upatre | cdac5edd109e6e7e681d08dc691a163a20184f53c3c511e2bef622a6c66b60fd

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f99b05458d778055d7493a9490adadd.exe
Size

12KB
MD5

6f99b05458d778055d7493a9490adadd
SHA1

5671a418317d8a13b996d2054efd28cb599b399c
SHA256

cdac5edd109e6e7e681d08dc691a163a20184f53c3c511e2bef622a6c66b60fd
SHA512

35dced20279fb7f8a7b03120a527fbd8dfd26cef37272cd74aec3e6209342739181f77879236df2cf77de74b87c988677de4bfeb8cd5ebdd2f422e33b40c0c34
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKkFlplYyfQ:v+dAURFxna4QAPQlYgkFlplYyfQ

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	6f99b05458d778055d7493a9490adadd.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2160	2892	6f99b05458d778055d7493a9490adadd.exe	89
PID 2892 wrote to memory of 2160	2892	6f99b05458d778055d7493a9490adadd.exe	89
PID 2892 wrote to memory of 2160	2892	6f99b05458d778055d7493a9490adadd.exe	89

C:\Users\Admin\AppData\Local\Temp\6f99b05458d778055d7493a9490adadd.exe
"C:\Users\Admin\AppData\Local\Temp\6f99b05458d778055d7493a9490adadd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
12KB

MD5
79428cc23548e0d6da873f843d082b34

SHA1
093dc89250f86dec70ebdc1b1402c1d537457512

SHA256
5bb7e6fc093fea5c510b4264395aa609efcfdb5f99db639366b363bca6615525

SHA512
c29f87f258a3a9f072a07137f50f852eb824bb252cab2386c7a88a1927798562e889cedb9ff470f5dff1d1927cd1e77f2745ba07400867a149e1cf4fdf54ae41

Download Submit