upatre | 9dbbf9c16cb8338edb14f349e8f9e688e556f5262bf7c7b3783c65bb396984e6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62bfda431fb5970c7ef246f90314ed9.exe
Size

63KB
MD5

a62bfda431fb5970c7ef246f90314ed9
SHA1

81b9cffa0a3a69a709b2aa90ecd3acc91f6bdfe4
SHA256

9dbbf9c16cb8338edb14f349e8f9e688e556f5262bf7c7b3783c65bb396984e6
SHA512

104623bf1d9f8c8c782a86b400d551771f15ad0513724d5394679317c3b20b6fcb90d950ff838c1844ea4ef05e025540849ad0a0337f1f4eff8e12d9d42672df
SSDEEP

1536:5Y9jw/dUT62rGdiUOWWrMffJ+AxM+I+ceWgG:5Y9CUT62/UOVMffJ+AW+I+cT

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation	a62bfda431fb5970c7ef246f90314ed9.exe

Executes dropped EXE 1 IoCs

pid	Process
4180	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4180	5056	a62bfda431fb5970c7ef246f90314ed9.exe	81
PID 5056 wrote to memory of 4180	5056	a62bfda431fb5970c7ef246f90314ed9.exe	81
PID 5056 wrote to memory of 4180	5056	a62bfda431fb5970c7ef246f90314ed9.exe	81

C:\Users\Admin\AppData\Local\Temp\a62bfda431fb5970c7ef246f90314ed9.exe
"C:\Users\Admin\AppData\Local\Temp\a62bfda431fb5970c7ef246f90314ed9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
memory/4180-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5056-0-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/5056-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download