18e708cb84cabf4dec525ea16569fd45f6d7787fe905123752473cffa7c5ce0c

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2023 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.341dedc9f376bf051dc164b9def2e350.exe
Size

218KB
MD5

341dedc9f376bf051dc164b9def2e350
SHA1

a56b51a1bceea109d516e3b7a2c8127e8fa2efff
SHA256

18e708cb84cabf4dec525ea16569fd45f6d7787fe905123752473cffa7c5ce0c
SHA512

542c45d4e9d37d65b5ba70a6c685fe5fcd1a23da9863e026b70c689a21d0ac514819c5248efd42f66e0ad7ec4743ae08ee41e7742fb09b9731a6c38afe1e32f3
SSDEEP

1536:AvVQb4cLIkN+4Weat2RKLjWlC48Pp9JAcjZSrowPYJZBd8Laz:AvVQLIkLWeaA8KlCph9YrowPYJZALk

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.341dedc9f376bf051dc164b9def2e350.exe

Executes dropped EXE 1 IoCs

pid	Process
504	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\355998e2\jusched.exe	NEAS.341dedc9f376bf051dc164b9def2e350.exe
File created	C:\Program Files (x86)\355998e2\355998e2	NEAS.341dedc9f376bf051dc164b9def2e350.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	NEAS.341dedc9f376bf051dc164b9def2e350.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 504	3784	NEAS.341dedc9f376bf051dc164b9def2e350.exe	93
PID 3784 wrote to memory of 504	3784	NEAS.341dedc9f376bf051dc164b9def2e350.exe	93
PID 3784 wrote to memory of 504	3784	NEAS.341dedc9f376bf051dc164b9def2e350.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.341dedc9f376bf051dc164b9def2e350.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.341dedc9f376bf051dc164b9def2e350.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Program Files (x86)\355998e2\jusched.exe
  "C:\Program Files (x86)\355998e2\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\355998e2\355998e2

Filesize
17B

MD5
7bdf61d37c9adf3e1c6937107016091f

SHA1
56b8e0c454f9dd16d508a04b3afa7e458453ac41

SHA256
4c57d86c256214baa0a5a3322ef5cdd575210455b7e964ad60382bd9d4be12e0

SHA512
ff4fc1a427c84f47042375749f45ee6edea73b902ae977f14243ebceb7b9a28f41fe5dd404e3ea381754d9122202bc6b61ed0152b20a1c1be76c225dd20861d1

Download Submit
C:\Program Files (x86)\355998e2\jusched.exe

Filesize
218KB

MD5
2cefa360ae5cb6950ace36e7ae733369

SHA1
f6e04366fbacc45bed9537f044d3b73c5690647e

SHA256
f38914acfbae1b73b5754c34e896ca6824f45b3bf775e9c63351338d2ac9b0de

SHA512
dcc20809635afa186a57def7d7b50c8995726a38eb2244049fbba47b600a0b48679f538b8a5238463ee509c6ce88bfad45af4369fddb21b48adc58de458d6895

Download Submit
C:\Program Files (x86)\355998e2\jusched.exe

Filesize
218KB

MD5
2cefa360ae5cb6950ace36e7ae733369

SHA1
f6e04366fbacc45bed9537f044d3b73c5690647e

SHA256
f38914acfbae1b73b5754c34e896ca6824f45b3bf775e9c63351338d2ac9b0de

SHA512
dcc20809635afa186a57def7d7b50c8995726a38eb2244049fbba47b600a0b48679f538b8a5238463ee509c6ce88bfad45af4369fddb21b48adc58de458d6895

Download Submit
C:\Program Files (x86)\355998e2\jusched.exe

Filesize
218KB

MD5
2cefa360ae5cb6950ace36e7ae733369

SHA1
f6e04366fbacc45bed9537f044d3b73c5690647e

SHA256
f38914acfbae1b73b5754c34e896ca6824f45b3bf775e9c63351338d2ac9b0de

SHA512
dcc20809635afa186a57def7d7b50c8995726a38eb2244049fbba47b600a0b48679f538b8a5238463ee509c6ce88bfad45af4369fddb21b48adc58de458d6895

Download Submit
memory/504-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/504-16-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3784-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3784-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download