upatre | 80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23

Analysis

max time kernel
158s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-02-2022 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe
Size

29KB
MD5

4ecd62e4a1993f8cae6cc22f39d9cd06
SHA1

14942714a30ebb1a044a9009d5df58b019880f95
SHA256

80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23
SHA512

0221b9b8756286e36dc45e75bdbc8187716f415bb2ae6d6eab10ea32418943feee0946dbe665877f33dbac718634d002dbf3ad2162e0ad72be71098ff8408c57

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2072	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	548	svchost.exe
Token: SeCreatePagefilePrivilege	548	svchost.exe
Token: SeShutdownPrivilege	548	svchost.exe
Token: SeCreatePagefilePrivilege	548	svchost.exe
Token: SeShutdownPrivilege	548	svchost.exe
Token: SeCreatePagefilePrivilege	548	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2072	4476	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe	87
PID 4476 wrote to memory of 2072	4476	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe	87
PID 4476 wrote to memory of 2072	4476	80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe	87

C:\Users\Admin\AppData\Local\Temp\80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe
"C:\Users\Admin\AppData\Local\Temp\80ef05726b008884a085b38ebbcdf5a28dbe90599fc5d7f5977ce57774fbcc23.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-130-0x0000022644560000-0x0000022644570000-memory.dmp

Filesize
64KB

Download
memory/548-131-0x0000022644B20000-0x0000022644B30000-memory.dmp

Filesize
64KB

Download
memory/548-132-0x0000022647190000-0x0000022647194000-memory.dmp

Filesize
16KB

Download
memory/2072-135-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download