07f8c94a943d14c0691d3dd5a36037f63cac62f378ec80338c52995e357e8e12

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe
Size

426KB
MD5

f96d72c2ec720db9b8cca7ce9f403390
SHA1

212f374f6de532eab335d9efd95d02d7df6c704c
SHA256

07f8c94a943d14c0691d3dd5a36037f63cac62f378ec80338c52995e357e8e12
SHA512

675bef417900d5ce1c78d7373c4efc977e700c8f1be2b7ef95f08083adfaf2757f1eb5394fd13eafef67b2470dd1b59b952c3f5667ec9736f58e8dbf3c2b75af
SSDEEP

3072:0ChJgYMm4xf9cU9KQ2BxA59SPMsOo6n2f0YK0FN8lpSUyKncAxi2/:8YMm4xiWKQ2BiCMMZK03kNcAT/

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe

Executes dropped EXE 1 IoCs

pid	Process
4352	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\87b6dc2f\jusched.exe	NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe
File created	C:\Program Files (x86)\87b6dc2f\87b6dc2f	NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4352	4228	NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe	95
PID 4228 wrote to memory of 4352	4228	NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe	95
PID 4228 wrote to memory of 4352	4228	NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f96d72c2ec720db9b8cca7ce9f403390.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Program Files (x86)\87b6dc2f\jusched.exe
  "C:\Program Files (x86)\87b6dc2f\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\87b6dc2f\87b6dc2f

Filesize
17B

MD5
89931a70501a3362b6823b53523f5a77

SHA1
88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

SHA256
d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

SHA512
8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

Download Submit
C:\Program Files (x86)\87b6dc2f\jusched.exe

Filesize
426KB

MD5
7321b4aa7bf6cc655acbf838da93b322

SHA1
b511c21b719f81bfcea94273c1a6909d1fe16879

SHA256
e1fa3f503298e3ca9336cba676328cbd4dd3e8f23cc8bb5be670699fc9be7e5c

SHA512
d4f113014b8193e7d057c1b0eddaf8c178c432c5ec9117573d090662d1e9bd908ea669d3124499585287c363e1954b8a39d33b4c6165466d6e0d5e263eacea2b

Download Submit
C:\Program Files (x86)\87b6dc2f\jusched.exe

Filesize
426KB

MD5
7321b4aa7bf6cc655acbf838da93b322

SHA1
b511c21b719f81bfcea94273c1a6909d1fe16879

SHA256
e1fa3f503298e3ca9336cba676328cbd4dd3e8f23cc8bb5be670699fc9be7e5c

SHA512
d4f113014b8193e7d057c1b0eddaf8c178c432c5ec9117573d090662d1e9bd908ea669d3124499585287c363e1954b8a39d33b4c6165466d6e0d5e263eacea2b

Download Submit
C:\Program Files (x86)\87b6dc2f\jusched.exe

Filesize
426KB

MD5
7321b4aa7bf6cc655acbf838da93b322

SHA1
b511c21b719f81bfcea94273c1a6909d1fe16879

SHA256
e1fa3f503298e3ca9336cba676328cbd4dd3e8f23cc8bb5be670699fc9be7e5c

SHA512
d4f113014b8193e7d057c1b0eddaf8c178c432c5ec9117573d090662d1e9bd908ea669d3124499585287c363e1954b8a39d33b4c6165466d6e0d5e263eacea2b

Download Submit
memory/4228-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4228-15-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4352-14-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download