Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06-12-2024 07:54
Static task
static1
Behavioral task
behavioral1
Sample
c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe
Resource
win10v2004-20241007-en
General
-
Target
c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe
-
Size
13KB
-
MD5
335c88456648790ac95362c50db3f8dc
-
SHA1
27a28742a7cd5fd5be1400ca2cd307cfbe3d6eac
-
SHA256
c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb
-
SHA512
ba193d4481e3dcbd86a27a10968b8abe126110a230293d488e22e8274f72c89e39a33e076179d6704ee7bdb1b6a0ff51ecadc087ae876b3d2437aa5adb81a933
-
SSDEEP
384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKUAylUmWmtsb:v+dAURFxna4QAPQlYghxKUAyl9Wm4
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Upatre family
-
Executes dropped EXE 1 IoCs
pid Process 2104 szgfw.exe -
Loads dropped DLL 2 IoCs
pid Process 2492 c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe 2492 c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2492 wrote to memory of 2104 2492 c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe 31 PID 2492 wrote to memory of 2104 2492 c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe 31 PID 2492 wrote to memory of 2104 2492 c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe 31 PID 2492 wrote to memory of 2104 2492 c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe"C:\Users\Admin\AppData\Local\Temp\c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
PID:2104
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5ad6588a0dc48253f9ca7d58060cb0295
SHA1e0830cd21fbe40d36efb8eb5b0eb5187a17b4396
SHA256d126932445fb0039eae7ec5b26dbdbaa3fe921ce3c8382f34fee81fbff713ec7
SHA512b6c0128b57f5246c17315d809a7ff7523a4f13575ecb42c42501cd3d9fb7fb478f37cd2484dc8dff7de36f78b544d6d28fc57a473c82dbeb6cb4e0e33115aecc