upatre | a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca

Analysis

max time kernel
10s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2022 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe
Size

41KB
MD5

a32cdeb0d254617e7fa6151d666df77d
SHA1

05f988c178bd6d6efa31881ebb93f44844205947
SHA256

a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca
SHA512

8382d96e678e699ee613db2c12ef26c8c069308ecd71f4ea294f72a522f4e6445f28a0714270e81f0bacd9e3a6ae9386d1a15a900ed8c650398c7c8fab45e4f2
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rh95k5mwFW1S7MA0:GY9jw/dUT62rGdiUOWWrNmLWMAA0

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

5080 szgfw.exe

pid	process
5080	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe

description	pid	process	target process
PID 3592 wrote to memory of 5080	3592	a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe	szgfw.exe
PID 3592 wrote to memory of 5080	3592	a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe	szgfw.exe
PID 3592 wrote to memory of 5080	3592	a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe
"C:\Users\Admin\AppData\Local\Temp\a6218fa6d4d2ff382ca803385ae5a66e7850cfaeb55e3f8fc29a97b5fbf6deca.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
41KB

MD5
dd7c1816add5f3570ffef696c4853cb4

SHA1
dd87dbdad9ef6861c34c3110dafbef31b22eeade

SHA256
de19f86fcbdf7c994ae2e5f4fcefbcdd3c7a418c7138c769ac2aca2468f14916

SHA512
7a5f0ec7f721ddf8e363c4ce801a9f558df02a44d363ddecf4fc707c20123581cc33a169849e7d8fffc87ab649eeb055c05b80df4b5222ad659624eb36641b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
41KB

MD5
dd7c1816add5f3570ffef696c4853cb4

SHA1
dd87dbdad9ef6861c34c3110dafbef31b22eeade

SHA256
de19f86fcbdf7c994ae2e5f4fcefbcdd3c7a418c7138c769ac2aca2468f14916

SHA512
7a5f0ec7f721ddf8e363c4ce801a9f558df02a44d363ddecf4fc707c20123581cc33a169849e7d8fffc87ab649eeb055c05b80df4b5222ad659624eb36641b90

Download Submit
memory/5080-132-0x0000000000000000-mapping.dmp

Download