upatre | 6a9a00150543560eb86f884174bc8ca28570085dab388b6c5fdbc0d8a72daebc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f72ace1c78b8be6aff17c6ff469959bd.exe
Size

103KB
MD5

f72ace1c78b8be6aff17c6ff469959bd
SHA1

0ca8814441060b982aac1baed31b93a9681ebc94
SHA256

6a9a00150543560eb86f884174bc8ca28570085dab388b6c5fdbc0d8a72daebc
SHA512

3a1c1a75b4f06b741114639ecdb7eee3440a638b67ac315bb4d4e08686d6f48294f24590bbe691767f168891daa4ce5514579a5858ee67c732a7c348dc141673
SSDEEP

3072:iY9CUT62/UOVMu8i8N898b8XN8X98XGH4:iY9C8QyZ

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	f72ace1c78b8be6aff17c6ff469959bd.exe

Executes dropped EXE 1 IoCs

pid	Process
1016	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 1016	3636	f72ace1c78b8be6aff17c6ff469959bd.exe	89
PID 3636 wrote to memory of 1016	3636	f72ace1c78b8be6aff17c6ff469959bd.exe	89
PID 3636 wrote to memory of 1016	3636	f72ace1c78b8be6aff17c6ff469959bd.exe	89

C:\Users\Admin\AppData\Local\Temp\f72ace1c78b8be6aff17c6ff469959bd.exe
"C:\Users\Admin\AppData\Local\Temp\f72ace1c78b8be6aff17c6ff469959bd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
104KB

MD5
bcd7e2d451f383f4fc9b8c19037647c8

SHA1
cc63ffab1dad1546493ba5dbde6065b96206f845

SHA256
843aaa7f4312877e9c41e4e1d35adfaa8ffd51f56831ed75d591fb230624694d

SHA512
9db91d53636320b3b1b96b2fe9ea5fd6e6e110f4b6fae183138e05937a16ada3a5fa47760545e86a534f50690b4eee6fc8efb913527ff26289e1192c02ad5c21

Download Submit
memory/1016-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3636-1-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3636-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download