Analysis

Max time kernel: 119s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 17-08-2024 02:52
Static task: static1

Behavioral task: behavioral1
Sample: 4388a62c01f922250bfc2e1f4d0a2da0N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 4388a62c01f922250bfc2e1f4d0a2da0N.exe
Resource: win10v2004-20240802-en
General

Target: 4388a62c01f922250bfc2e1f4d0a2da0N.exe
Size: 47KB
MD5: 4388a62c01f922250bfc2e1f4d0a2da0
SHA1: ec2a9fb9dc798b372c52be655d381d271f44d419
SHA256: ddb407d80571a7a4c11753ba98eaea945dc74117e648a19ee4376c6fad3dfb48
SHA512: 525a13fdd37674ae535e1b6c0966c8fe6e3ca1863e75c3afa1b171f1198f5cb9d3dec441bdaf6d7680fcc03c9833caf39cf2f405dde24ce714a293db0a41599a
SSDEEP: 768:xf1Y9RRw/dUT6vurBkUOyGAv+rlhLhddW4dU95k5mwFW1S7MTIQ/rxa:jY9jw/dUT62rKUOWWrlhLhLT4mLWMA8b
Malware Config
Signatures

Upatre
Upatre is a generic malware downloader.

Executes dropped EXE (1 IoCs)
pid   Process
2144  szgfw.exe

Loads dropped DLL (2 IoCs)
pid   Process
2316  4388a62c01f922250bfc2e1f4d0a2da0N.exe
2316  4388a62c01f922250bfc2e1f4d0a2da0N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4388a62c01f922250bfc2e1f4d0a2da0N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description               pid   Process                                 procid_target
PID 2316 wrote to memory  2316  4388a62c01f922250bfc2e1f4d0a2da0N.exe  2144 (pid 30)
PID 2316 wrote to memory  2316  4388a62c01f922250bfc2e1f4d0a2da0N.exe  2144 (pid 30)
PID 2316 wrote to memory  2316  4388a62c01f922250bfc2e1f4d0a2da0N.exe  2144 (pid 30)
PID 2316 wrote to memory  2316  4388a62c01f922250bfc2e1f4d0a2da0N.exe  2144 (pid 30)
Processes

1. C:\Users\Admin\AppData\Local\Temp\4388a62c01f922250bfc2e1f4d0a2da0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4388a62c01f922250bfc2e1f4d0a2da0N.exe"
   PID: 2316
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe (child of PID 2316)
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      PID: 2144
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 47KB
MD5: dfa5e288ea0b9e5196ffff423bec8666
SHA1: 6ae9fd9fade8e22f5df93a7ea9c28bfff20eb669
SHA256: 918f86ac53e315cf5b697abcb82cd2c3518a76c5fc163578fd795520fa92cd45
SHA512: 72e3a72e3a42a3927d073140a30406a2f3d83b38cc75adf377e45240d06a4266638602be1e89d190983a28860a8493a3011cb9766a8d00338b9d0834ff46aff0