1d79d314c6911b28d44ae25b2e56c04c945a7a7b0683a433115b03ead1c023c3

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 05:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe
Size

205KB
MD5

b0267eb7b3a36dc486f1fa0b998d0430
SHA1

bc389d0d47bd1a7b5123b3cf979a214d468c8e3e
SHA256

1d79d314c6911b28d44ae25b2e56c04c945a7a7b0683a433115b03ead1c023c3
SHA512

abdb5c49ee9a1cb5b0be80c280be4c8242d2c411a35beac584a9a3f65b8f75965a504d7a9eab1735937a90c99b1b60da2319102d35039af5dacabeb18c06f397
SSDEEP

3072:pePgCctxGv4QcU9KQ2BBA2waPxhtmollN:lCctxGsWKQ2Bx5xvhN

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\c32e40df\jusched.exe	NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe
File created	C:\Program Files (x86)\c32e40df\c32e40df	NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2608	1540	NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe	95
PID 1540 wrote to memory of 2608	1540	NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe	95
PID 1540 wrote to memory of 2608	1540	NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b0267eb7b3a36dc486f1fa0b998d0430_JC.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files (x86)\c32e40df\jusched.exe
  "C:\Program Files (x86)\c32e40df\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\c32e40df\c32e40df

Filesize
17B

MD5
552bb86ed2797d3fd12ac0d273afaf75

SHA1
6e8633f9c24590779acbd3dd14c60f856320bc0a

SHA256
3ef9ff5da8272fd1b14c83f12c8d28fd9dbf32d56bcb714921032b02557fe789

SHA512
dab57227de02f4667cc8e2ec47566088b473caa0387caffbdfde37f3400da7d4f67dd222e83a4fa93592694bbcff7c52a2bcec074868baf221bc47d9370c8d2c

Download Submit
C:\Program Files (x86)\c32e40df\jusched.exe

Filesize
205KB

MD5
394627fdb124ae53891633683d3dd51f

SHA1
af4d45d43efee9091acc083498db2734b234f9b6

SHA256
e9ae1baabccb41f1e3872da33923480e366addd2cbfb8cd764ee4a0bff2c2025

SHA512
ae50e4dd1aff9b435d6e5ba023e2f11b4a06087956c6c5de8a5d59b9598b3a628d2bd33738bf42aaa62364764cefb55bdd016343cf80908fffe4616e2eb4ad8a

Download Submit
C:\Program Files (x86)\c32e40df\jusched.exe

Filesize
205KB

MD5
394627fdb124ae53891633683d3dd51f

SHA1
af4d45d43efee9091acc083498db2734b234f9b6

SHA256
e9ae1baabccb41f1e3872da33923480e366addd2cbfb8cd764ee4a0bff2c2025

SHA512
ae50e4dd1aff9b435d6e5ba023e2f11b4a06087956c6c5de8a5d59b9598b3a628d2bd33738bf42aaa62364764cefb55bdd016343cf80908fffe4616e2eb4ad8a

Download Submit
C:\Program Files (x86)\c32e40df\jusched.exe

Filesize
205KB

MD5
394627fdb124ae53891633683d3dd51f

SHA1
af4d45d43efee9091acc083498db2734b234f9b6

SHA256
e9ae1baabccb41f1e3872da33923480e366addd2cbfb8cd764ee4a0bff2c2025

SHA512
ae50e4dd1aff9b435d6e5ba023e2f11b4a06087956c6c5de8a5d59b9598b3a628d2bd33738bf42aaa62364764cefb55bdd016343cf80908fffe4616e2eb4ad8a

Download Submit