Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2023 18:00
Static task: static1
Behavioral task: behavioral1
  Sample: ff5f312e4a7b69523d1cf92459632531.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ff5f312e4a7b69523d1cf92459632531.exe
  Resource: win10v2004-20231215-en
General
Target: ff5f312e4a7b69523d1cf92459632531.exe
Size: 41KB
MD5: ff5f312e4a7b69523d1cf92459632531
SHA1: 50a7c9844bfdfa3b685fb9d6c2432ecaf9fea69f
SHA256: 5ec973014509f7f1cab5c08ec25d3a23bf2707db56b40a3daad4332d55e2f7ea
SHA512: 26d362673d80a76b239aa0650a2ab58308b66d4a67693eda61ce108664722cce31cd54ae6267e778a3974f9d5eba5680ae4918a391191e369a2986c986180f72
SSDEEP: 768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rCBsPGTWikRyyjwyyyylyvyQ:GY9jw/dUT62rGdiUOWWrC6P6Tq
Malware Config
Signatures
Upatre
Upatre is a generic malware downloader.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
  Process: ff5f312e4a7b69523d1cf92459632531.exe

Executes dropped EXE (1 IoC)
  pid: 4860
  Process: szgfw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4592 wrote to memory of 4860 | 4592 | ff5f312e4a7b69523d1cf92459632531.exe | 92
  PID 4592 wrote to memory of 4860 | 4592 | ff5f312e4a7b69523d1cf92459632531.exe | 92
  PID 4592 wrote to memory of 4860 | 4592 | ff5f312e4a7b69523d1cf92459632531.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\ff5f312e4a7b69523d1cf92459632531.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff5f312e4a7b69523d1cf92459632531.exe"
  PID: 4592
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\szgfw.exe (child of PID 4592)
    Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
    PID: 4860
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 41KB
MD5: 1063fc5aa4d17e39de5807c1673b7077
SHA1: d3a61f73ea21a8211c69ba66166e90a06be4c1a3
SHA256: e8749fa6bef5ee2cd9ab09794513b1499973d8703013c76ffaa3ccb1b6df12e2
SHA512: 141eb0a01c17833d44ac8e36f2ac37cc48e110a179cb742d5a0b5686dc13930ca3ffe4069fa33017da6bafcb56e6ce19e1a30976d0482805d64adb73fcd9ec20