Overview

overview

10

Static

static

3

297fa15a2b...JC.exe

windows7-x64

10

297fa15a2b...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2023 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    297fa15a2b77de7d4391c677266cb4df_JC.exe

  • Size

    130KB

  • MD5

    297fa15a2b77de7d4391c677266cb4df

  • SHA1

    97f0cadd4a3b180ab36a7e25cb44a707afe0caa5

  • SHA256

    9d43a35f0cd9895f57400039809336576b28f6e6ca254a610b54c69d4359cc49

  • SHA512

    08d8f86895ca33c4893060ca9738824d95e97dd56b4dfbff4e2bbd641b52586237e6d7f824c88bd0a1dc4ed8dc7c99120a388acd9094a6a6639625564343e540

  • SSDEEP

    3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JKA:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJWw

Score
10/10
upatredownloader

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

    downloaderupatre
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\297fa15a2b77de7d4391c677266cb4df_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\297fa15a2b77de7d4391c677266cb4df_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:4768
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:1840
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Filesize

      130KB

      MD5

      bdac5013abe625c24a677d73853852db

      SHA1

      9349b3d9b8c45738f2873c185165b16708060330

      SHA256

      ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

      SHA512

      536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Filesize

      130KB

      MD5

      bdac5013abe625c24a677d73853852db

      SHA1

      9349b3d9b8c45738f2873c185165b16708060330

      SHA256

      ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

      SHA512

      536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Filesize

      130KB

      MD5

      bdac5013abe625c24a677d73853852db

      SHA1

      9349b3d9b8c45738f2873c185165b16708060330

      SHA256

      ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

      SHA512

      536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

      Download Submit

    • memory/2944-0-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2944-1-0x00000000004B0000-0x00000000004B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2944-10-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3856-48-0x00000133041F0000-0x00000133041F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3856-16-0x000001337BB80000-0x000001337BB90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3856-32-0x000001337BC80000-0x000001337BC90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3856-50-0x0000013304220000-0x0000013304221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3856-51-0x0000013304220000-0x0000013304221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3856-52-0x0000013304330000-0x0000013304331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4768-11-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download