb05385868564c2f76e210.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c1cebf71c4eb05385868564c2f76e210.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Program Files (x86)\d5ef05ed\jusched.exe
  "C:\Program Files (x86)\d5ef05ed\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d5ef05ed\d5ef05ed

Filesize
17B

MD5
6ff89798e0e63d75115c777af43a2cd9

SHA1
e8b994ccbbe64951afe91fc3dd377f88fe6c9ba8

SHA256
3b3947957c6e0abb19d91b256521bdb3826d88d9b7b53995e177a58cebf0d479

SHA512
46557f9bf6f5c5b3316891a9b623a7d11d8d8ff1973ca84cfbcf8d898746f2dbded7fee837c9a70c2e36f9b46a357fe2ba53585bf5307950d2fef6ee1dcb28a3

Download Submit
C:\Program Files (x86)\d5ef05ed\info_a

Filesize
12B

MD5
3f764b1af05ee55933141c78e8b22ca1

SHA1
4f99e7c69d2f81d3459a93c7822ef7fb393e5f56

SHA256
935eb0f52ad7a373377436d8945313e22b9401cbd69f47134597c7c23fba63f8

SHA512
e62d8df9628e19b3705421c728953d32df4f04ba788c2ff47e1d731ee3af51ec507e858637e5bbb054830f10b56568a01857be077d2ca4ca00f10cdc1f1de61c

Download Submit
C:\Program Files (x86)\d5ef05ed\jusched.exe

Filesize
236KB

MD5
6595da22a4ab1fb4ce5062daa392ce77

SHA1
e1ea61ca9118c87b3c754beae3eb26b403513f24

SHA256
047e97f8ab64203dd35a736df18a1d04b3934574f5d6a0855202eab1090b3146

SHA512
6f08e6f1ee0af3f06be781dc16c785a63eb314daf77fad4c02ae56d9d75fabd1001c67ceb28d732c3003c211fe289b0c130deb5805cb58039d87bc646db25773

Download Submit
C:\Program Files (x86)\d5ef05ed\jusched.exe

Filesize
236KB

MD5
6595da22a4ab1fb4ce5062daa392ce77

SHA1
e1ea61ca9118c87b3c754beae3eb26b403513f24

SHA256
047e97f8ab64203dd35a736df18a1d04b3934574f5d6a0855202eab1090b3146

SHA512
6f08e6f1ee0af3f06be781dc16c785a63eb314daf77fad4c02ae56d9d75fabd1001c67ceb28d732c3003c211fe289b0c130deb5805cb58039d87bc646db25773

Download Submit
C:\Program Files (x86)\d5ef05ed\jusched.exe

Filesize
236KB

MD5
6595da22a4ab1fb4ce5062daa392ce77

SHA1
e1ea61ca9118c87b3c754beae3eb26b403513f24

SHA256
047e97f8ab64203dd35a736df18a1d04b3934574f5d6a0855202eab1090b3146

SHA512
6f08e6f1ee0af3f06be781dc16c785a63eb314daf77fad4c02ae56d9d75fabd1001c67ceb28d732c3003c211fe289b0c130deb5805cb58039d87bc646db25773

Download Submit
memory/2500-15-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2500-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3724-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3724-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads