upatre | 6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe
Size

13KB
MD5

ebf4745019fc875de4a7a4c6b565a4fb
SHA1

c4e432fe5c625072489b0162e1b07037890f81c0
SHA256

6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d
SHA512

6c79722749b8ff5281e136ed1168f84cdf8b861bee260ee1ce143a305b155433e1ec3e7dd8375f0bfa41fe2aa82401b087fa447f5d31e06e3195c18c0f7313ab
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKUAylUmWmtsu:v+dAURFxna4QAPQlYghxKUAyl9Wml

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Upatre family
upatre

Executes dropped EXE 1 IoCs

pid	Process
588	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe
2124	6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 588	2124	6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe	31
PID 2124 wrote to memory of 588	2124	6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe	31
PID 2124 wrote to memory of 588	2124	6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe	31
PID 2124 wrote to memory of 588	2124	6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe	31

C:\Users\Admin\AppData\Local\Temp\6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe
"C:\Users\Admin\AppData\Local\Temp\6e491367d25b8ef313401220f744d9f3c8010d0448362d68d6e400beb86b287d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
14KB

MD5
1bb82b1777b20f1757c0dc54e9a3f633

SHA1
fe3f53e830e83a57adcd67aac3ec760f67955790

SHA256
4dd6e14db8303b91f480fad4208e78ecf7cce4c5c519f7f13d78830d37b787a8

SHA512
5b030b1e244246176e46f00c8764837da80517fedfb7e25d875124bbfc4a6952a4cc9c504e70395446c04eb1183616da5e323ad3f64c8acd6fc36fbc0448bc69

Download Submit