Resubmissions
25-09-2024 14:04
Analysis 240925-rc8z3aserg (score: 10)
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2024 14:04
Static task: static1
Behavioral task: behavioral1
  Sample: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral4
  Sample: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
  Resource: win11-20240802-en
General
Target: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
Size: 4KB
MD5: 81211f974db6eea0112d731358065cd6
SHA1: 3bd39ad5df928ad1b7ad1b5a58d94ecc9fdfbd13
SHA256: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0
SHA512: 429584d80c9a7f9496bc9196f4ced315189dc664194a93987d12fa0c64c3a0ebe5f90d99a38c3fceddd5fba61952fa7aa3e44d8b9d0bad12a7c52f0f03b92e00
SSDEEP: 48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91Rs/bnA7B8mOo4jUx7OtKGc:Z0v4mUWKh9ctgC1R+bnKymV44Sh
Malware Config
Signatures
Upatre
Upatre is a generic malware downloader.
Deletes itself (1 IoC)
Processes (pid, Process):
  2400  szgfw.exe
Executes dropped EXE (1 IoC)
Processes (pid, Process):
  2400  szgfw.exe
Loads dropped DLL (2 IoCs)
Processes (pid, Process):
  1640  6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
  1640  6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, Process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  szgfw.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description, pid, Process, procid_target):
  PID 1640 wrote to memory of 2400  1640  6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe  30
  PID 1640 wrote to memory of 2400  1640  6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe  30
  PID 1640 wrote to memory of 2400  1640  6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe  30
  PID 1640 wrote to memory of 2400  1640  6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe"
  PID: 1640
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\szgfw.exe (child of PID 1640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
    PID: 2400
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: 88b0dbd9d2c5a5508d601f1bae962ea7
SHA1: 14bc5dd6af0695c58f90f0428aae401a54f3e799
SHA256: ae61c70dd7cca9fe380dcf161b498152a3ab489136637ac46675453602e8e839
SHA512: 1f6b75943b99f5b53718358bf5f50adc4fa0d921797c9c2e8b04dcdc4934c331aedfc107589a31598dd179dae5358a29710d871cb3187f194e58b202c957e85e