upatre | e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe
Size

25KB
MD5

4cdeb433c74c5f0c4c39b1acbb5da210
SHA1

e8b692733c8e215f4e10598bb1a23573236a006b
SHA256

e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20
SHA512

eac2e6f18098a1019360b14ee8f620d45ed3e17a9804bdab191470183e933667bc300235fc75676a92825e824cddbb6002ebd42068baf26c56c1abfcb9770f42
SSDEEP

384:bK+xKfzQ2XFpOQGR9zos2clAKLHRN74u56/R9zZwu99g5Fg:W+xAUiXOQ69zbjlAAX5e9zX

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe

Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

868 szgfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
868	szgfw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exeszgfw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe

description	pid	process	target process
PID 3812 wrote to memory of 868	3812	e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe	szgfw.exe
PID 3812 wrote to memory of 868	3812	e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe	szgfw.exe
PID 3812 wrote to memory of 868	3812	e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe
"C:\Users\Admin\AppData\Local\Temp\e106d8bc526d56580e17d1ccee8dab73ce808f10e30e89a53b03c8b783990a20.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
25KB

MD5
12f68ae9b1ad7ea87bf26be9eec987c1

SHA1
5da9713dda11e052a7838df164b0f05bfd7c5879

SHA256
8a59dd9be9222685ed296d301383e1e2c2866049ebaea106ffeffdc3eba87855

SHA512
6924718328e82f7da41fa742f1de8a9947353e57d624222ce2f691a9d32c7b6bdbf72cfb54e4e5d2b29d9087122e06e9f07c148bdcc6241ac376bc605b1b8928

Download Submit