Analysis
-
max time kernel
149s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-09-2024 02:22
Static task
static1
Behavioral task
behavioral1
Sample
63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe
Resource
win10v2004-20240802-en
General
-
Target
63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe
-
Size
13KB
-
MD5
f154021e7f4d232f969a67d3c07f548a
-
SHA1
8aab0bcab51fb5b37bed2e7062a92c17386fc3ee
-
SHA256
63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574
-
SHA512
c3d04227b4012cfe05f4f96cce5c8f1974a34530620c536c3f21fd38cf5b5aedb834143e1c88868281c29e2bcb436d4c1353e720156f85d1d27369024b9ba284
-
SSDEEP
384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7aylryylFyylYLlmylylyy8yyCL:v+dAURFxna4QAPQlYg7aylryylFyylYw
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation 63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe -
Executes dropped EXE 1 IoCs
Processes:
szgfw.exepid Process 3548 szgfw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exeszgfw.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language szgfw.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exedescription pid Process procid_target PID 2664 wrote to memory of 3548 2664 63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe 83 PID 2664 wrote to memory of 3548 2664 63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe 83 PID 2664 wrote to memory of 3548 2664 63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe"C:\Users\Admin\AppData\Local\Temp\63463a610fea5ef1e61f1e1c971eb4f37b7eb96e12371965e7b547c31ecc3574.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3548
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD539641c3fb72a9409abf72053c4c35b57
SHA1f112e4294c1becd725590ac46d880562992477b4
SHA25685e331fbf99f6404fe919d5a78bdfb71ec294809eaa2f76b032e0b0af4a42557
SHA512cd6e20ed02fbdaf02755434499e6b28b9db5817fa99d1520d5028dbf9d783afdbba0342cf3bf76107ac9a0fc0c057ed6ab4f8ec021a2155734ed7cca78a6bf4c