upatre | af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc

Analysis

max time kernel
11s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2022 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe
Size

32KB
MD5

b8e8d6e56c86cb32eae2e3440a2b30a1
SHA1

0af9c6d368d88d3ea56a572ceac1a4544ffbdbfe
SHA256

af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc
SHA512

dcb68d0483c09a6fd1c35879c26545180590edbe9ebb1467a5f05ee3318750e6a8a53df665d8b6e1a38699f40a48187e93c796869a82943c2c25e1a3add4c2bf
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rPjaxz:GY9jw/dUT62rGdiUOWWr7aF

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

4792 szgfw.exe

pid	process
4792	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe

description	pid	process	target process
PID 4968 wrote to memory of 4792	4968	af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe	szgfw.exe
PID 4968 wrote to memory of 4792	4968	af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe	szgfw.exe
PID 4968 wrote to memory of 4792	4968	af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe
"C:\Users\Admin\AppData\Local\Temp\af4796a69bd09a7af59e71f11f64c986f213a368e473853b527ffc88fc163bcc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
32KB

MD5
8caff4a000ac3354235d2edd235d81fb

SHA1
aca21691cef7f4bdf3bdf7aa444d5fab0c59213a

SHA256
1cb82a231d77073603464b446e3679de9ea9956b650c7a928fdaadd2ee4e99c3

SHA512
1fa6a6ce2c93119418e324432a7959a7cc018dc25b703a2cb4f43cd4d002487eda01cb3b2136d169cc8a48a755770546cd54ab22b4275d374b32fd2ff469d04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
32KB

MD5
8caff4a000ac3354235d2edd235d81fb

SHA1
aca21691cef7f4bdf3bdf7aa444d5fab0c59213a

SHA256
1cb82a231d77073603464b446e3679de9ea9956b650c7a928fdaadd2ee4e99c3

SHA512
1fa6a6ce2c93119418e324432a7959a7cc018dc25b703a2cb4f43cd4d002487eda01cb3b2136d169cc8a48a755770546cd54ab22b4275d374b32fd2ff469d04a

Download Submit
memory/4792-132-0x0000000000000000-mapping.dmp

Download