upatre | 165b7c8a26704fe3e7ec2f8c8324b0c564eebe4b839c05106251d9b51f5e110a

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cc24a00417df587462a6716f1a17ba5.exe
Size

13KB
MD5

6cc24a00417df587462a6716f1a17ba5
SHA1

b1b96ade113c41f5c508cb36611da8dda1f8f556
SHA256

165b7c8a26704fe3e7ec2f8c8324b0c564eebe4b839c05106251d9b51f5e110a
SHA512

0b66b37c8af680b3206d9749a093a4bf9102dcbe41810447524dd01256193a5935e5168b9dda4817a51410914343ada427362839e77852c8097ac8365f180535
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7aylryyylQlylyyylk5ylNcQ:v+dAURFxna4QAPQlYg7aylryyylQlylS

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	6cc24a00417df587462a6716f1a17ba5.exe

Executes dropped EXE 1 IoCs

pid	Process
2328	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2328	3356	6cc24a00417df587462a6716f1a17ba5.exe	90
PID 3356 wrote to memory of 2328	3356	6cc24a00417df587462a6716f1a17ba5.exe	90
PID 3356 wrote to memory of 2328	3356	6cc24a00417df587462a6716f1a17ba5.exe	90

C:\Users\Admin\AppData\Local\Temp\6cc24a00417df587462a6716f1a17ba5.exe
"C:\Users\Admin\AppData\Local\Temp\6cc24a00417df587462a6716f1a17ba5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
13KB

MD5
8b876a9787cbda6268b96e77e3256aa5

SHA1
fb0b59ac19cc0b380d78cc46362626f08367c6d6

SHA256
2725e944b08af4640bf9d63d5360bec55b1010a4ae7b28b2f4464604b33ea08a

SHA512
79c6021b2790cbaf91884c5fe0473b289e1312d86ec246246f76fd857c141c4146010db656d880ff690fcd5eabdb1904db42c035d025432248043b84fff62dfb

Download Submit