Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-09-2024 18:50
Static task
static1
Behavioral task
behavioral1
Sample
6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
Resource
win10v2004-20240802-en
General
-
Target
6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
-
Size
4KB
-
MD5
81211f974db6eea0112d731358065cd6
-
SHA1
3bd39ad5df928ad1b7ad1b5a58d94ecc9fdfbd13
-
SHA256
6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0
-
SHA512
429584d80c9a7f9496bc9196f4ced315189dc664194a93987d12fa0c64c3a0ebe5f90d99a38c3fceddd5fba61952fa7aa3e44d8b9d0bad12a7c52f0f03b92e00
-
SSDEEP
48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91Rs/bnA7B8mOo4jUx7OtKGc:Z0v4mUWKh9ctgC1R+bnKymV44Sh
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation; Process: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
-
Deletes itself 1 IoCs
Processes:
szgfw.exe
pid: 4860; Process: szgfw.exe
-
Executes dropped EXE 1 IoCs
Processes:
szgfw.exe
pid: 4860; Process: szgfw.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
szgfw.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: szgfw.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
description: PID 1528 wrote to memory of 4860; pid: 1528; Process: 6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe; procid_target: 82
(the same entry is recorded three times)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6e6c1885075ba4d3978fd9abd1726c0ec57eeef2592b3a22f60ca68edac3dab0.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1528
   -
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4860
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4KB
MD5
88b0dbd9d2c5a5508d601f1bae962ea7
SHA1
14bc5dd6af0695c58f90f0428aae401a54f3e799
SHA256
ae61c70dd7cca9fe380dcf161b498152a3ab489136637ac46675453602e8e839
SHA512
1f6b75943b99f5b53718358bf5f50adc4fa0d921797c9c2e8b04dcdc4934c331aedfc107589a31598dd179dae5358a29710d871cb3187f194e58b202c957e85e