Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 14:10 UTC
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.644d40a303585dbab155029e69ca93f0.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.644d40a303585dbab155029e69ca93f0.exe
Resource
win10v2004-20231025-en
General
-
Target
NEAS.644d40a303585dbab155029e69ca93f0.exe
-
Size
1.3MB
-
MD5
644d40a303585dbab155029e69ca93f0
-
SHA1
36c212c927e22937e8f7d0f0c17d9760d19bccc0
-
SHA256
65722379adb9a6497e28c5aaed8af37aacc04c5b44c14b538a89091b59ce5ce2
-
SHA512
f9761d8d750aa5cb5edf54eeda1f59143a18907d30916d6a39751a95c59b172dc7cc208d869f9b15b4949a341f36295a061d9c244b72b9235bc747790ebf6d66
-
SSDEEP
24576:6wEh5JwhOP7OU8titDdB0DPXytaN+lE2wAdAyq7meznmSFeXGMt/xwCqaLw0IUo:6XSho88RdeitaAKbabXGMtpRNLw0IUo
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2180 sxe8474.tmp -
Loads dropped DLL 2 IoCs
pid Process 2864 NEAS.644d40a303585dbab155029e69ca93f0.exe 2864 NEAS.644d40a303585dbab155029e69ca93f0.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2864 wrote to memory of 2180 2864 NEAS.644d40a303585dbab155029e69ca93f0.exe 85 PID 2864 wrote to memory of 2180 2864 NEAS.644d40a303585dbab155029e69ca93f0.exe 85 PID 2864 wrote to memory of 2180 2864 NEAS.644d40a303585dbab155029e69ca93f0.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.644d40a303585dbab155029e69ca93f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.644d40a303585dbab155029e69ca93f0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\sxe8474.tmp"C:\Users\Admin\AppData\Local\Temp\sxe8474.tmp"2⤵
- Executes dropped EXE
PID:2180
-
Network
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request9.228.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.1.85.104.in-addr.arpaIN PTRResponse198.1.85.104.in-addr.arpaIN PTRa104-85-1-198deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request254.111.26.67.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEdual-a-0001.a-msedge.netdual-a-0001.a-msedge.netIN A204.79.197.200dual-a-0001.a-msedge.netIN A13.107.21.200
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 122631
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BB78681F9E9A40539DBC482C41D05093 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
date: Wed, 01 Nov 2023 17:55:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 106065
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E3EFFFF060E142FF9A50B321513351A9 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
date: Wed, 01 Nov 2023 17:55:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301027_1P8EBE4G3UJALA1HE&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301027_1P8EBE4G3UJALA1HE&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 345225
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B1899BD0001F442AB12EEC602BB61C6B Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
date: Wed, 01 Nov 2023 17:55:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 316678
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FCE9A8A14186435F8EF8432D77AB0C7D Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
date: Wed, 01 Nov 2023 17:55:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 239387
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 398E4B7E316642A5890A8797F7751D03 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
date: Wed, 01 Nov 2023 17:55:44 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4Remote address:204.79.197.200:443RequestGET /th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 296112
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9A453961C8F045E88BC71E35B90A5C52 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:46Z
date: Wed, 01 Nov 2023 17:55:45 GMT
-
1.2kB 8.3kB 16 14
-
1.2kB 8.3kB 16 14
-
204.79.197.200:443https://tse1.mm.bing.net/th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4tls, http260.2kB 1.5MB 1083 1080
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&w=1080&h=1920&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301027_1P8EBE4G3UJALA1HE&pid=21.2&w=1920&h=1080&c=4HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4HTTP Response
200
-
71 B 157 B 1 1
DNS Request
0.159.190.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
9.228.82.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
198.1.85.104.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
72 B 126 B 1 1
DNS Request
254.111.26.67.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
62 B 173 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
204.79.197.20013.107.21.200
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD5bd815b61f9948f93aface4033fbb4423
SHA1b5391484009b39053fc8b1bba63d444969bafcfa
SHA256b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76
SHA512a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71
-
Filesize
15KB
MD5bd815b61f9948f93aface4033fbb4423
SHA1b5391484009b39053fc8b1bba63d444969bafcfa
SHA256b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76
SHA512a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71
-
Filesize
3.8MB
MD5243f215d03ddf12e6821ac05baa421e7
SHA139b29859050e7929497631c3753e026ded40b38b
SHA2564e061597af4079474ae1e12da8f330d3df5fdce436c24e3acdffe6bbeacb034f
SHA512571af157c208150b37b83ba748898157c0f1d8f7997e623e7f4efd076a7ba0dc2c5c4347b396904469b062f0849ef9411b8bc894dfe495c868622a1c80e7ba09
-
Filesize
3.8MB
MD5243f215d03ddf12e6821ac05baa421e7
SHA139b29859050e7929497631c3753e026ded40b38b
SHA2564e061597af4079474ae1e12da8f330d3df5fdce436c24e3acdffe6bbeacb034f
SHA512571af157c208150b37b83ba748898157c0f1d8f7997e623e7f4efd076a7ba0dc2c5c4347b396904469b062f0849ef9411b8bc894dfe495c868622a1c80e7ba09