Analysis
-
max time kernel
180s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15-10-2023 19:38
Static task
static1
Behavioral task
behavioral1
Sample
635166366c57c2c30f491dbd64403e60_exe32.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
635166366c57c2c30f491dbd64403e60_exe32.exe
Resource
win10v2004-20230915-en
General
-
Target
635166366c57c2c30f491dbd64403e60_exe32.exe
-
Size
130KB
-
MD5
635166366c57c2c30f491dbd64403e60
-
SHA1
8688379c337327dd3e7844440bc8e40359857807
-
SHA256
9d4e630fdc6f53f103efd983f39c40fe0d358c96bacc23dead2525b7759e8c8b
-
SHA512
5f5f2cdec69d7b42879e05c8c2255dff6c47c5df81e39a5defdd21a9ae9358881c076a358d7c53436b4d5194198c754115cb0730d5226015a57a55d7acb546d2
-
SSDEEP
3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JKS:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJWi
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
635166366c57c2c30f491dbd64403e60_exe32.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation 635166366c57c2c30f491dbd64403e60_exe32.exe -
Executes dropped EXE 1 IoCs
Processes:
szgfw.exepid process 4760 szgfw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
635166366c57c2c30f491dbd64403e60_exe32.exedescription pid process target process PID 4332 wrote to memory of 4760 4332 635166366c57c2c30f491dbd64403e60_exe32.exe szgfw.exe PID 4332 wrote to memory of 4760 4332 635166366c57c2c30f491dbd64403e60_exe32.exe szgfw.exe PID 4332 wrote to memory of 4760 4332 635166366c57c2c30f491dbd64403e60_exe32.exe szgfw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\635166366c57c2c30f491dbd64403e60_exe32.exe"C:\Users\Admin\AppData\Local\Temp\635166366c57c2c30f491dbd64403e60_exe32.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeFilesize
130KB
MD5cc6e485380cbe71c63b55da86882f8e5
SHA1a77358978c230ab169dbb5eb2181670d9b8099d2
SHA2562dd02209a43c23d2ebc3299d1199417fdd1e638cc5ec99e9b61feb219d4ff1d7
SHA512eb767362eb9b5216abbfb30915bf15342f4c2e533e65880c2c813af4ce3ce1645aa096f596fb1e4593455f7e5e74d97373010edb2bf3c74afa230b63d605c1d7
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeFilesize
130KB
MD5cc6e485380cbe71c63b55da86882f8e5
SHA1a77358978c230ab169dbb5eb2181670d9b8099d2
SHA2562dd02209a43c23d2ebc3299d1199417fdd1e638cc5ec99e9b61feb219d4ff1d7
SHA512eb767362eb9b5216abbfb30915bf15342f4c2e533e65880c2c813af4ce3ce1645aa096f596fb1e4593455f7e5e74d97373010edb2bf3c74afa230b63d605c1d7
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeFilesize
130KB
MD5cc6e485380cbe71c63b55da86882f8e5
SHA1a77358978c230ab169dbb5eb2181670d9b8099d2
SHA2562dd02209a43c23d2ebc3299d1199417fdd1e638cc5ec99e9b61feb219d4ff1d7
SHA512eb767362eb9b5216abbfb30915bf15342f4c2e533e65880c2c813af4ce3ce1645aa096f596fb1e4593455f7e5e74d97373010edb2bf3c74afa230b63d605c1d7
-
memory/4332-0-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4332-1-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/4332-9-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4760-11-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4760-13-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB