Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2024 20:59
Static task: static1
Behavioral task: behavioral1
  Sample: 0615da8d90f0e5ae26f51570f94307a0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 0615da8d90f0e5ae26f51570f94307a0N.exe
  Resource: win10v2004-20240704-en
General
Target: 0615da8d90f0e5ae26f51570f94307a0N.exe
Size: 70KB
MD5: 0615da8d90f0e5ae26f51570f94307a0
SHA1: 0b27b13e7d70cd7b3086d5a65c70bfb8b37f9462
SHA256: af9aa95f110a746797ee9e01cec1da5d77b0cae81c7f404d900f3469a1192677
SHA512: ccf96ac7c022cd72788f72b220d5490be1a4826323df419c509929e7842d2fb19ad1978af3271d2c6926086768dd363a0a7c89caadeb4eb07e41e8870b99d6b3
SSDEEP: 1536:5Y9jw/dUT62rGdiUOWWrMffJ+AxM+I+ceWgP/KmVQoc:5Y9CUT62/UOVMffJ+AW+I+cP
Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation  0615da8d90f0e5ae26f51570f94307a0N.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2380  szgfw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process                                procid_target
  PID 244 wrote to memory of 2380  244  0615da8d90f0e5ae26f51570f94307a0N.exe  85
  PID 244 wrote to memory of 2380  244  0615da8d90f0e5ae26f51570f94307a0N.exe  85
  PID 244 wrote to memory of 2380  244  0615da8d90f0e5ae26f51570f94307a0N.exe  85
Processes
1. C:\Users\Admin\AppData\Local\Temp\0615da8d90f0e5ae26f51570f94307a0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0615da8d90f0e5ae26f51570f94307a0N.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 244
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      - Executes dropped EXE
      PID: 2380
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: 131bb6e335b55bade09bad68a37ea180
SHA1: e7d1b6d057df9b87e37e90f597b4ab9f28b3e0c3
SHA256: 85ab9ffe5713dfc25f0ec652c670f1f029b7734c6634fc23f0684c5d17f3958f
SHA512: eee1ae4e88941e60f8d1341b5bb32958d5ae05ea4e53dfa848e875622dec36c9a5734315856ae5b445c2c907e51ab522074021a23f123c742c5fbe6ac6125384