Overview

overview

10

Static

static

f5d4c6500d...b3.exe

windows7_x64

10

f5d4c6500d...b3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5d4c6500dd5d2614f795f8bd0c6259e43a3af3cbc86dfce1fc2576dafac1cb3.exe

  • Size

    266KB

  • MD5

    fea7b2e06e4bdf93a5c6b22507c4105e

  • SHA1

    9ecc6ed6111cf7447427752b04fef412c0c8b6d7

  • SHA256

    f5d4c6500dd5d2614f795f8bd0c6259e43a3af3cbc86dfce1fc2576dafac1cb3

  • SHA512

    e5a7bc24a6a4cb03afe416bf87e85b753137193dea176f4f2f874082df748c9a24446c363365eb30ff2b043908f10628d5f48df0a46746206e8bc1ac9b8dea65

Score
10/10
upatredownloader

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

    downloaderupatre
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5d4c6500dd5d2614f795f8bd0c6259e43a3af3cbc86dfce1fc2576dafac1cb3.exe
    "C:\Users\Admin\AppData\Local\Temp\f5d4c6500dd5d2614f795f8bd0c6259e43a3af3cbc86dfce1fc2576dafac1cb3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:4320
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4320-135-0x0000000000520000-0x0000000000521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-130-0x00000270DF390000-0x00000270DF3A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4776-131-0x00000270DFA20000-0x00000270DFA30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4776-132-0x00000270E2110000-0x00000270E2114000-memory.dmp

    Filesize

    16KB

    Download