upatre | fbef5095fa26b2d78db4e71a0793d0e43e499c2f8dc0722c92cc816e0e4d5a8c

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e365b1a8d27376d244af564f0572f670.exe
Size

130KB
MD5

e365b1a8d27376d244af564f0572f670
SHA1

bd6de4067520ba3044a79c11486a70886a967e3a
SHA256

fbef5095fa26b2d78db4e71a0793d0e43e499c2f8dc0722c92cc816e0e4d5a8c
SHA512

b85453f7d7ab35aaea386b74f4e8bba1c66164473fa50c52bc127fb67977b2d56f12b4826cbf955786b233563372166a4de7ee82e4077a5555ca08008fa5cbd9
SSDEEP

3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JKJ:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJW5

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.e365b1a8d27376d244af564f0572f670.exe

Executes dropped EXE 1 IoCs

pid	Process
1376	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1376	2376	NEAS.e365b1a8d27376d244af564f0572f670.exe	90
PID 2376 wrote to memory of 1376	2376	NEAS.e365b1a8d27376d244af564f0572f670.exe	90
PID 2376 wrote to memory of 1376	2376	NEAS.e365b1a8d27376d244af564f0572f670.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.e365b1a8d27376d244af564f0572f670.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e365b1a8d27376d244af564f0572f670.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
e742106f04abf1f36dc2016dc7fcafcd

SHA1
896773a448850ac0c5e1f57d2a53968db5f59ce7

SHA256
b70f71ccbcabcaa52a514de691078aa0339db114cd956b49804f9e7a1df6e4e8

SHA512
07a87c55a46a5eb5696e2d8e7ea1129c517219b788ade7e01a70459cdfcdd8ba43cbb0e20fcf76592e73e9e55404026cefd97f391f5b98e8421f4380de74ee96

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
e742106f04abf1f36dc2016dc7fcafcd

SHA1
896773a448850ac0c5e1f57d2a53968db5f59ce7

SHA256
b70f71ccbcabcaa52a514de691078aa0339db114cd956b49804f9e7a1df6e4e8

SHA512
07a87c55a46a5eb5696e2d8e7ea1129c517219b788ade7e01a70459cdfcdd8ba43cbb0e20fcf76592e73e9e55404026cefd97f391f5b98e8421f4380de74ee96

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
e742106f04abf1f36dc2016dc7fcafcd

SHA1
896773a448850ac0c5e1f57d2a53968db5f59ce7

SHA256
b70f71ccbcabcaa52a514de691078aa0339db114cd956b49804f9e7a1df6e4e8

SHA512
07a87c55a46a5eb5696e2d8e7ea1129c517219b788ade7e01a70459cdfcdd8ba43cbb0e20fcf76592e73e9e55404026cefd97f391f5b98e8421f4380de74ee96

Download Submit
memory/1376-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2376-1-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2376-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download