Analysis
-
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2023 09:44

Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.97b76194d56f463022d67ae45e135bf0.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: NEAS.97b76194d56f463022d67ae45e135bf0.exe
  Resource: win10v2004-20231127-en
General
-
Target: NEAS.97b76194d56f463022d67ae45e135bf0.exe
Size: 67KB
MD5: 97b76194d56f463022d67ae45e135bf0
SHA1: db62297ce097c51c8a7c0bc9011f99613cd7211a
SHA256: a314e298d1c149d920cee6ee3f3af428092923cdb05bee3b62195e55a63fbb0b
SHA512: 5729ec63b682714ccf5230e7d969036142817b428ffbb62cf9e09402138083062f9ee202f0ab6200ccac3c4efcd13c25337bf843f0959f83a5ac7c0d3feb53b8
SSDEEP: 768:v+xAURMDKRji3xVfIs3rtC5bdFrCZa2fCOoj5ZuLHXMZLXPJHPLk182440yqspTH:vCWDKUlsCZD1mh8txVQnlRIFYK4Ncp1N
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation   NEAS.97b76194d56f463022d67ae45e135bf0.exe
-
Executes dropped EXE (1 IoC)
  pid    Process
  2208   szgfw.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process                                     procid_target
  PID 3480 wrote to memory of 2208   3480   NEAS.97b76194d56f463022d67ae45e135bf0.exe   88
  PID 3480 wrote to memory of 2208   3480   NEAS.97b76194d56f463022d67ae45e135bf0.exe   88
  PID 3480 wrote to memory of 2208   3480   NEAS.97b76194d56f463022d67ae45e135bf0.exe   88
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.97b76194d56f463022d67ae45e135bf0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.97b76194d56f463022d67ae45e135bf0.exe"  (level 1, PID 3480)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"  (level 2, PID 2208, child of 3480)
    - Executes dropped EXE
-
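The process tree and the WriteProcessMemory rows above are the part of this report that carries the verdict: the sample (PID 3480) launched szgfw.exe from the same Temp directory and wrote into its memory three times before the child was tagged as an executed dropped EXE. The script below is an added example, not tooling from the sandbox or from the page, that rebuilds the parent/child links from the report's nesting levels, collapses the repeated IoC rows and flags writer/target pairs that have the shape of a dropper seeding a child it just spawned. The rows it parses are constructed from the values on this page; the scoring thresholds and reason strings are the example's own.

```python
"""Triage helper for the process tree and WriteProcessMemory IoCs of a sandbox
report. Added example, not tooling from the sandbox vendor; the rows below are
constructed from the report above (PIDs, paths and IoC wording copied from it)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Process tree rows as (nesting level, PID, image path), from the "Processes" section.
PROCESS_ROWS: List[Tuple[int, int, str]] = [
    (1, 3480, r"C:\Users\Admin\AppData\Local\Temp\NEAS.97b76194d56f463022d67ae45e135bf0.exe"),
    (2, 2208, r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"),
]

# "Suspicious use of WriteProcessMemory" IoC descriptions, verbatim from the report.
WPM_LINES: List[str] = [
    "PID 3480 wrote to memory of 2208",
    "PID 3480 wrote to memory of 2208",
    "PID 3480 wrote to memory of 2208",
]

# PIDs the report tags with "Executes dropped EXE".
DROPPED_EXE_PIDS = {2208}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int] = None
    children: List[int] = field(default_factory=list)


def build_tree(rows: List[Tuple[int, int, str]]) -> Dict[int, Proc]:
    """Rebuild parent/child links from the report's nesting levels.

    Rows are in display order; a row at level n is a child of the most recent
    row at level n-1, so a stack of (level, pid) recovers the parent.
    """
    procs: Dict[int, Proc] = {}
    stack: List[Tuple[int, int]] = []
    for level, pid, image in rows:
        while stack and stack[-1][0] >= level:
            stack.pop()
        parent = stack[-1][1] if stack else None
        procs[pid] = Proc(pid, image, parent)
        if parent is not None:
            procs[parent].children.append(pid)
        stack.append((level, pid))
    return procs


def count_writes(lines: List[str]) -> Dict[Tuple[int, int], int]:
    """Collapse repeated 'PID a wrote to memory of b' rows into (a, b) -> count."""
    counts: Dict[Tuple[int, int], int] = {}
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            counts[key] = counts.get(key, 0) + 1
    return counts


def find_injection_candidates(procs: Dict[int, Proc],
                              writes: Dict[Tuple[int, int], int],
                              dropped_pids) -> List[dict]:
    """Flag writer/target pairs that look like a dropper seeding a child it spawned.

    A parent writing into a child it just created is the shape of process
    hollowing, but also of some benign launchers; the report alone cannot tell
    them apart, so each finding carries its reasons for the analyst to weigh.
    """
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if src not in procs or dst not in procs:
            continue  # IoC names a PID outside the tree; nothing to reason about
        target = procs[dst]
        reasons = []
        if target.parent == src:
            reasons.append("target is a direct child of the writer")
        if TEMP_RE.search(target.image):
            reasons.append("target image runs from the user's Temp directory")
        if dst in dropped_pids:
            reasons.append("target is tagged as a dropped EXE")
        if len(reasons) >= 2:  # threshold chosen for this example
            findings.append({"writer": src, "target": dst, "writes": n,
                             "target_image": target.image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    tree = build_tree(PROCESS_ROWS)
    for f in find_injection_candidates(tree, count_writes(WPM_LINES), DROPPED_EXE_PIDS):
        print(f"{f['writer']} -> {f['target']} ({f['writes']} writes): {f['target_image']}")
        for r in f["reasons"]:
            print("   -", r)
```

On this report the single finding is 3480 -> 2208 with all three reasons. The follow-up the tree cannot answer is whether szgfw.exe on disk is what actually ran: compare the dropped file's hashes in the Downloads section with the image of PID 2208 in a memory dump before calling it hollowing rather than a plain drop-and-execute.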
Network
-
Every HTTP flow in the capture goes to a Bing endpoint with a Windows shell user-agent (WindowsShellClient/9.0 for the ad beacon, an Edge/18 browser string for the large JPEG fetches); the remaining entries are reverse (PTR) lookups sent to 8.8.8.8. The report attributes none of these flows to the sample or to szgfw.exe, and no other host appears in the capture.
DNS, remote address 8.8.8.8:53
Request: 68.159.190.20.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: 241.154.82.20.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: g.bing.com IN A
Response:
  g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
  g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
  dual-a-0001.a-msedge.net IN A 204.79.197.200
  dual-a-0001.a-msedge.net IN A 13.107.21.200
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid=
Remote address: 204.79.197.200:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3E764E53AAA26D6234065D8FABEA6C41; domain=.bing.com; expires=Fri, 27-Dec-2024 09:44:35 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F6E827D9112A42EF8DEC5FEC4C314CA1 Ref B: BRU30EDGE0812 Ref C: 2023-12-03T09:44:35Z
date: Sun, 03 Dec 2023 09:44:35 GMT
-
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid=
Remote address: 204.79.197.200:443
Request:
GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3E764E53AAA26D6234065D8FABEA6C41
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2037DF2F87D44102A52758AEDFE0698D Ref B: BRU30EDGE0812 Ref C: 2023-12-03T09:44:35Z
date: Sun, 03 Dec 2023 09:44:35 GMT
-
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid=
Remote address: 204.79.197.200:443
Request:
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3E764E53AAA26D6234065D8FABEA6C41
Response:
HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 15CB2D82CF6B423B870B19ED9A0FC608 Ref B: BRU30EDGE0812 Ref C: 2023-12-03T09:44:35Z
date: Sun, 03 Dec 2023 09:44:35 GMT
-
DNS, remote address 8.8.8.8:53
Request: 226.235.55.23.in-addr.arpa IN PTR
Response: 226.235.55.23.in-addr.arpa IN PTR a23-55-235-226.deploy.static.akamaitechnologies.com
-
DNS, remote address 8.8.8.8:53
Request: 200.197.79.204.in-addr.arpa IN PTR
Response: 200.197.79.204.in-addr.arpa IN PTR a-0001.a-msedge.net
-
DNS, remote address 8.8.8.8:53
Request: 57.169.31.20.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: 226.173.246.72.in-addr.arpa IN PTR
Response: 226.173.246.72.in-addr.arpa IN PTR a72-246-173-226.deploy.static.akamaitechnologies.com
-
DNS, remote address 8.8.8.8:53
Request: tse1.mm.bing.net IN A
Response:
  tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
  mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
  dual-a-0001.a-msedge.net IN A 204.79.197.200
  dual-a-0001.a-msedge.net IN A 13.107.21.200
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&w=1920&h=1080&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 210177
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E7258B6FFC5842C5A3F9A56682666F9C Ref B: AMS04EDGE3420 Ref C: 2023-12-03T09:44:36Z
date: Sun, 03 Dec 2023 09:44:36 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 416984
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6E0542F5AE8540108600F4192E5BD2FC Ref B: AMS04EDGE3420 Ref C: 2023-12-03T09:44:36Z
date: Sun, 03 Dec 2023 09:44:36 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 408529
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D8FBE0C4B9854204BE12116250710B72 Ref B: AMS04EDGE3420 Ref C: 2023-12-03T09:44:36Z
date: Sun, 03 Dec 2023 09:44:36 GMT
-
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&w=1080&h=1920&c=4
Remote address: 204.79.197.200:443
Request:
GET /th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
Response:
HTTP/2.0 200
content-length: 212527
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6827F55C394246F1820E92E9FF582BEA Ref B: AMS04EDGE3420 Ref C: 2023-12-03T09:44:36Z
date: Sun, 03 Dec 2023 09:44:36 GMT
-
DNS, remote address 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: 26.165.165.52.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: 206.23.85.13.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: 23.160.77.104.in-addr.arpa IN PTR
Response: 23.160.77.104.in-addr.arpa IN PTR a104-77-160-23.deploy.static.akamaitechnologies.com
-
DNS, remote address 8.8.8.8:53
Request: 50.238.32.23.in-addr.arpa IN PTR
Response: 50.238.32.23.in-addr.arpa IN PTR a23-32-238-50.deploy.static.akamaitechnologies.com
-
DNS, remote address 8.8.8.8:53
Request: 14.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: 240.221.184.93.in-addr.arpa IN PTR
Response: (empty)
-
DNS, remote address 8.8.8.8:53
Request: 24.73.42.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address        Protocol     Sent     Received   Packets
204.79.197.200:443    tls, http2   1.9kB    9.3kB      22 / 18
  HTTP Request   GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid=
  HTTP Response  204
  HTTP Request   GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid=
  HTTP Response  204
  HTTP Request   GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=2662cd42b4d54efcae49465f8754c93f&localId=w:98470707-4D7A-9B5E-D19D-B989235A330A&deviceId=6825826206357472&anid=
  HTTP Response  204
-
                                   1.2kB    8.3kB      16 / 14
-
                                   1.2kB    8.3kB      16 / 14
-
                                   1.2kB    8.3kB      16 / 14
-
204.79.197.200:443    tls, http2   44.5kB   1.3MB      946 / 943
  HTTP Request   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&w=1920&h=1080&c=4
  HTTP Request   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301025_159EZPKLFPK71SUGC&pid=21.2&w=1920&h=1080&c=4
  HTTP Request   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301458_1O5GXDV85M53L16NQ&pid=21.2&w=1080&h=1920&c=4
  HTTP Request   GET https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&w=1080&h=1920&c=4
  HTTP Response  200
  HTTP Response  200
  HTTP Response  200
  HTTP Response  200
-
Sent   Received   Packets   DNS Request                    DNS Response
72 B   158 B      1 / 1     68.159.190.20.in-addr.arpa
72 B   158 B      1 / 1     241.154.82.20.in-addr.arpa
56 B   158 B      1 / 1     g.bing.com                     204.79.197.200, 13.107.21.200
72 B   137 B      1 / 1     226.235.55.23.in-addr.arpa
73 B   106 B      1 / 1     200.197.79.204.in-addr.arpa
71 B   157 B      1 / 1     57.169.31.20.in-addr.arpa
73 B   139 B      1 / 1     226.173.246.72.in-addr.arpa
62 B   173 B      1 / 1     tse1.mm.bing.net               204.79.197.200, 13.107.21.200
73 B   144 B      1 / 1     95.221.229.192.in-addr.arpa
72 B   146 B      1 / 1     26.165.165.52.in-addr.arpa
71 B   145 B      1 / 1     206.23.85.13.in-addr.arpa
72 B   137 B      1 / 1     23.160.77.104.in-addr.arpa
71 B   135 B      1 / 1     50.238.32.23.in-addr.arpa
72 B   158 B      1 / 1     14.227.111.52.in-addr.arpa
73 B   144 B      1 / 1     240.221.184.93.in-addr.arpa
70 B   156 B      1 / 1     24.73.42.20.in-addr.arpa
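The flows above are the kind of background traffic every Windows sandbox image produces, and the analyst's first job is to separate them from anything the sample itself did. The script below is an added example, not part of the report or the sandbox's tooling: it parses request/response blocks in the layout this report uses, then marks a flow as background only when both the host and the user-agent match a known OS component, listing the reasons for everything else. TRANSCRIPT is constructed: the first two exchanges are copied from the report, the third is invented (RFC 5737 test address, hypothetical path) purely to exercise the review path and is not in the capture; the host suffixes and user-agent markers are the example's own allowlist, taken from what this report shows.

```python
"""Split a sandbox report's HTTP flows into OS/sandbox background noise and flows
that still need an analyst. Added example, not part of the report or the sandbox
tooling. TRANSCRIPT is constructed: the first two exchanges are copied from the
report above; the third is invented (RFC 5737 test address) only to exercise the
'review' path and does not appear in the capture."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRANSCRIPT = """\
GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541 HTTP/2.0
host: g.bing.com
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

HTTP/2.0 204

GET /th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

HTTP/2.0 200
content-length: 210177

GET /gate.php?id=1 HTTP/1.1
host: 203.0.113.10
user-agent: Mozilla/4.0 (compatible; MSIE 6.0)

HTTP/1.1 200
content-length: 12
"""

REQ_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d(?:\.\d)?)$")
RESP_RE = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Endpoints and client strings of the Windows shell components seen in this
# report (ad beacon, image fetches). An allowlist: extend it per sandbox image.
BACKGROUND_HOST_SUFFIXES = (".bing.com", ".bing.net", ".msedge.net")
BACKGROUND_UA_MARKERS = ("WindowsShellClient/", "Edge/18.")


@dataclass
class Flow:
    method: str
    path: str
    version: str
    req_headers: Dict[str, str]
    status: Optional[int] = None
    resp_headers: Dict[str, str] = field(default_factory=dict)

    @property
    def host(self) -> str:
        return self.req_headers.get("host", "")


def parse_transcript(text: str) -> List[Flow]:
    """Parse blank-line separated request/response blocks into paired Flows."""
    flows: List[Flow] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        req = REQ_RE.match(lines[0])
        if req:
            flows.append(Flow(req.group(1), req.group(2), req.group(3), headers))
            continue
        resp = RESP_RE.match(lines[0])
        if resp and flows and flows[-1].status is None:
            flows[-1].status = int(resp.group(1))
            flows[-1].resp_headers = headers
        else:
            raise ValueError(f"unpaired or malformed block: {lines[0]!r}")
    return flows


def classify(flow: Flow) -> Dict[str, object]:
    """'background' only when host AND user-agent both match a known OS component;
    everything else is 'review', with the reasons listed for the analyst."""
    host, ua = flow.host, flow.req_headers.get("user-agent", "")
    reasons: List[str] = []
    if IPV4_RE.match(host):
        reasons.append("request sent to a bare IP address instead of a hostname")
    if not host.endswith(BACKGROUND_HOST_SUFFIXES):
        reasons.append("host is not a known OS-component endpoint")
    if not any(marker in ua for marker in BACKGROUND_UA_MARKERS):
        reasons.append("user-agent is not a known OS-component client")
    body = int(flow.resp_headers.get("content-length", "0") or 0)
    if flow.status == 200 and 0 < body < 64:  # size cut-off chosen for this example
        reasons.append("tiny 200 response, typical of a check-in or beacon")
    return {"host": host, "path": flow.path, "status": flow.status,
            "verdict": "background" if not reasons else "review", "reasons": reasons}


def triage(text: str) -> List[Dict[str, object]]:
    return [classify(f) for f in parse_transcript(text)]


if __name__ == "__main__":
    for r in triage(TRANSCRIPT):
        print(f"[{r['verdict']:10}] {r['host']}{r['path']} -> {r['status']}")
        for reason in r["reasons"]:
            print("     -", reason)
```

Requiring both host and user-agent to match is deliberate: a downloader that talks to a Bing hostname with its own client string, or that spoofs the shell user-agent toward its own server, fails one of the two tests and lands in the review bucket. The allowlist only says what this image's shell does on its own; it says nothing about what the sample would have fetched had the sandbox run long enough for Upatre's download stage to fire.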
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 67KB
MD5: d5daabe032ea664e8524b8a707a5200b
SHA1: a83010c6365f4a938edae4887951a913db98684a
SHA256: 52ad727a635029d9f2b23cc8e1456ad4856475d00123bde2514d19d082f97951
SHA512: a0dfc4f7752ca8e70531c52fc2bacad8af2c22570d49de27f3bbd11fa0a18395c86cc4a299f84eaeac578a82c39fa8dccf2e097570a04894cf1963776d3db315