Overview

overview

10

Static

static

3

NEAS.cf743...70.exe

windows7-x64

10

NEAS.cf743...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2023 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.cf743ae6c4f72d57c6797bd9229d1d70.exe

  • Size

    1.8MB

  • MD5

    cf743ae6c4f72d57c6797bd9229d1d70

  • SHA1

    99890128c080c44853e04981a86c9168f43ec50b

  • SHA256

    270766047e1292c04959cee166a016eab36a90ae9740b2d7d98a6d5e32054e33

  • SHA512

    2c8d80a5b7b9a3772010e18706d0bb0341942b318156068c880261a90bcd77303dce02c3e7560fad5c5034199b26371372226f2a81415d972e0e1c790abbe9d5

  • SSDEEP

    24576:Xh8jiLnYT5mG3MMQ+bLPTCvsbRXstS9pVH:Xh8jiLnYT5mG8H+nTOsbRXstS9pVH

Score
10/10
upatredownloader

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

    downloaderupatre
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.cf743ae6c4f72d57c6797bd9229d1d70.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.cf743ae6c4f72d57c6797bd9229d1d70.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    1.8MB

    MD5

    cf0a00a8aef5ef3979b0243b8a4ba99a

    SHA1

    8848063ed319e2ff9d6cd37125bff40ac3234932

    SHA256

    3e9ff765f9117017d13978b2c581d11d3570ab0acf323913a9535f1576f0da5a

    SHA512

    fb6ac862f63adf3d65f468036e002031aa8c500717f9733b15b466614a62c2a64f9973559e4e393f88cd76271ef6dd6ca11dc4b55e9a683b67d75c5bfe58f12d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    1.8MB

    MD5

    cf0a00a8aef5ef3979b0243b8a4ba99a

    SHA1

    8848063ed319e2ff9d6cd37125bff40ac3234932

    SHA256

    3e9ff765f9117017d13978b2c581d11d3570ab0acf323913a9535f1576f0da5a

    SHA512

    fb6ac862f63adf3d65f468036e002031aa8c500717f9733b15b466614a62c2a64f9973559e4e393f88cd76271ef6dd6ca11dc4b55e9a683b67d75c5bfe58f12d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    1.8MB

    MD5

    cf0a00a8aef5ef3979b0243b8a4ba99a

    SHA1

    8848063ed319e2ff9d6cd37125bff40ac3234932

    SHA256

    3e9ff765f9117017d13978b2c581d11d3570ab0acf323913a9535f1576f0da5a

    SHA512

    fb6ac862f63adf3d65f468036e002031aa8c500717f9733b15b466614a62c2a64f9973559e4e393f88cd76271ef6dd6ca11dc4b55e9a683b67d75c5bfe58f12d

    Download Submit