Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 10:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0e5c33afd518bf29dc29f3586ffe0cde.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0e5c33afd518bf29dc29f3586ffe0cde.exe
  Resource: win10v2004-20231215-en
General
Target: 0e5c33afd518bf29dc29f3586ffe0cde.exe
Size: 13KB
MD5: 0e5c33afd518bf29dc29f3586ffe0cde
SHA1: d55d4ffc51cf1c01590623d8c0706ed0aae0e9b5
SHA256: a446b39d26976f869d89a09f8feeca6c5330fbe82859aeb0c59e0d70f856cd4f
SHA512: 8b0ae5ef6aef63de66afd318ca3f79275576a55c58757d2bd547b883a946760aff259f18bcd684102e972371fab9be4f31dc2fafb6225e2ee2e79cf6bb134fdf
SSDEEP: 384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7aylryylFyyTslDylyyyyylQ:v+dAURFxna4QAPQlYg7aylryylFyyTsq
Malware Config
Signatures

Upatre
Upatre is a generic malware downloader.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 0e5c33afd518bf29dc29f3586ffe0cde.exe

Executes dropped EXE (1 IoCs)
pid | Process
3804 | szgfw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2384 wrote to memory of 3804 | 2384 | 0e5c33afd518bf29dc29f3586ffe0cde.exe | 88
PID 2384 wrote to memory of 3804 | 2384 | 0e5c33afd518bf29dc29f3586ffe0cde.exe | 88
PID 2384 wrote to memory of 3804 | 2384 | 0e5c33afd518bf29dc29f3586ffe0cde.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\0e5c33afd518bf29dc29f3586ffe0cde.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e5c33afd518bf29dc29f3586ffe0cde.exe"
   PID: 2384
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      PID: 3804
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 13KB
MD5: ba01320b6633535437b89b0642308e37
SHA1: b897485afe6219597b8ae6b3f90fbb8400df35fb
SHA256: 71a4e2566255228aad0dcd292c04cf77da3a432e4dfb1ea650e82443740e9c0e
SHA512: fc53216afcb633fa1929c46956164f806019bfb4523f5f0c8d2186434007dd22ce18ebfda9594dd6d95958177ef9c8148334689989d8a2d21c970816955e1c05