Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 17/11/2023, 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
  Resource: win10v2004-20231023-en
General
Target: NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
Size: 145KB
MD5: d8362873ab63b6d1228a8b981b16fa1f
SHA1: 9b1872d88a7dabbc6ea63c67e3f9b064b3b98e82
SHA256: d6efb5e23cd8124846e34b9adf07e1f12b1e2f06d5a5f7c05b712b26d4c71709
SHA512: 8abd8ab4446d9b273d2324f19379633f1d21ae928224191a3f22043f1cc5dd3d18149de03dde8f90fbc4d9f95374285e91891d2e58108f282ba93320783e846a
SSDEEP: 768:P/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfL/G:PRsvcdcQjosnvnZ6LQ1E/G
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: griptoloji
Password: 741852
Signatures
Executes dropped EXE (1 IoC)
  pid 1720, process jusched.exe
Loads dropped DLL (2 IoCs)
  pid 2412, process NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
  pid 2412, process NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, process NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
  File opened for modification: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, process NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
  File created: C:\Program Files (x86)\Java\jre-09\bin\UF, process NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1720, process jusched.exe (64 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2412 (NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe) wrote to memory of PID 1720, procid_target 28 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe"
   PID: 2412
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      PID: 1720
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 145KB
MD5: 061d5a989b78b0d4bb35342966d675e4
SHA1: f9a4ea03c814350fceb76a2ded18b27a4d5887d3
SHA256: a96743d735f0b122748a2f93ac0857e514aa9a7e575d0539a2688aaf1a04104b
SHA512: e5866e159ca16a4054adbd6173754e10e5ce34c2bad827d512f36c18e787a3535af4870328f1e96034e218ba8a6aee5bf3a64fc621eed2f37c97558b27ad9d34