Analysis
max time kernel: 149s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2023 09:08
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.77d814a38abc3c61439c7796212d2690.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.77d814a38abc3c61439c7796212d2690.exe
  Resource: win10v2004-20231130-en
General
Target: NEAS.77d814a38abc3c61439c7796212d2690.exe
Size: 132KB
MD5: 77d814a38abc3c61439c7796212d2690
SHA1: 6e7f140b67172dc1aa5537f20105b92386cadc9d
SHA256: ec27f1ca119792f6402223cf375a176989f9f90058d22d2d6c55a62ba97df612
SHA512: 33f86812587623fe148d86b60146a162ad4db1cbe8dbe5d92bed917fc92352fd6343a801141df2f36f458f24f3d5fe5545d1e80d4ff89c418d6fea4f68d7d708
SSDEEP: 3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JKf:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJWP
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation
  Process: NEAS.77d814a38abc3c61439c7796212d2690.exe
- Executes dropped EXE (1 IoC)
  pid: 4344
  Process: szgfw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3112 wrote to memory of 4344 | 3112 | NEAS.77d814a38abc3c61439c7796212d2690.exe | 89
  PID 3112 wrote to memory of 4344 | 3112 | NEAS.77d814a38abc3c61439c7796212d2690.exe | 89
  PID 3112 wrote to memory of 4344 | 3112 | NEAS.77d814a38abc3c61439c7796212d2690.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.77d814a38abc3c61439c7796212d2690.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.77d814a38abc3c61439c7796212d2690.exe"
  PID: 3112
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
    PID: 4344
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 132KB
  MD5: 2b97e1cb24b0f3f1a120576c04622e58
  SHA1: 2264499064afca0c3b0e3235f5a191c466bbe475
  SHA256: 18a37e4bf9884409a0f1e97ba656803d01e727f9b50741a4e95c93185ec10096
  SHA512: 257bf4a902ea60f8b90c8adf29d1391193de5d4fe2fe91e3343b766a1aa35bdd1613d5d55b16ba3c100f0ee2f7e376af9d5b6380558e64bc22241dae41e5b94f