upatre | 8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3

General

Target

8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe
Size

31KB
MD5

ec04f3f4850e52e9d852374502beb39f
SHA1

00ba0a57045736c252d16e78ed89a8025f7152ab
SHA256

8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3
SHA512

9089b0bc8dc05b9f79b660dd13732ef03fbab9928e18f21a2995c0d59b4964d675e6b0a620ac2e6820330b780e844432eaea565f0302f9c877554d91c7d58ee4

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

3064 szgfw.exe

pid	process
3064	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	804	svchost.exe
Token: SeCreatePagefilePrivilege	804	svchost.exe
Token: SeShutdownPrivilege	804	svchost.exe
Token: SeCreatePagefilePrivilege	804	svchost.exe
Token: SeShutdownPrivilege	804	svchost.exe
Token: SeCreatePagefilePrivilege	804	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe

description	pid	process	target process
PID 2108 wrote to memory of 3064	2108	8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe	szgfw.exe
PID 2108 wrote to memory of 3064	2108	8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe	szgfw.exe
PID 2108 wrote to memory of 3064	2108	8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe
"C:\Users\Admin\AppData\Local\Temp\8fb5bb6e9859732b8c4f0accb086cff88aab31a4050c8bd66da04ccf3bb2cfb3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
a747b5b803378610701d8484b32ff044

SHA1
4b713334ce5fc9e661d5c9e75030661f92854c51

SHA256
4a18c99738e4e6d3c93e73fad07d54f6cbceeca3a7a9d606c429c1897d1c71c9

SHA512
1273a26747d3214376ceb5e10fd296f261c36eb4ffd0844368d9176fa863d8d94cc9eb9f9fa4b855023b644906af2bcae885ca75fe3e9b04b103612e154b7393

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
a747b5b803378610701d8484b32ff044

SHA1
4b713334ce5fc9e661d5c9e75030661f92854c51

SHA256
4a18c99738e4e6d3c93e73fad07d54f6cbceeca3a7a9d606c429c1897d1c71c9

SHA512
1273a26747d3214376ceb5e10fd296f261c36eb4ffd0844368d9176fa863d8d94cc9eb9f9fa4b855023b644906af2bcae885ca75fe3e9b04b103612e154b7393

Download Submit
memory/804-130-0x000001D5A5330000-0x000001D5A5340000-memory.dmp

Filesize
64KB

Download
memory/804-131-0x000001D5A5390000-0x000001D5A53A0000-memory.dmp

Filesize
64KB

Download
memory/804-132-0x000001D5A80B0000-0x000001D5A80B4000-memory.dmp

Filesize
16KB

Download
memory/3064-135-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads