upatre | 9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14

Analysis

max time kernel
10s
max time network
2s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2022 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe
Size

34KB
MD5

b5f484312c0d6aa92f1c06f1694800b4
SHA1

6997bce7000cf7bbc8cedcd758ba4ef6011123f5
SHA256

9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14
SHA512

c4a4af5c45fc9bdbf057bc5525ab2d420a65a34c8f7218e80d7cc5bf6c503e19b08f3b99bbe094594b09e58c80b16aa930743b41b2ed5f72b94ade91052bafbf
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rCBsPGTLKu:GY9jw/dUT62rGdiUOWWrC6P6Wu

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

3628 szgfw.exe

pid	process
3628	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe

description	pid	process	target process
PID 2876 wrote to memory of 3628	2876	9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe	szgfw.exe
PID 2876 wrote to memory of 3628	2876	9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe	szgfw.exe
PID 2876 wrote to memory of 3628	2876	9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe
"C:\Users\Admin\AppData\Local\Temp\9f571e2ca8f5a9dc2c90551690625bae28a6e8f52dcbaae93e01efaa34828e14.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:3628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
34KB

MD5
3774fabdf2b708ad58e93951403e57a0

SHA1
a56efa3b0e95184aa72d6a1554ceae75ce5ddea8

SHA256
f01830158d12c678aeff0b3067398fbf7f1b2af723ebddc08084d63ed6bb2a4b

SHA512
9d85568c73c92693f1b4521467e6013bf9f0651fa8ff076b1af75f5f716ceade34113bd4b548d16ef8dd49439c0ae584e982e305697b63ac8918a78f14cbea96

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
34KB

MD5
3774fabdf2b708ad58e93951403e57a0

SHA1
a56efa3b0e95184aa72d6a1554ceae75ce5ddea8

SHA256
f01830158d12c678aeff0b3067398fbf7f1b2af723ebddc08084d63ed6bb2a4b

SHA512
9d85568c73c92693f1b4521467e6013bf9f0651fa8ff076b1af75f5f716ceade34113bd4b548d16ef8dd49439c0ae584e982e305697b63ac8918a78f14cbea96

Download Submit
memory/3628-132-0x0000000000000000-mapping.dmp

Download