upatre | 9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045

Analysis

max time kernel
101s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2025, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe
Size

7KB
MD5

f53201c382dc5a3c8819b8c7b294a680
SHA1

434d60962983c0bf7692c6621d304a519b8f5fc6
SHA256

9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045
SHA512

8c0b9d390729a9da3a310ac30dcdb73c176862017d485ff06b557ab671e6b051620cbc711f88a007dee97f4c4fb363443c178ff3186dd842c1834b161f791c76
SSDEEP

48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RsnnA7B8mOo4jUx7OtKGcEl/g:Z0v4mUWKh9ctgC1R8nKymV44ShJl/Xw

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Upatre family
upatre

Downloads MZ/PE file 1 IoCs

flow	pid	Process
41	1704	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe

Executes dropped EXE 1 IoCs

pid	Process
4956	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szgfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4368	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4956	1388	9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe	86
PID 1388 wrote to memory of 4956	1388	9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe	86
PID 1388 wrote to memory of 4956	1388	9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe	86

C:\Users\Admin\AppData\Local\Temp\9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe
"C:\Users\Admin\AppData\Local\Temp\9260684f202848c0c64b4e1a8358eb5f603774411a240c9523f1a6927cc61045N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4956

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTYwMkQxMTktNTYyOC00NjM0LTlCMTgtMUQyN0RCQTk2REFGfSIgdXNlcmlkPSJ7NDM0RjExODgtRUJDNS00OTNELUJGQUItNjY2RjEyNzkyNDVFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODcxQTM3RjUtMThBOS00QjI4LTgzRUQtN0MzNjM2MDJCNjk4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjUzODY0MjY1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
7KB

MD5
c598a413b86fc09cdabe6152a0833a7c

SHA1
570316374ab10b725c97f1468a9e6224b072718a

SHA256
4d58b0f356b3657aa78de7291b943e24655e089250ec4f9d957722081abcac53

SHA512
e1f8c4729815a60e6c5bb31a9f421ea0fa7b867c31711817913c7c0f9020edb24b479e7a55f3dab0045cd118adeca69d612a07ea3f3a3c668ab919bcdd1edde1

Download Submit