Overview

overview

10

Static

static

9256da1c27...1f.exe

windows7_x64

10

9256da1c27...1f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe

  • Size

    36KB

  • MD5

    56a2dad254438d56cbab545f24faf72b

  • SHA1

    3bd697d8dec1db399ae5f32e35afaa7fa67e76d9

  • SHA256

    9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f

  • SHA512

    4e74f7cc85b21659ef235aa4fd7e2482babbcf3183f683ea91e48c3a630355ccdd941298c2f49edc384de3f2e588e486e79fa3e743d957e07db7860fe1e74450

Score
10/10
upatredownloader

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

    downloaderupatre
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
    "C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2740
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    MD5

    e707e937cfbcb0d0a2fdf4f7542c9068

    SHA1

    d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37

    SHA256

    51d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5

    SHA512

    c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    MD5

    e707e937cfbcb0d0a2fdf4f7542c9068

    SHA1

    d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37

    SHA256

    51d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5

    SHA512

    c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7

    Download Submit
  • memory/1056-133-0x0000025B72B30000-0x0000025B72B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1056-134-0x0000025B72B90000-0x0000025B72BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1056-135-0x0000025B75880000-0x0000025B75884000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1984-130-0x0000000000440000-0x0000000000441000-memory.dmp
    Filesize

    4KB

    Download