upatre | 582276b350bb8b058d540c6c234ceff1b200952ae568f893afd97f10409116a9

Analysis

max time kernel
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious10a2bf2f5e49.exe
Size

32KB
MD5

76f4fd15208435592af8b71b100092ee
SHA1

7c7cd8092f90c9893f4ce670c6556a091dbbccb0
SHA256

582276b350bb8b058d540c6c234ceff1b200952ae568f893afd97f10409116a9
SHA512

3c8bdfcb276b05a20cc602b7221123fd7721761b35ebaa02d66b02454028ca32448422312736a8303b45eb584a8d313b923cb381fc401b16e0f164cd492a38e0
SSDEEP

384:ovbf1Y9qpeROAq/VfUT6vupj3InXd/bS2kUOW5GAMECxk8h9XK+Es:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rh9/

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	easyMalicious10a2bf2f5e49.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2184	2096	easyMalicious10a2bf2f5e49.exe	79
PID 2096 wrote to memory of 2184	2096	easyMalicious10a2bf2f5e49.exe	79
PID 2096 wrote to memory of 2184	2096	easyMalicious10a2bf2f5e49.exe	79

C:\Users\Admin\AppData\Local\Temp\easyMalicious10a2bf2f5e49.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious10a2bf2f5e49.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
32KB

MD5
635935a926dae764ae0433de00b5ffd0

SHA1
070608172bfbb3c910ac7eb131089268bce82bff

SHA256
21e5f7c2037d8f7b12b0f9059493f17fe1cfcffaeada551b877ca01e395a1e40

SHA512
9e92671c6c943c648bc5beacff50185a2a70a05fca80356cab3a8b0d2903a7d00afe380434d0d5b8e32f03f2ed669f2d41d4549595ff95dd168f3fa4ca44ea4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
32KB

MD5
635935a926dae764ae0433de00b5ffd0

SHA1
070608172bfbb3c910ac7eb131089268bce82bff

SHA256
21e5f7c2037d8f7b12b0f9059493f17fe1cfcffaeada551b877ca01e395a1e40

SHA512
9e92671c6c943c648bc5beacff50185a2a70a05fca80356cab3a8b0d2903a7d00afe380434d0d5b8e32f03f2ed669f2d41d4549595ff95dd168f3fa4ca44ea4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
32KB

MD5
635935a926dae764ae0433de00b5ffd0

SHA1
070608172bfbb3c910ac7eb131089268bce82bff

SHA256
21e5f7c2037d8f7b12b0f9059493f17fe1cfcffaeada551b877ca01e395a1e40

SHA512
9e92671c6c943c648bc5beacff50185a2a70a05fca80356cab3a8b0d2903a7d00afe380434d0d5b8e32f03f2ed669f2d41d4549595ff95dd168f3fa4ca44ea4b

Download Submit
memory/2096-134-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2096-142-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2184-143-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download