upatre | e94ce686fb9f1ea35741511824185a648b94ddc26424f317f26d7cac15e88ccf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdfe3fe0bf213cc2a9061b506a47a51c.exe
Size

13KB
MD5

fdfe3fe0bf213cc2a9061b506a47a51c
SHA1

444972dfbd30d9fc3bc7d9397143f26217e73316
SHA256

e94ce686fb9f1ea35741511824185a648b94ddc26424f317f26d7cac15e88ccf
SHA512

8c6d8c0ff2d1d983d551e0c619133709836e370ffc5bdf0e399a25dc8d28e8644b024c6d66b80178083711beed00e4c06369eab9fe9eb6ee39fb0f4e0f4b2cc3
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKkFlplVDuyUynylyO/yl+ulQ:v+dAURFxna4QAPQlYgkFlplVDuyUynyp

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	fdfe3fe0bf213cc2a9061b506a47a51c.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2536	3988	fdfe3fe0bf213cc2a9061b506a47a51c.exe	91
PID 3988 wrote to memory of 2536	3988	fdfe3fe0bf213cc2a9061b506a47a51c.exe	91
PID 3988 wrote to memory of 2536	3988	fdfe3fe0bf213cc2a9061b506a47a51c.exe	91

C:\Users\Admin\AppData\Local\Temp\fdfe3fe0bf213cc2a9061b506a47a51c.exe
"C:\Users\Admin\AppData\Local\Temp\fdfe3fe0bf213cc2a9061b506a47a51c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
13KB

MD5
f124f6cc7698cbd9d9da389c31ad394c

SHA1
62f00220f7688d064009791c03b306408c26e671

SHA256
ff78d3a1b0b1ebd335c3ace16e1366411a99d7d1d34811a7a150678300de2194

SHA512
416342f1d34c05589c164da7b9c7e67c5a8907a512077865e3fbfd08c62b2c378b29107eb94fc12e661e285ee7286daaab8535d8365c0cafc213fc128fdf2847

Download Submit