Overview

overview

10

Static

static

47f92cedff...4a.exe

windows7_x64

10

47f92cedff...4a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    14-02-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47f92cedff6396557e801853e31e9cafdd47dd9b5cd18621c254523376b6744a.exe

  • Size

    600KB

  • MD5

    46884b25c44a21c20cda77e028315c4c

  • SHA1

    9aa4b276dcd952f472480022c825470f0616eb2d

  • SHA256

    47f92cedff6396557e801853e31e9cafdd47dd9b5cd18621c254523376b6744a

  • SHA512

    f8f73950472aa703e432ea54c00dd36aede6b8b804e5c457790b0c6645a59bad281296bfb139d86caf8cbc3bbd837471020251b8a9e8ddb796840a5a93b2d96a

Score
10/10
upatredownloader

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

    downloaderupatre
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47f92cedff6396557e801853e31e9cafdd47dd9b5cd18621c254523376b6744a.exe
    "C:\Users\Admin\AppData\Local\Temp\47f92cedff6396557e801853e31e9cafdd47dd9b5cd18621c254523376b6744a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:1144
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1276
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1240-133-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1276-130-0x000001C510F90000-0x000001C510FA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1276-131-0x000001C511520000-0x000001C511530000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1276-132-0x000001C513C10000-0x000001C513C14000-memory.dmp

    Filesize

    16KB

    Download