Overview

overview

10

Static

static

3

NEAS.61c77...e0.exe

windows7-x64

10

NEAS.61c77...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2023, 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.61c7745413c711672c98d4fcc040b0e0.exe

  • Size

    340KB

  • MD5

    61c7745413c711672c98d4fcc040b0e0

  • SHA1

    1103dc26335f9a15a3b0f84bc3aca4f915bde918

  • SHA256

    b79e0e14f8e1456d9acc029ef06ebfa3185028aafe991cccbcae5c00aec2ceae

  • SHA512

    8b8e2f7bd8523e56e8b38bb62f505920706c69b607c706578a6a2e45f46a4b750d30cfc1be4c1534d2be972e7b843c6debb0db59a6d8950b769ca7af7301a62a

  • SSDEEP

    3072:0ChJgYMm4xf9cU9KQ2BxA59SPMpOojn23z0:8YMm4xiWKQ2BiCMIz0

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.61c7745413c711672c98d4fcc040b0e0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.61c7745413c711672c98d4fcc040b0e0.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Program Files (x86)\2fdbb54f\jusched.exe
      "C:\Program Files (x86)\2fdbb54f\jusched.exe"
      2⤵
      • Executes dropped EXE
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\2fdbb54f\2fdbb54f
    Filesize

    17B

    MD5

    89931a70501a3362b6823b53523f5a77

    SHA1

    88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

    SHA256

    d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

    SHA512

    8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

    Download Submit

  • C:\Program Files (x86)\2fdbb54f\jusched.exe
    Filesize

    340KB

    MD5

    4ba6810225b4b070a286e7f313736a06

    SHA1

    d6b441b5b9c0335dc5da565bb8e50170ad153ae5

    SHA256

    88b0fb6811c9e07cf074257fd8e7f7f763ae55c0450236f799594de72a3c78e6

    SHA512

    832f2401d7dee80ac0f66caf42dae804a09ce9a3e7a9e2dcc50d5167c36eb9cae265873a97b9c9d9961b8538c77fd6013d9bc81a50d78fc7366c08d73512af64

    Download Submit

  • C:\Program Files (x86)\2fdbb54f\jusched.exe
    Filesize

    340KB

    MD5

    4ba6810225b4b070a286e7f313736a06

    SHA1

    d6b441b5b9c0335dc5da565bb8e50170ad153ae5

    SHA256

    88b0fb6811c9e07cf074257fd8e7f7f763ae55c0450236f799594de72a3c78e6

    SHA512

    832f2401d7dee80ac0f66caf42dae804a09ce9a3e7a9e2dcc50d5167c36eb9cae265873a97b9c9d9961b8538c77fd6013d9bc81a50d78fc7366c08d73512af64

    Download Submit

  • C:\Program Files (x86)\2fdbb54f\jusched.exe
    Filesize

    340KB

    MD5

    4ba6810225b4b070a286e7f313736a06

    SHA1

    d6b441b5b9c0335dc5da565bb8e50170ad153ae5

    SHA256

    88b0fb6811c9e07cf074257fd8e7f7f763ae55c0450236f799594de72a3c78e6

    SHA512

    832f2401d7dee80ac0f66caf42dae804a09ce9a3e7a9e2dcc50d5167c36eb9cae265873a97b9c9d9961b8538c77fd6013d9bc81a50d78fc7366c08d73512af64

    Download Submit

  • memory/2260-0-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/2260-15-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/4640-14-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/4640-17-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

    Download