Resubmissions

03-08-2024 17:20

240803-vwsnzazdln 10

27-07-2024 00:13

240727-ahwhgsxcjb 10

Analysis

  • max time kernel: 61s
  • max time network: 61s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 03-08-2024 17:20

General

  • Target: 865c19fbb9dbdbb54ba4d9caad29720d25d77a3ddbbcc1708e372d7bc2a3d388.exe
  • Size: 38KB
  • MD5: e097419880fda699d17e6f8eacb660c2
  • SHA1: 81bd0b318fe5b662ccdef14c1e0900f87284747c
  • SHA256: 865c19fbb9dbdbb54ba4d9caad29720d25d77a3ddbbcc1708e372d7bc2a3d388
  • SHA512: 440e2d86cea3f7bbde8a97add8db0f8e605222304e6d43dca99c48b38bf08d083c47c8bdf88009a5f0159fc7df6d7766c96a3ec5b20ca935d4c20c0cfbe329d7
  • SSDEEP: 768:v+dAURFxna4QAPQlYgkFlplVDuyUylyylylytlylySyPyb+L7Gdr/5syyoEdylYc:v6wosj+swSdes

Malware Config

Signatures

  • Upatre
    Upatre is a generic malware downloader.
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Browser Information Discovery (1 TTP)
    Enumerates browser information.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (26 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\865c19fbb9dbdbb54ba4d9caad29720d25d77a3ddbbcc1708e372d7bc2a3d388.exe
    "C:\Users\Admin\AppData\Local\Temp\865c19fbb9dbdbb54ba4d9caad29720d25d77a3ddbbcc1708e372d7bc2a3d388.exe"
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2888
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff21d6cc40,0x7fff21d6cc4c,0x7fff21d6cc58
      PID:2020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1984 /prefetch:2
      PID:364
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2160 /prefetch:3
      PID:3800
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2328 /prefetch:8
      PID:4776
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
      PID:1220
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:1
      PID:4852
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:1
      PID:512
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:8
      PID:1760
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
      PID:1396
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
      • Drops file in Program Files directory
      PID:4124
      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff755544698,0x7ff7555446a4,0x7ff7555446b0
        • Drops file in Program Files directory
        PID:3956
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4464,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:1
      PID:1992
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4720,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:1
      PID:4468
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5168,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5540 /prefetch:1
      PID:4532
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5756,i,4662423629362997178,5444240885602546277,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5752 /prefetch:1
      PID:5084
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    PID:3852
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 240B
    MD5: cd578f8da5dc868cd4132d15e05fd3c1
    SHA1: 6e168fb5e366d34028fedd1fc2becf9b096868c8
    SHA256: 7513b620fade694c578c64e454a96a2a198e8a050ed6213f49569ba5099755f6
    SHA512: 67422d9866621a631252cb7285d6c9f66fed63fb75ae4227fbdb73584d051ba0af1a4196d4f26de7f733dd143e3f987abc144e8644abf2026cd251597487466c

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 354B
    MD5: 3899ee9cd461c2d33faa23135c3435b8
    SHA1: dc16a0b305e86cba6203dae4861ad21da754ad0b
    SHA256: 0ae05afc57cc5b1b39b57a5a2630d5afb3f8e5685fe30a5da2d2f1d3a0506b72
    SHA512: eb1e09bbbad43aea839b424ab1212e4ce45fa72bacb8a3f9741f816b4f7cc81acbf1e9c31d0cfa30df72ec3fbe29c877499719a03f2b3c72b5d3f02a5c97b3bb

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 684B
    MD5: 9ec9f28062b1d93a5b2e46efbaf053f0
    SHA1: 6e864b09381b4c00821fa3edc3633c695e4ac2ee
    SHA256: d2b2ec0ba9cf29473ff1fecd18f92205cb222c4604b35b8c171032f7fe959290
    SHA512: da56a58819a74e8498b210349dd5ffb5ee2d5ec1a15611ae627a4fa72532706f076e84fff9db224d73168ab3544a115b2824ad6964edaf1a85f1ace289c77dd9

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 113fd7da737a85e6a9236c1346b203ba
    SHA1: e5de64872673a25c961db698594284e22f6bc47e
    SHA256: f368dfa644d48506c40a340d3163f44fe7efd90dad213038b4080591b41b0811
    SHA512: 5285283103686ce9345649e27fbe6ccaef29a65f5b5a2542486fe9f179e3309ed9612629c011fbb9b9267675a602dd039bbe8e79e664858dd0e40c5b4ef0eb40

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 8KB
    MD5: 92c34cc530e8559155574a6a55518f34
    SHA1: 02426adba30321b92203e6d1ffb56c275b5bf44d
    SHA256: 40dd4e85f652c7f50ab0907324f468d133e541dd71bb781a0afaee0af2b3bb39
    SHA512: 9fe032339dcc898c4762f0549c1ca14d9a408472c7abefc20a875bb8daefae78883aac23790813765cd5fa8751bd462f25224199b4d59b60a4b207450874cccd

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 18a7d9dac8a5c1ec3ee0996fbc774cd5
    SHA1: 00cac97a54b77ce8e0340fb84fae08e11feeee3c
    SHA256: 5c42d733551d02be537f6b6d6d6730c463b5123c48201bf66a96deb2d840e4a0
    SHA512: 4e190c3185b76306ab309e39b17d14943a70224b0886559e37beae9c7fd74defc281ad8b87c9e909872e0f795187004a35d234e009e83f6b931eff58775e99c7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
    Filesize: 15KB
    MD5: 4ccab126ac454fed09afb25c0be90818
    SHA1: ded8779f2baeb833b519aac270d691ba919e032a
    SHA256: 7762723a947c5bff66cce45431a98f05bc542b10f552350fa1645527da6376b9
    SHA512: cde0f18f5bc29395de01a6277ad6d86e612b42f5cb1e0e189d30267ff7592b097991a6ca51add64eb19c320e896144b8cf5443a936b90a81f023f17426ace382

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 195KB
    MD5: 0d1e75c1b1f826d16865bb46a9efe59e
    SHA1: 3da64d002b1b255734aa508dbade45838efe551c
    SHA256: 6ee353114513fdc8e4abb1aee72bc9ffd7c4fb7fe95f2b259f3aea9582331f50
    SHA512: 1da0f02eff923d72d9d0110d19602e464f5a8c4cec8c4302103e7750354d63f3ab4b48dd2c29423179944751799df061eef1a56d9e359b8ebb476d8be7eaa399

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 195KB
    MD5: b946e8cbfe3ba4b753a86bd794b77372
    SHA1: 5baf375613ea94ae83186b1075d3516ceccf3811
    SHA256: dc518362274300f47564fbb5844ee2d76add525f5c9792a2bf4bd73ba0080ce1
    SHA512: d4b168466791ea57965e31fb635afb2319575ef6dcb0fbda568c431b7406de7905a8df0f0f95a708d66f24d8624673c5cc1d282b6423a10de50762f7d4321d9e

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize: 38KB
    MD5: 101c6ddd93ffb0f74bac5d8fbab7da11
    SHA1: c8d4d37b81864dadca022fa04ded24531d892a30
    SHA256: 3f427257eed83a667883a009da7d8c0caf968138a17b79090d6778bd182a1801
    SHA512: 3cdde6c5bd0ca4b903a3cc4abfeb7f3b54072b2df4fef811afd605bf0028cd5b9d97fd4b4f26aef36c22ea9538a6ec4e5c7ea4cabe7f5cacac7a49ca8297b160