d6efb5e23cd8124846e34b9adf07e1f12b1e2f06d5a5f7c05b712b26d4c71709

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
Size

145KB
MD5

d8362873ab63b6d1228a8b981b16fa1f
SHA1

9b1872d88a7dabbc6ea63c67e3f9b064b3b98e82
SHA256

d6efb5e23cd8124846e34b9adf07e1f12b1e2f06d5a5f7c05b712b26d4c71709
SHA512

8abd8ab4446d9b273d2324f19379633f1d21ae928224191a3f22043f1cc5dd3d18149de03dde8f90fbc4d9f95374285e91891d2e58108f282ba93320783e846a
SSDEEP

768:P/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfL/G:PRsvcdcQjosnvnZ6LQ1E/G

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1720	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
2412	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe
1720	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1720	2412	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe	28
PID 2412 wrote to memory of 1720	2412	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe	28
PID 2412 wrote to memory of 1720	2412	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe	28
PID 2412 wrote to memory of 1720	2412	NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d8362873ab63b6d1228a8b981b16fa1f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
145KB

MD5
061d5a989b78b0d4bb35342966d675e4

SHA1
f9a4ea03c814350fceb76a2ded18b27a4d5887d3

SHA256
a96743d735f0b122748a2f93ac0857e514aa9a7e575d0539a2688aaf1a04104b

SHA512
e5866e159ca16a4054adbd6173754e10e5ce34c2bad827d512f36c18e787a3535af4870328f1e96034e218ba8a6aee5bf3a64fc621eed2f37c97558b27ad9d34

Download Submit
C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
145KB

MD5
061d5a989b78b0d4bb35342966d675e4

SHA1
f9a4ea03c814350fceb76a2ded18b27a4d5887d3

SHA256
a96743d735f0b122748a2f93ac0857e514aa9a7e575d0539a2688aaf1a04104b

SHA512
e5866e159ca16a4054adbd6173754e10e5ce34c2bad827d512f36c18e787a3535af4870328f1e96034e218ba8a6aee5bf3a64fc621eed2f37c97558b27ad9d34

Download Submit
C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
145KB

MD5
061d5a989b78b0d4bb35342966d675e4

SHA1
f9a4ea03c814350fceb76a2ded18b27a4d5887d3

SHA256
a96743d735f0b122748a2f93ac0857e514aa9a7e575d0539a2688aaf1a04104b

SHA512
e5866e159ca16a4054adbd6173754e10e5ce34c2bad827d512f36c18e787a3535af4870328f1e96034e218ba8a6aee5bf3a64fc621eed2f37c97558b27ad9d34

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
145KB

MD5
061d5a989b78b0d4bb35342966d675e4

SHA1
f9a4ea03c814350fceb76a2ded18b27a4d5887d3

SHA256
a96743d735f0b122748a2f93ac0857e514aa9a7e575d0539a2688aaf1a04104b

SHA512
e5866e159ca16a4054adbd6173754e10e5ce34c2bad827d512f36c18e787a3535af4870328f1e96034e218ba8a6aee5bf3a64fc621eed2f37c97558b27ad9d34

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
145KB

MD5
061d5a989b78b0d4bb35342966d675e4

SHA1
f9a4ea03c814350fceb76a2ded18b27a4d5887d3

SHA256
a96743d735f0b122748a2f93ac0857e514aa9a7e575d0539a2688aaf1a04104b

SHA512
e5866e159ca16a4054adbd6173754e10e5ce34c2bad827d512f36c18e787a3535af4870328f1e96034e218ba8a6aee5bf3a64fc621eed2f37c97558b27ad9d34

Download Submit
memory/2412-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-12-0x00000000044F0000-0x000000000451F000-memory.dmp

Filesize
188KB

Download
memory/2412-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-7-0x00000000044F0000-0x000000000451F000-memory.dmp

Filesize
188KB

Download