upatre | 7bf7ed3a70780aa3d29bd73e1965af60c5b86e3244be5f20eb3a3e775c907e76

Analysis

max time kernel
157s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd0b344e7ccc45800d66dc377cb50ba_JC.exe
Size

59KB
MD5

ddd0b344e7ccc45800d66dc377cb50ba
SHA1

a7b938938a0ab48482f0369f0df2cf4fa4f4fefc
SHA256

7bf7ed3a70780aa3d29bd73e1965af60c5b86e3244be5f20eb3a3e775c907e76
SHA512

10db2382e961d4de1d27b78822fee08305099769099da555a784df470a4cd46c57ae8880689029ccb482452c70d6c65def43a10826fe082272bb4d9bd4de84da
SSDEEP

1536:5Y9jw/dUT62rGdiUOWWrMffJ+AxM+I+ceWE:5Y9CUT62/UOVMffJ+AW+I+cI

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	ddd0b344e7ccc45800d66dc377cb50ba_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3000	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3000	4628	ddd0b344e7ccc45800d66dc377cb50ba_JC.exe	93
PID 4628 wrote to memory of 3000	4628	ddd0b344e7ccc45800d66dc377cb50ba_JC.exe	93
PID 4628 wrote to memory of 3000	4628	ddd0b344e7ccc45800d66dc377cb50ba_JC.exe	93

C:\Users\Admin\AppData\Local\Temp\ddd0b344e7ccc45800d66dc377cb50ba_JC.exe
"C:\Users\Admin\AppData\Local\Temp\ddd0b344e7ccc45800d66dc377cb50ba_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
59KB

MD5
6cd1a0f5f468a8e18fe3199dd91dc041

SHA1
188db118b25fbbc4b775e869e953d6a8ba78ad2e

SHA256
3df8c28d835f2b2abea38eacf78f13f2040f157432f7d4cf12b8a412abe0f551

SHA512
fa45a03497e732e69f6fd71a050ce5fec1d5f042b300a7aa67255b777b4026862a1993a9f617c0fb535378966a0b6da3eb99b500ec18fb63bc94eb09d0f8aabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
59KB

MD5
6cd1a0f5f468a8e18fe3199dd91dc041

SHA1
188db118b25fbbc4b775e869e953d6a8ba78ad2e

SHA256
3df8c28d835f2b2abea38eacf78f13f2040f157432f7d4cf12b8a412abe0f551

SHA512
fa45a03497e732e69f6fd71a050ce5fec1d5f042b300a7aa67255b777b4026862a1993a9f617c0fb535378966a0b6da3eb99b500ec18fb63bc94eb09d0f8aabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
59KB

MD5
6cd1a0f5f468a8e18fe3199dd91dc041

SHA1
188db118b25fbbc4b775e869e953d6a8ba78ad2e

SHA256
3df8c28d835f2b2abea38eacf78f13f2040f157432f7d4cf12b8a412abe0f551

SHA512
fa45a03497e732e69f6fd71a050ce5fec1d5f042b300a7aa67255b777b4026862a1993a9f617c0fb535378966a0b6da3eb99b500ec18fb63bc94eb09d0f8aabe

Download Submit
memory/3000-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4628-0-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4628-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download