08aad1aca4f18420fb1a7afab63f5123bcbb25b83615f36031be54bf46c10207

Analysis

max time kernel
156s
max time network
187s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e6cff92963143c0a40f154daafb450dd.exe
Size

426KB
MD5

e6cff92963143c0a40f154daafb450dd
SHA1

01699630505ec41243a352389ba1bdece6ceb72d
SHA256

08aad1aca4f18420fb1a7afab63f5123bcbb25b83615f36031be54bf46c10207
SHA512

2a9d036b43459762d7dfd7024e5b8141f36581a76ea49dfcb97c8bd8a283acccc5c751ccf228357912360c62d53211e965b06f575514fbf392cc9495e3a5fdf9
SSDEEP

1536:vZ/fgEAqJlV+n1EgGHo7P1YPx28VayonYseB/Y:v1gEZl0nt/P1YPx/oni/Y

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Extracted

Credentials

Protocol: ftp
Host:
ftp.yesimcopy.com
Port:
21
Username:
yesimcopy1
Password:
825cyf

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2616	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	NEAS.e6cff92963143c0a40f154daafb450dd.exe
2380	NEAS.e6cff92963143c0a40f154daafb450dd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\9155172f\jusched.exe	NEAS.e6cff92963143c0a40f154daafb450dd.exe
File created	C:\Program Files (x86)\9155172f\9155172f	NEAS.e6cff92963143c0a40f154daafb450dd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.e6cff92963143c0a40f154daafb450dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2616	2380	NEAS.e6cff92963143c0a40f154daafb450dd.exe	30
PID 2380 wrote to memory of 2616	2380	NEAS.e6cff92963143c0a40f154daafb450dd.exe	30
PID 2380 wrote to memory of 2616	2380	NEAS.e6cff92963143c0a40f154daafb450dd.exe	30
PID 2380 wrote to memory of 2616	2380	NEAS.e6cff92963143c0a40f154daafb450dd.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.e6cff92963143c0a40f154daafb450dd.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e6cff92963143c0a40f154daafb450dd.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files (x86)\9155172f\jusched.exe
  "C:\Program Files (x86)\9155172f\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\9155172f\9155172f

Filesize
17B

MD5
80e7928b124479791c52c09d831495f6

SHA1
94c8cb5ce4b1c1e70a2802efc22395c1003fc8bd

SHA256
a6bb92ad6bdd253818b2660e9befc8e3689b3bee61233f7a67a6ca0695acab12

SHA512
5183e48a8dc4f64277b7a0303f97b704ffa63dcc7256aaddb69994ef108f2f2922d9ec9a62eda403eed6c4f66dd719297c9d24e997f662eded63a49810493d2d

Download Submit
C:\Program Files (x86)\9155172f\jusched.exe

Filesize
426KB

MD5
d8f8457250b933b98aec67f12022cdb2

SHA1
2e824cc2c04341416cf0a4cb6a170eaeb5b67c34

SHA256
656ba6bcd5ac2e2228edce724519fd702a7652743d193f41a6c60338c696df86

SHA512
e6dfb0d3e8f274834e5dbefdb533f641a43fac61cfe95199a81a203381182ad8783f19c3a68abc0b07145ddc7c3ea0b70207ed9ede64d2aa61f20fa562f69ea4

Download Submit
C:\Program Files (x86)\9155172f\jusched.exe

Filesize
426KB

MD5
d8f8457250b933b98aec67f12022cdb2

SHA1
2e824cc2c04341416cf0a4cb6a170eaeb5b67c34

SHA256
656ba6bcd5ac2e2228edce724519fd702a7652743d193f41a6c60338c696df86

SHA512
e6dfb0d3e8f274834e5dbefdb533f641a43fac61cfe95199a81a203381182ad8783f19c3a68abc0b07145ddc7c3ea0b70207ed9ede64d2aa61f20fa562f69ea4

Download Submit
\Program Files (x86)\9155172f\jusched.exe

Filesize
426KB

MD5
d8f8457250b933b98aec67f12022cdb2

SHA1
2e824cc2c04341416cf0a4cb6a170eaeb5b67c34

SHA256
656ba6bcd5ac2e2228edce724519fd702a7652743d193f41a6c60338c696df86

SHA512
e6dfb0d3e8f274834e5dbefdb533f641a43fac61cfe95199a81a203381182ad8783f19c3a68abc0b07145ddc7c3ea0b70207ed9ede64d2aa61f20fa562f69ea4

Download Submit
\Program Files (x86)\9155172f\jusched.exe

Filesize
426KB

MD5
d8f8457250b933b98aec67f12022cdb2

SHA1
2e824cc2c04341416cf0a4cb6a170eaeb5b67c34

SHA256
656ba6bcd5ac2e2228edce724519fd702a7652743d193f41a6c60338c696df86

SHA512
e6dfb0d3e8f274834e5dbefdb533f641a43fac61cfe95199a81a203381182ad8783f19c3a68abc0b07145ddc7c3ea0b70207ed9ede64d2aa61f20fa562f69ea4

Download Submit
memory/2380-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2380-7-0x0000000002540000-0x00000000025A8000-memory.dmp

Filesize
416KB

Download
memory/2380-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2616-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads