Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2023, 14:10 UTC

General

  • Target

    NEAS.644d40a303585dbab155029e69ca93f0.exe

  • Size

    1.3MB

  • MD5

    644d40a303585dbab155029e69ca93f0

  • SHA1

    36c212c927e22937e8f7d0f0c17d9760d19bccc0

  • SHA256

    65722379adb9a6497e28c5aaed8af37aacc04c5b44c14b538a89091b59ce5ce2

  • SHA512

    f9761d8d750aa5cb5edf54eeda1f59143a18907d30916d6a39751a95c59b172dc7cc208d869f9b15b4949a341f36295a061d9c244b72b9235bc747790ebf6d66

  • SSDEEP

    24576:6wEh5JwhOP7OU8titDdB0DPXytaN+lE2wAdAyq7meznmSFeXGMt/xwCqaLw0IUo:6XSho88RdeitaAKbabXGMtpRNLw0IUo

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.644d40a303585dbab155029e69ca93f0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.644d40a303585dbab155029e69ca93f0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Users\Admin\AppData\Local\Temp\sxe8474.tmp
      "C:\Users\Admin\AppData\Local\Temp\sxe8474.tmp"
      2⤵
      • Executes dropped EXE
      PID:2180

Network

  • flag-us
    DNS
    0.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.1.85.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.1.85.104.in-addr.arpa
    IN PTR
    Response
    198.1.85.104.in-addr.arpa
    IN PTR
    a104-85-1-198deploystaticakamaitechnologiescom
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.111.26.67.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.111.26.67.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 122631
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BB78681F9E9A40539DBC482C41D05093 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
    date: Wed, 01 Nov 2023 17:55:44 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 106065
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E3EFFFF060E142FF9A50B321513351A9 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
    date: Wed, 01 Nov 2023 17:55:44 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301027_1P8EBE4G3UJALA1HE&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301027_1P8EBE4G3UJALA1HE&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 345225
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B1899BD0001F442AB12EEC602BB61C6B Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
    date: Wed, 01 Nov 2023 17:55:44 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 316678
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: FCE9A8A14186435F8EF8432D77AB0C7D Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
    date: Wed, 01 Nov 2023 17:55:44 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 239387
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 398E4B7E316642A5890A8797F7751D03 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:45Z
    date: Wed, 01 Nov 2023 17:55:44 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 296112
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9A453961C8F045E88BC71E35B90A5C52 Ref B: DUS30EDGE0412 Ref C: 2023-11-01T17:55:46Z
    date: Wed, 01 Nov 2023 17:55:45 GMT
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    60.2kB
    1.5MB
    1083
    1080

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317300978_1LR278M4882TDZIMW&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301411_15MW0N7QKPVBOUCK9&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301027_1P8EBE4G3UJALA1HE&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301162_1G7DYX5FX2938M3TM&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301571_1RETF70DD01UVNE0Z&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301460_1LJMCN8XKMH4PYVSW&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200
  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    198.1.85.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    198.1.85.104.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    254.111.26.67.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.111.26.67.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sxe8414.tmp

    Filesize

    15KB

    MD5

    bd815b61f9948f93aface4033fbb4423

    SHA1

    b5391484009b39053fc8b1bba63d444969bafcfa

    SHA256

    b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

    SHA512

    a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

  • C:\Users\Admin\AppData\Local\Temp\sxe8414.tmp

    Filesize

    15KB

    MD5

    bd815b61f9948f93aface4033fbb4423

    SHA1

    b5391484009b39053fc8b1bba63d444969bafcfa

    SHA256

    b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

    SHA512

    a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

  • C:\Users\Admin\AppData\Local\Temp\sxe8474.tmp

    Filesize

    3.8MB

    MD5

    243f215d03ddf12e6821ac05baa421e7

    SHA1

    39b29859050e7929497631c3753e026ded40b38b

    SHA256

    4e061597af4079474ae1e12da8f330d3df5fdce436c24e3acdffe6bbeacb034f

    SHA512

    571af157c208150b37b83ba748898157c0f1d8f7997e623e7f4efd076a7ba0dc2c5c4347b396904469b062f0849ef9411b8bc894dfe495c868622a1c80e7ba09

  • C:\Users\Admin\AppData\Local\Temp\sxe8474.tmp

    Filesize

    3.8MB

    MD5

    243f215d03ddf12e6821ac05baa421e7

    SHA1

    39b29859050e7929497631c3753e026ded40b38b

    SHA256

    4e061597af4079474ae1e12da8f330d3df5fdce436c24e3acdffe6bbeacb034f

    SHA512

    571af157c208150b37b83ba748898157c0f1d8f7997e623e7f4efd076a7ba0dc2c5c4347b396904469b062f0849ef9411b8bc894dfe495c868622a1c80e7ba09

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.