dd61fae6ce5dd470ab46efbf22a8410c509bba92d1abcabb77bad94dfce71177

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe
Size

361KB
MD5

324196d2e1b5e012a2b332d698b34a60
SHA1

a0704f34878977868e47a925794d893923a6168d
SHA256

dd61fae6ce5dd470ab46efbf22a8410c509bba92d1abcabb77bad94dfce71177
SHA512

2e06d7c4968e174587477cb26b73b7d821a76a7d6aa3caa168d06520522dd1de0c0a30563124810ce0aa5da725b278e7ad43c0f9b9a5b973102771ff5fcba679
SSDEEP

3072:aePgCctxGv4QcU9KQ2BBA2waPxhtmollC7HF8haJrbU8yV24/7WubFnxA:eCctxGsWKQ2Bx5xvhCZsQ/4PnxA

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\e000def\jusched.exe	NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe
File created	C:\Program Files (x86)\e000def\e000def	NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2440	212	NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe	95
PID 212 wrote to memory of 2440	212	NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe	95
PID 212 wrote to memory of 2440	212	NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.324196d2e1b5e012a2b332d698b34a60_JC.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files (x86)\e000def\jusched.exe
  "C:\Program Files (x86)\e000def\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\e000def\e000def

Filesize
17B

MD5
552bb86ed2797d3fd12ac0d273afaf75

SHA1
6e8633f9c24590779acbd3dd14c60f856320bc0a

SHA256
3ef9ff5da8272fd1b14c83f12c8d28fd9dbf32d56bcb714921032b02557fe789

SHA512
dab57227de02f4667cc8e2ec47566088b473caa0387caffbdfde37f3400da7d4f67dd222e83a4fa93592694bbcff7c52a2bcec074868baf221bc47d9370c8d2c

Download Submit
C:\Program Files (x86)\e000def\jusched.exe

Filesize
361KB

MD5
9468cdff21288d179aa1e69ac40c732e

SHA1
f0ec25bf0c50c8071cd8038266edf2079239edbd

SHA256
7e7a9d4a50efb05763c93c98f3370fea6edbe7f19df584c53d9ab6cb645264d6

SHA512
2bd1a5b3deef1638bbc2841634e9f87dea598903a8ac13ff3c50b077bb0aed1031f5fa15cfffb4d043f519cef7c3522ef0453d591ea4b551d8e6616099277ecb

Download Submit
C:\Program Files (x86)\e000def\jusched.exe

Filesize
361KB

MD5
9468cdff21288d179aa1e69ac40c732e

SHA1
f0ec25bf0c50c8071cd8038266edf2079239edbd

SHA256
7e7a9d4a50efb05763c93c98f3370fea6edbe7f19df584c53d9ab6cb645264d6

SHA512
2bd1a5b3deef1638bbc2841634e9f87dea598903a8ac13ff3c50b077bb0aed1031f5fa15cfffb4d043f519cef7c3522ef0453d591ea4b551d8e6616099277ecb

Download Submit
C:\Program Files (x86)\e000def\jusched.exe

Filesize
361KB

MD5
9468cdff21288d179aa1e69ac40c732e

SHA1
f0ec25bf0c50c8071cd8038266edf2079239edbd

SHA256
7e7a9d4a50efb05763c93c98f3370fea6edbe7f19df584c53d9ab6cb645264d6

SHA512
2bd1a5b3deef1638bbc2841634e9f87dea598903a8ac13ff3c50b077bb0aed1031f5fa15cfffb4d043f519cef7c3522ef0453d591ea4b551d8e6616099277ecb

Download Submit
memory/212-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/212-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2440-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2440-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download