Analysis
-
max time kernel
149s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 02:55
Behavioral task
behavioral1
Sample
c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
Resource
win10v2004-20240426-en
General
-
Target
c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
-
Size
9KB
-
MD5
036b9780123ccf9b3ca23e1353e28078
-
SHA1
e4f76b5970ef1b0f9f01a1aecc8037c1ed4f01f7
-
SHA256
c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274
-
SHA512
7f50cd548bea36a49e8470bd3662600bba05a54c56131b559c11bbdd7164df7c4d384a4ed4d16515af22c0ecae603b9d1681f28fcc2fde89f62c47b2e6ff3ae8
-
SSDEEP
192:IFsXvZsk3d/ZcfFaQZT6CSJB8Oye3Q4pagU5lLOqN:asX7d/ZctaQZT6CSB8Oye3Q4K5pX
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
UPX dump on OEP (original entry point) 3 IoCs
resource yara_rule behavioral2/memory/1568-0-0x0000000000400000-0x0000000000406000-memory.dmp UPX behavioral2/files/0x0007000000023305-5.dat UPX behavioral2/memory/1568-8-0x0000000000400000-0x0000000000406000-memory.dmp UPX -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe -
Executes dropped EXE 1 IoCs
pid Process 4872 szgfw.exe -
resource yara_rule behavioral2/memory/1568-0-0x0000000000400000-0x0000000000406000-memory.dmp upx behavioral2/files/0x0007000000023305-5.dat upx behavioral2/memory/1568-8-0x0000000000400000-0x0000000000406000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1568 wrote to memory of 4872 1568 c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe 83 PID 1568 wrote to memory of 4872 1568 c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe 83 PID 1568 wrote to memory of 4872 1568 c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe"C:\Users\Admin\AppData\Local\Temp\c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
PID:4872
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD571a9dc1343a0994cb5c68e5832cf634b
SHA138989980eb6df9bc6dd97f0d1f79d9cc13b82601
SHA256704af0c787e3c51003e74c575ed9f5a3da5b2868cde8b228787939c2f06d4d78
SHA512595e841e261aa0640ac10f7f9eaa93b9901ba4e0697c7b5ba86e2e9dc8faa422964933a2179566bcf0d7bccd3dbc49bb246dc3aac2bc061bb5a08830e2e965f6