upatre | ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 01:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe
Size

57KB
MD5

2ac400de0145dd620833ce652b43c464
SHA1

167e29363266f1de568c2d7dcaf744534f5842fc
SHA256

ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a
SHA512

84b405d83e449f4b9ade212cceac82ce5756a83fe8e85c61ac68e28af4aa07d29c99e6fafd74be8dfba04fa6710ad23b28422fae1056c382931ae49f72711946
SSDEEP

768:v+xAURMDKRji3xVfIs3rtC5bdFrCZa2fCOoj5ZuLHXMZLXPJHPLk182440yqspTb:vCWDKUlsCZD1mh8txVQnlRIlz

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe

Executes dropped EXE 1 IoCs

pid	Process
3484	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3484	3140	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe	86
PID 3140 wrote to memory of 3484	3140	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe	86
PID 3140 wrote to memory of 3484	3140	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe	86

C:\Users\Admin\AppData\Local\Temp\ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe
"C:\Users\Admin\AppData\Local\Temp\ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3484

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=148727B2374765E42684336136A764DD; domain=.bing.com; expires=Sun, 31-Aug-2025 01:15:09 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0BEF9EC86E5A43BDA43C64DA680DC5B6 Ref B: LON04EDGE1216 Ref C: 2024-08-06T01:15:09Z
date: Tue, 06 Aug 2024 01:15:09 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=148727B2374765E42684336136A764DD

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=pfdhGb59rDIL8dHGQg2-JbE31dLHU3brAe8HC2m8JK8; domain=.bing.com; expires=Sun, 31-Aug-2025 01:15:09 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 34C1004D25D14F408014EA060C4590AE Ref B: LON04EDGE1216 Ref C: 2024-08-06T01:15:09Z
date: Tue, 06 Aug 2024 01:15:09 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=148727B2374765E42684336136A764DD; MSPTC=pfdhGb59rDIL8dHGQg2-JbE31dLHU3brAe8HC2m8JK8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8927184202A24E19858D09D9B4A0E0CF Ref B: LON04EDGE1216 Ref C: 2024-08-06T01:15:09Z
date: Tue, 06 Aug 2024 01:15:09 GMT
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

192.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

192.142.123.92.in-addr.arpa

IN PTR

Response

192.142.123.92.in-addr.arpa

IN PTR

a92-123-142-192deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b77c2fd4ec7f47ad880120a47cf4b180&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

192.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

192.142.123.92.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
58KB

MD5
9da2ac889aedd316e7de5152ba2c6c3b

SHA1
92753aed8b857e85f3b903494a65be8336b47204

SHA256
1a296d4fa5728a31b2180cb4954203775848fa1c22909b32a3ccf384d07dee70

SHA512
cb0bb0e7d1ae382c3c074f8e0fb5a04967d67143b853699e7e75f02b2cd41674c915d0cbef7cb171ee906300102f12e1ce54469fb03dade8a9b8bd12608fbb9e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.