Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 01:18
Static task
static1
Behavioral task
behavioral1
Sample
a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe
Resource
win10v2004-20240508-en
General
-
Target
a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe
-
Size
4KB
-
MD5
0225c371180a7951cda9632103c92edd
-
SHA1
c7d589cbb0c9a5b1cdaae9c7ccc3fd43a5ce177f
-
SHA256
a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6
-
SHA512
104751efde2cd1cc773acf6d57dfbfe5f81e6a77ca83d8617eae3a6cbebe5f2cacce6b4ee51976234d8ba9113504e7212656f2cc3539cc2986f223b83debef46
-
SSDEEP
48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RsDgZnA7B8mOo4jUx7OtKGc:Z0v4mUWKh9ctgC1RFnKymV44Sh
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe -
Deletes itself 1 IoCs
pid Process 3744 szgfw.exe -
Executes dropped EXE 1 IoCs
pid Process 3744 szgfw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5044 wrote to memory of 3744 5044 a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe 85 PID 5044 wrote to memory of 3744 5044 a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe 85 PID 5044 wrote to memory of 3744 5044 a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe"C:\Users\Admin\AppData\Local\Temp\a0cb4f7f3c939cc3fd95d8392c08b8a339da6ee21d9fb39770a2cf28a8189aa6.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Deletes itself
- Executes dropped EXE
PID:3744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57bfe4bddb1eacbe0b3b9465cc3bb3bf5
SHA1d2ac0919d149e417d5f5e15d2d4ecebd990e7117
SHA256163788d5555fbd7bf84f4c9d2323fd8cd8e6f522462f36ae200e2114c740d27a
SHA512946d2176f366ee851d010713f557c3980c1721025c7d668d4a5a258faafa89a7da0dc1a54017f25bd19750578fd59ae070de766a454c581e98174ee5f3f37a8b