Analysis
max time kernel: 33s
max time network: 27s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2024 06:12
Static task: static1
Behavioral task: behavioral1
Sample: 275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe
Resource: win7-20240708-en
General
Target: 275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe
Size: 11KB
MD5: cfb689cffbeca7ceaffdac627b209c13
SHA1: 7d37df83a837496f45a8b85f0a37ca3c9a8236c3
SHA256: 275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14
SHA512: 9ca4726f84cfb592295c6da066c13eb89ba8dfc4c6fcc71aea16af26cc3d236c095a801833aa115e978581376aa8e68254520ce5ede30dcd835ad7a5dbc7b35b
SSDEEP: 192:9mUWKs/RnKfzShH/JFxRmyja4QhiP7UlZSyGjpjWD7jqPlyjGwQ:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7W
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Executes dropped EXE (1 IoC)
  PID 2756: szgfw.exe
- Loads dropped DLL (2 IoCs)
  PID 3044: 275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe (2 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 2564: taskmgr.exe (20 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2564: taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2564: taskmgr.exe
- Suspicious use of FindShellTrayWindow (50 IoCs)
  PID 2564: taskmgr.exe (50 occurrences)
- Suspicious use of SendNotifyMessage (49 IoCs)
  PID 2564: taskmgr.exe (49 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3044 (275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe) wrote to memory of PID 2756, procid_target 30 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe"
  PID: 3044
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
    PID: 2756
    - Executes dropped EXE
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2564
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: 83eb82d88c202e91e54330e39ddb0204
  SHA1: 297ae7928fabcfdc5df4cb157f1015bea78e0698
  SHA256: 4324fc6ca1d3cd7a73f1331e12364cf911f3cbf5636143b600deb2968dbea94d
  SHA512: 522f410d38fb6af7368f36b857142eac38194b2fd4581e5a1868f4e8ba4226bd506ff0c6e670ac1a68ccec2d83231abc5f7a56f0bde14dd9d933cb923caa6d50