upatre | a11b40f95a5718651867a18797eef2a04049ea5e0f643b92ee7750a40ff6c41c

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7723ecdaa7848d9749ab4a5a1878f0b0_NeikiAnalytics.exe
Size

8KB
MD5

7723ecdaa7848d9749ab4a5a1878f0b0
SHA1

3233aed74a7e8867cdd013db464e2ffc02b269a8
SHA256

a11b40f95a5718651867a18797eef2a04049ea5e0f643b92ee7750a40ff6c41c
SHA512

3c6c731445ae0700a6a7ac19646cb91230d88b1a99f327eb929e3f15284c15221a43657c92dfe79b51d0946237ddd28c569d517a06aaffd847cb917be551c8b6
SSDEEP

192:IFsXvZsk3d/ZcfFaQZT6CSJB8Oye3Q4pagU5lLf:asX7d/ZctaQZT6CSB8Oye3Q4K5pf

Score

10^/10

upatre downloader upx

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	7723ecdaa7848d9749ab4a5a1878f0b0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	szgfw.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3216-1-0x0000000000400000-0x0000000000406000-memory.dmp	upx
behavioral2/files/0x0008000000023413-5.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4516	3216	7723ecdaa7848d9749ab4a5a1878f0b0_NeikiAnalytics.exe	82
PID 3216 wrote to memory of 4516	3216	7723ecdaa7848d9749ab4a5a1878f0b0_NeikiAnalytics.exe	82
PID 3216 wrote to memory of 4516	3216	7723ecdaa7848d9749ab4a5a1878f0b0_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\7723ecdaa7848d9749ab4a5a1878f0b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7723ecdaa7848d9749ab4a5a1878f0b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
8KB

MD5
771ddff42dd3ed1cea2e1a1b968cf274

SHA1
e49c117049ee2a7ba770977dc0c91f65fe70f231

SHA256
bea69887c02db9dc047b5641babbb7caed16f36b8647175b62ff9d1757ab2c74

SHA512
903bfcddef334a9e2ceb1bc558a3a7dabec2a6407fe317d2403755facafcacf827de8715250b17277ca59a6cbaa8b1cbc5e73e5106ca0fe4c2bff97d0a4d1fe2

Download Submit
memory/3216-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download