upatre | 80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23

General

Target

80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe
Size

29KB
MD5

4ecd62e4a1993f8cae6cc22f39d9cd06
SHA1

14942714a30ebb1a044a9009d5df58b019880f95
SHA256

80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23
SHA512

0221b9b8756286e36dc45e75bdbc8187716f415bb2ae6d6eab10ea32418943feee0946dbe665877f33dbac718634d002dbf3ad2162e0ad72be71098ff8408c57

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

2072 szgfw.exe

pid	process
2072	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	548	svchost.exe
Token: SeCreatePagefilePrivilege	548	svchost.exe
Token: SeShutdownPrivilege	548	svchost.exe
Token: SeCreatePagefilePrivilege	548	svchost.exe
Token: SeShutdownPrivilege	548	svchost.exe
Token: SeCreatePagefilePrivilege	548	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe

description	pid	process	target process
PID 4476 wrote to memory of 2072	4476	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe	szgfw.exe
PID 4476 wrote to memory of 2072	4476	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe	szgfw.exe
PID 4476 wrote to memory of 2072	4476	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe
"C:\Users\Admin\AppData\Local\Temp\80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
21650dca314e8675dd037e4a3449cb4e

SHA1
8268288deff1a1f8dd32649a43df8e7868130dbe

SHA256
9976a8441495fce6711d337a68cd649d13534dcd36f6350b92c3b3fb09a50d0c

SHA512
43e4df24b0ddc8c650ccd36b4d4a57e7d20dd7ac2ad7d58453b1b8e27fd41673c5e71edfc7c1d5329abc8aa9b6eaad59000e2afc565f2b28739bfb3bfb7ee5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
21650dca314e8675dd037e4a3449cb4e

SHA1
8268288deff1a1f8dd32649a43df8e7868130dbe

SHA256
9976a8441495fce6711d337a68cd649d13534dcd36f6350b92c3b3fb09a50d0c

SHA512
43e4df24b0ddc8c650ccd36b4d4a57e7d20dd7ac2ad7d58453b1b8e27fd41673c5e71edfc7c1d5329abc8aa9b6eaad59000e2afc565f2b28739bfb3bfb7ee5a9

Download Submit
memory/548-130-0x0000022644560000-0x0000022644570000-memory.dmp

Filesize
64KB

Download
memory/548-131-0x0000022644B20000-0x0000022644B30000-memory.dmp

Filesize
64KB

Download
memory/548-132-0x0000022647190000-0x0000022647194000-memory.dmp

Filesize
16KB

Download
memory/2072-135-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads