upatre | b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1

General

Target

b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1.exe
Size

328KB
MD5

aff7d7ebdcba7d7ed345c73f538cd9e4
SHA1

9964325fb30f479c6f7855d4d7a766c7cc79e204
SHA256

b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1
SHA512

1b8703627397a0726a8aed3c7e99f3c8d66d5ffe9d6c21e16c12d0c04e15a16351c0f37b45b748841507800ca5191b92cac959f8ce8a4cbfcb2c6459ac49e72d

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1708	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3364	svchost.exe
Token: SeCreatePagefilePrivilege	3364	svchost.exe
Token: SeShutdownPrivilege	3364	svchost.exe
Token: SeCreatePagefilePrivilege	3364	svchost.exe
Token: SeShutdownPrivilege	3364	svchost.exe
Token: SeCreatePagefilePrivilege	3364	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1708	1016	b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1.exe	87
PID 1016 wrote to memory of 1708	1016	b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1.exe	87
PID 1016 wrote to memory of 1708	1016	b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1.exe	87

C:\Users\Admin\AppData\Local\Temp\b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1.exe
"C:\Users\Admin\AppData\Local\Temp\b2b74b51b3edea8b0a01ff9b0f60453b625563de5f2e092e44740e1a6679aec1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-133-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3364-130-0x000001E6F8D30000-0x000001E6F8D40000-memory.dmp

Filesize
64KB

Download
memory/3364-131-0x000001E6F8D90000-0x000001E6F8DA0000-memory.dmp

Filesize
64KB

Download
memory/3364-132-0x000001E6FBA70000-0x000001E6FBA74000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing