upatre | 3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6

Analysis

max time kernel
120s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6.exe
Size

4KB
MD5

dfbb4521b0b51a88e7fcc59e6b140ef6
SHA1

b1e65c96e931c5bc6a1eff0e23d31ef8d99c72c9
SHA256

3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6
SHA512

5d4e53d809b01ab515b7f7af69573d5da7b9e4df2898e5bc2636b408d7b52d4f71a5237756926b5a58a7029d58a9892a776228302320f7a9964583004590550c
SSDEEP

48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RssNnA7B8mOo4jUx7OtKGc:Z0v4mUWKh9ctgC1RnNnKymV44Sh

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 5064	4556	3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6.exe	84
PID 4556 wrote to memory of 5064	4556	3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6.exe	84
PID 4556 wrote to memory of 5064	4556	3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6.exe	84

C:\Users\Admin\AppData\Local\Temp\3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6.exe
"C:\Users\Admin\AppData\Local\Temp\3e0ff50184e04798a2a0c55dd39f482ebfd821668fc00e896c05b2692030dbd6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
4023d2ba233677ee5735328474e645f4

SHA1
6c52eeac4d1db576b194bffe0a0085b789f398f1

SHA256
9b8b350215b3f3f443baaff2302b8c3ac9d74891d5580d27c524bac4e9c156bb

SHA512
26315c8090e78e157d3df7f0c8c9eefede7ed41a50d12c8faa0eeac63fe3761285f1b5a5555ab0bfa45f563469f5e152e9b1847dda50a95da9cb9adfa7299c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
4023d2ba233677ee5735328474e645f4

SHA1
6c52eeac4d1db576b194bffe0a0085b789f398f1

SHA256
9b8b350215b3f3f443baaff2302b8c3ac9d74891d5580d27c524bac4e9c156bb

SHA512
26315c8090e78e157d3df7f0c8c9eefede7ed41a50d12c8faa0eeac63fe3761285f1b5a5555ab0bfa45f563469f5e152e9b1847dda50a95da9cb9adfa7299c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
4023d2ba233677ee5735328474e645f4

SHA1
6c52eeac4d1db576b194bffe0a0085b789f398f1

SHA256
9b8b350215b3f3f443baaff2302b8c3ac9d74891d5580d27c524bac4e9c156bb

SHA512
26315c8090e78e157d3df7f0c8c9eefede7ed41a50d12c8faa0eeac63fe3761285f1b5a5555ab0bfa45f563469f5e152e9b1847dda50a95da9cb9adfa7299c1f

Download Submit