upatre | 0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d.exe
Size

4KB
MD5

18a51c9efe860d9856ca2c934f4403bd
SHA1

62269c42fcf2d2ba123c2411af2cdb4d1f15495f
SHA256

0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d
SHA512

d01e661b201dd8ffef016c21be23ad7de974c197b55f8416b3f68ed118570c3ab21625ce29afbc22f35a9cd246f1c4220d9bbeac8e20848aa5a93a4aa8a1780b
SSDEEP

48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RslP6nA7B8mOo4jUx7OtKGc32:Z0v4mUWKh9ctgC1RGynKymV44Shi2

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2736	116	0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d.exe	91
PID 116 wrote to memory of 2736	116	0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d.exe	91
PID 116 wrote to memory of 2736	116	0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d.exe	91

C:\Users\Admin\AppData\Local\Temp\0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d.exe
"C:\Users\Admin\AppData\Local\Temp\0bd63792e194c7cf1b02d73bbb916f8ac373adfe036e1e14f1836bf54c4d470d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
a63a6dce0965f9fc93d42af3b1e17787

SHA1
3bdead9a149bea98f486d8f293af1ac496e6afbb

SHA256
fedd09fdbebfd1ad3fe813c6bdc4ef1b1c6052e52a500d9c207fae15c0ae1224

SHA512
e1f461da78ed308a912ac9ebf7d5a230ca3de8fa48f681110fbed3c6bb345395127bf9dfbf34ed2aeb144f059a19c94a69474f882eca30f745b5e49151913890

Download Submit