upatre | ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe
Size

57KB
MD5

2ac400de0145dd620833ce652b43c464
SHA1

167e29363266f1de568c2d7dcaf744534f5842fc
SHA256

ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a
SHA512

84b405d83e449f4b9ade212cceac82ce5756a83fe8e85c61ac68e28af4aa07d29c99e6fafd74be8dfba04fa6710ad23b28422fae1056c382931ae49f72711946
SSDEEP

768:v+xAURMDKRji3xVfIs3rtC5bdFrCZa2fCOoj5ZuLHXMZLXPJHPLk182440yqspTb:vCWDKUlsCZD1mh8txVQnlRIlz

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe

Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid	Process
3484	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exeszgfw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe

description	pid	Process	procid_target
PID 3140 wrote to memory of 3484	3140	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe	86
PID 3140 wrote to memory of 3484	3140	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe	86
PID 3140 wrote to memory of 3484	3140	ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe	86

C:\Users\Admin\AppData\Local\Temp\ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe
"C:\Users\Admin\AppData\Local\Temp\ab6a6c8161abd6c9c106643a36f39bea0c24b8c4399991fd12fec6377db3af6a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
58KB

MD5
9da2ac889aedd316e7de5152ba2c6c3b

SHA1
92753aed8b857e85f3b903494a65be8336b47204

SHA256
1a296d4fa5728a31b2180cb4954203775848fa1c22909b32a3ccf384d07dee70

SHA512
cb0bb0e7d1ae382c3c074f8e0fb5a04967d67143b853699e7e75f02b2cd41674c915d0cbef7cb171ee906300102f12e1ce54469fb03dade8a9b8bd12608fbb9e

Download Submit