Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 04:43
Static task
static1
Behavioral task
behavioral1
Sample
d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe
Resource
win10v2004-20241007-en
General
-
Target
d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe
-
Size
13KB
-
MD5
f6dee26e462aa2e5fbc380cae996d3f0
-
SHA1
7191102b294e3a1d45c2d0230afe26ea390bbc18
-
SHA256
d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806
-
SHA512
7ecd05b0437ddd055ba354ca82b2151dba7a42022bf7f428c6bf12342d127950ba9f5614dbdc7ba9aabdfa100e65c4e39038e3bc355b9f29e472b838fa3ac78c
-
SSDEEP
384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKUAylUmWmtsh:v+dAURFxna4QAPQlYghxKUAyl9Wm4
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Upatre family
-
Executes dropped EXE 1 IoCs
pid Process 2500 szgfw.exe -
Loads dropped DLL 2 IoCs
pid Process 2272 d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe 2272 d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2500 2272 d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe 30 PID 2272 wrote to memory of 2500 2272 d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe 30 PID 2272 wrote to memory of 2500 2272 d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe 30 PID 2272 wrote to memory of 2500 2272 d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe"C:\Users\Admin\AppData\Local\Temp\d909b9679d24c9826912193eec624363753f67aca0d614248e1601c49ce1a806N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
PID:2500
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13KB
MD5b6b05d6b39887e182c38273954c441b4
SHA12f38cecf71dbcb63ecfb6269fde2b67f617831ff
SHA256ead5c9931dbea16cd2f6200abdfc9f062c39c411161d7df81249fad55ff153de
SHA5126d92d9b09efc2613dffd60d91d40534678f2767d5ba04fb15474adacddf3f077142c9ee6a63f3411f6211c92ba2dc48955f420d3dc74af4acb9fded051d36a55