upatre | f317e877507bd3c9eb81abc44ffc6a3655656a85cc4a0b2fc4206dc4e00f0652

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

641c86ad71692ab0bcf05dd071a7e9b3.exe
Size

13KB
MD5

641c86ad71692ab0bcf05dd071a7e9b3
SHA1

6c3d376f199303be1bba627615dbce4c25e656be
SHA256

f317e877507bd3c9eb81abc44ffc6a3655656a85cc4a0b2fc4206dc4e00f0652
SHA512

91244df22a3b14499946fb76acfc972ca7a04892ce2ee10f8a1e076a729fb28616923cc175f059760fd6b663af94bf79d0badb23d3b607da319cc942e9b515a7
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7aylryylFyyTslDlZUyyl+Ui:v+dAURFxna4QAPQlYg7aylryylFyyTsj

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	641c86ad71692ab0bcf05dd071a7e9b3.exe

Executes dropped EXE 1 IoCs

pid	Process
4808	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4808	2188	641c86ad71692ab0bcf05dd071a7e9b3.exe	89
PID 2188 wrote to memory of 4808	2188	641c86ad71692ab0bcf05dd071a7e9b3.exe	89
PID 2188 wrote to memory of 4808	2188	641c86ad71692ab0bcf05dd071a7e9b3.exe	89

C:\Users\Admin\AppData\Local\Temp\641c86ad71692ab0bcf05dd071a7e9b3.exe
"C:\Users\Admin\AppData\Local\Temp\641c86ad71692ab0bcf05dd071a7e9b3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
13KB

MD5
57e93271c3e6d94215b5c740aa293dcc

SHA1
c9915ae719d58e9c6f119c97f5e12b68b6d1d8c1

SHA256
06f7f5fa95d1c3778b5dc0b0169ee47a4520bc6587f7dc68a35d0e3347f28950

SHA512
88bde94002b44f293389f8568cc04395a6562c2fb8812d6d882be40440d48686f1936ab5006fb79011d8f9ea010ba7a6dd66535526ac7fafc534f35e5c76f362

Download Submit