upatre | 6442fd754368fc641c9eff6e16e95b0646152f80e384b9f150ba2b01415a75ad

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb80817e08f490ebfa47bba6337796a.exe
Size

12KB
MD5

1fb80817e08f490ebfa47bba6337796a
SHA1

6d37a111928a0749847497b2ddf73b4255e3a2f2
SHA256

6442fd754368fc641c9eff6e16e95b0646152f80e384b9f150ba2b01415a75ad
SHA512

370bca056296904993966b4d12668f146063f19e273b18e7c7ba16c74aa93517458754b334de0d77e39784604db03f4c0317f3e1ecabee0569abdcd39c5bdd82
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKkyyl7n9m:v+dAURFxna4QAPQlYghxKkyyl7no

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	1fb80817e08f490ebfa47bba6337796a.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2712	1192	1fb80817e08f490ebfa47bba6337796a.exe	25
PID 1192 wrote to memory of 2712	1192	1fb80817e08f490ebfa47bba6337796a.exe	25
PID 1192 wrote to memory of 2712	1192	1fb80817e08f490ebfa47bba6337796a.exe	25

C:\Users\Admin\AppData\Local\Temp\1fb80817e08f490ebfa47bba6337796a.exe
"C:\Users\Admin\AppData\Local\Temp\1fb80817e08f490ebfa47bba6337796a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
12KB

MD5
9261df9e10b9a79fd03c8655479d8915

SHA1
7056135dc3d1c56fbeb9226ca3eea8fc82926fb9

SHA256
afeb21e41dd37ff74464f7bc76857089dcf9c5df1f53f2468ab531a03a9d97d6

SHA512
240344c6d4c6b8f37b47ddbaab097356b2c0f31079df36fcdb0a44faa06b92d39edb422fc8e264dba521a805ab8a66f017c46ad200c1117e80ca072bcde8a9e3

Download Submit