upatre | 19e9b4524bbab365e60b1e0f75cb73ffee4caa96f57f1033e5701c96474bc65e

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

741/2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f.exe
Size

25KB
MD5

b40cfbb959c975e6b95f325d5881fb7b
SHA1

271894cb8bfbaeee1d437739f3bdb7413eda982f
SHA256

2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f
SHA512

e1f7d4de30bfbcc06ecfd62dfa8fbc726fc36854a4ed0d3d480aff67924e93024d21dbaa7af891d4b383080a61584a960231e83cdfe84198c8e5a1e90513d39e
SSDEEP

768:v+qAUVByyyNylXUylqylylmMxgMyXAN5IkSFlOxXmkewtWVJ/Yj:vNVrklvZ

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
4248	szgfw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4248	4216	2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f.exe	78
PID 4216 wrote to memory of 4248	4216	2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f.exe	78
PID 4216 wrote to memory of 4248	4216	2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f.exe	78

C:\Users\Admin\AppData\Local\Temp\741\2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f.exe
"C:\Users\Admin\AppData\Local\Temp\741\2dca3a51e417f6cdf37d2e46c3befe3c737298622ee8cc542975d044a226123f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
25KB

MD5
9bcc7dd523de337f610489967749c9b0

SHA1
0583f2705d781a4f5482facaafefde5701251a9c

SHA256
136e252b3c9cf52933f5c38f3247a58f9e086fb5b02159ea9a306cd6f9768600

SHA512
90054f85213f006f3f6c1b81ae42882c8ad7bd2835e5a10ae1c1a0ff8a97437e4d8d79ce3e2df398e80cfbb4506cca7bccecfc8bc39934c23ba7834a092c6777

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
25KB

MD5
9bcc7dd523de337f610489967749c9b0

SHA1
0583f2705d781a4f5482facaafefde5701251a9c

SHA256
136e252b3c9cf52933f5c38f3247a58f9e086fb5b02159ea9a306cd6f9768600

SHA512
90054f85213f006f3f6c1b81ae42882c8ad7bd2835e5a10ae1c1a0ff8a97437e4d8d79ce3e2df398e80cfbb4506cca7bccecfc8bc39934c23ba7834a092c6777

Download Submit