upatre | bd309242a9fc345c42573920f71608a24e91fa36658f1a9e5b44359c0a3a2292

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1633e367e9d7a04b9bbc2303415a510N.exe
Size

5KB
MD5

d1633e367e9d7a04b9bbc2303415a510
SHA1

0ad573faf575cc34e513d59123066acb0b0e412b
SHA256

bd309242a9fc345c42573920f71608a24e91fa36658f1a9e5b44359c0a3a2292
SHA512

cb79d4ab2a1bccbd35040dbb73af98f841d9a850fccb348dc3e4283e0c3ae96b3901377e1c0f323b122053ebe5cda596bf63ddcdaadaba8d0d0b96a99394dd7f
SSDEEP

96:Z0v4mUWKh9ctgC1R66nKymV44ShR1qqzhS:9mUWKs/66nKfzShXg

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	d1633e367e9d7a04b9bbc2303415a510N.exe

Executes dropped EXE 1 IoCs

pid	Process
852	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1633e367e9d7a04b9bbc2303415a510N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 852	3264	d1633e367e9d7a04b9bbc2303415a510N.exe	86
PID 3264 wrote to memory of 852	3264	d1633e367e9d7a04b9bbc2303415a510N.exe	86
PID 3264 wrote to memory of 852	3264	d1633e367e9d7a04b9bbc2303415a510N.exe	86

C:\Users\Admin\AppData\Local\Temp\d1633e367e9d7a04b9bbc2303415a510N.exe
"C:\Users\Admin\AppData\Local\Temp\d1633e367e9d7a04b9bbc2303415a510N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
5KB

MD5
852a492c218fb2e3f2c662699d4b2a3d

SHA1
6afedfddf9f5ef604bb23b4f9dbdbed0adedc867

SHA256
2efcb013cfe6bfc89f3e9167854024ee42b4199f3e1b86bfcfb06f1ce798ece9

SHA512
4545b0fc26647135f476c3a94a8101879c73402e69f7ae8c4f29a4fe807259ac9e3f2861e5a135dd59cc5bb7ccbadab5aa60b23954f90cda80e9279e676dbfb5

Download Submit