upatre | f41b7f67025ace51598bf40d10011d4b71afef601676d8b4031b5e13da239cd1

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.93a48ac3c592c61ec665ec342cb55880.exe
Size

10KB
MD5

93a48ac3c592c61ec665ec342cb55880
SHA1

838e92a295c184eb93d1e60362f144622f91b1f2
SHA256

f41b7f67025ace51598bf40d10011d4b71afef601676d8b4031b5e13da239cd1
SHA512

35a71789b18e201bc0eab62e3538b691b5ddd878edee35ce8319616b22c08f405727f88f64ae93cc90943d316d06f43be67f14af3d042f9412ce959371a20ba0
SSDEEP

192:9mUWKs/yOnKfzShNz2OGc9lyZmMPdJF7bojBPBZLKQVyA/pKE7Q8u2Q:6K+HKfzQNz2OGcqZmMPdrHmBPBZOQVyL

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	NEAS.93a48ac3c592c61ec665ec342cb55880.exe

Executes dropped EXE 1 IoCs

pid	Process
4524	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 4524	1152	NEAS.93a48ac3c592c61ec665ec342cb55880.exe	87
PID 1152 wrote to memory of 4524	1152	NEAS.93a48ac3c592c61ec665ec342cb55880.exe	87
PID 1152 wrote to memory of 4524	1152	NEAS.93a48ac3c592c61ec665ec342cb55880.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.93a48ac3c592c61ec665ec342cb55880.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.93a48ac3c592c61ec665ec342cb55880.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
10KB

MD5
2aa701fb843fd15e614543c3080c6209

SHA1
56f3c11be9397193d9442e9730626d1064be5fc1

SHA256
4b2a1134ed3e98dd9c5b9c8ad3a5399cbb6888a53c4226dd66aa9f422ec75504

SHA512
ecebd8a6031c2f5494536fb72a87053093ab48b86a5964803ffb55b70c61d5ef973f0001e4644d976b877384b505e32d26e706affce938acdbc1aa5b0e53e08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
10KB

MD5
2aa701fb843fd15e614543c3080c6209

SHA1
56f3c11be9397193d9442e9730626d1064be5fc1

SHA256
4b2a1134ed3e98dd9c5b9c8ad3a5399cbb6888a53c4226dd66aa9f422ec75504

SHA512
ecebd8a6031c2f5494536fb72a87053093ab48b86a5964803ffb55b70c61d5ef973f0001e4644d976b877384b505e32d26e706affce938acdbc1aa5b0e53e08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
10KB

MD5
2aa701fb843fd15e614543c3080c6209

SHA1
56f3c11be9397193d9442e9730626d1064be5fc1

SHA256
4b2a1134ed3e98dd9c5b9c8ad3a5399cbb6888a53c4226dd66aa9f422ec75504

SHA512
ecebd8a6031c2f5494536fb72a87053093ab48b86a5964803ffb55b70c61d5ef973f0001e4644d976b877384b505e32d26e706affce938acdbc1aa5b0e53e08e

Download Submit