Overview

overview

10

Static

static

3

NEAS.ab3a4...JC.exe

windows7-x64

10

NEAS.ab3a4...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2023 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.ab3a4b6ee8495919f40a51dfa6293270_JC.exe

  • Size

    62KB

  • MD5

    ab3a4b6ee8495919f40a51dfa6293270

  • SHA1

    1872c71ab54dbf50db7b02dd3b1eda12172bb54a

  • SHA256

    dac9083e2232dd56a7f28b9ec3a35a155a4d7dd88e9d1d16ecc56e9e86c252e0

  • SHA512

    9aa26f908e9511796edb24d7a7ba75a0c34cfe76bee4a701db9455ae04b77dc1aa066a404fbd89982af2f8919a383ad1733dd03d360f91e73956fb8663f4427b

  • SSDEEP

    1536:5Y9jw/dUT62rGdiUOWWrMffJ+AxM+I+ceWgKU:5Y9CUT62/UOVMffJ+AW+I+cE

Score
10/10
upatredownloader

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

    downloaderupatre
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.ab3a4b6ee8495919f40a51dfa6293270_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.ab3a4b6ee8495919f40a51dfa6293270_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    62KB

    MD5

    fabd9a7c8a166a29070501cbf2dd370d

    SHA1

    15c76047ac9dc7d9ea19a675d1ef3f9a5aa656ab

    SHA256

    6579cf2df4e70b62e39365bf3ba20a3274849e90df30f566c011e5011e30343d

    SHA512

    c223e4952bb567f970f5a08d82cb0c58a545af3c7c7b4dc74600f8bee72a0cf830fe10ea3d8d1b5d5d8e7fbe63cb723981b882b7a1ab92326f105d4fd3b4a6a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    62KB

    MD5

    fabd9a7c8a166a29070501cbf2dd370d

    SHA1

    15c76047ac9dc7d9ea19a675d1ef3f9a5aa656ab

    SHA256

    6579cf2df4e70b62e39365bf3ba20a3274849e90df30f566c011e5011e30343d

    SHA512

    c223e4952bb567f970f5a08d82cb0c58a545af3c7c7b4dc74600f8bee72a0cf830fe10ea3d8d1b5d5d8e7fbe63cb723981b882b7a1ab92326f105d4fd3b4a6a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    62KB

    MD5

    fabd9a7c8a166a29070501cbf2dd370d

    SHA1

    15c76047ac9dc7d9ea19a675d1ef3f9a5aa656ab

    SHA256

    6579cf2df4e70b62e39365bf3ba20a3274849e90df30f566c011e5011e30343d

    SHA512

    c223e4952bb567f970f5a08d82cb0c58a545af3c7c7b4dc74600f8bee72a0cf830fe10ea3d8d1b5d5d8e7fbe63cb723981b882b7a1ab92326f105d4fd3b4a6a0

    Download Submit

  • memory/1892-0-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1892-1-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1892-6-0x0000000000530000-0x0000000000531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-8-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2268-17-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download