Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20250211-en -
resource tags
-
submitted
12/02/2025, 09:50
General
-
Target
56a8f510514461f749c68b39033a117eab0e6c7af710ad9af3c0a04e9d38ed60.exe
-
Size
7KB
-
MD5
048526acfea2216074129ba69a0a3f7e
-
SHA1
aed6a308d8aff3a4dffb8c8af6a58257f75d57e3
-
SHA256
56a8f510514461f749c68b39033a117eab0e6c7af710ad9af3c0a04e9d38ed60
-
SHA512
7dcb0b17f92bffcd124bc44b52098b0617c6674821192b312200d8467d47bf1ba7dc6e7733b30682dbd02fcb086e71d744cf15b7181a882f3694755e8ec8fbbd
-
SSDEEP
48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RsnnA7B8mOo4jUx7OtKGcEl/Q:Z0v4mUWKh9ctgC1R8nKymV44ShJl/Xg
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Upatre family
-
Downloads MZ/PE file 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\56a8f510514461f749c68b39033a117eab0e6c7af710ad9af3c0a04e9d38ed60.exe"C:\Users\Admin\AppData\Local\Temp\56a8f510514461f749c68b39033a117eab0e6c7af710ad9af3c0a04e9d38ed60.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUI2QTExQTktMzRDMS00MUIwLThCMDYtQkYyQ0FDN0JCN0E3fSIgdXNlcmlkPSJ7RkEyNDgyNEMtNjcwRS00MjMwLTkzMUUtNTUzQkVBNkNBRkRGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUNBQ0NGNDgtNTkzMi00ODhELTg0NjYtNEZFOUE1MzM2NzE5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDkxMTc0MTY2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\MicrosoftEdge_X64_133.0.3065.59.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff663856a68,0x7ff663856a74,0x7ff663856a803⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F524E6B7-72D5-4A3B-B690-70FB3CCD1C26}\EDGEMITMP_05F7D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff663856a68,0x7ff663856a74,0x7ff663856a804⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff76ed06a68,0x7ff76ed06a74,0x7ff76ed06a804⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff76ed06a68,0x7ff76ed06a74,0x7ff76ed06a804⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff76ed06a68,0x7ff76ed06a74,0x7ff76ed06a804⤵
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.8MB
MD51b3e9c59f9c7a134ec630ada1eb76a39
SHA1a7e831d392e99f3d37847dcc561dd2e017065439
SHA256ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e
-
Filesize
5.2MB
MD55efcc5a752b46638e58dc3201fff0e65
SHA1d09e5d7be2fed790e640fcfede85a290d3d5a0f3
SHA2566b6096e9661a05c5ad765384ae0ed1662f4927f7207e36415ba61ffbfdb39826
SHA512c7b24dc36c07db385420bf9381fdc947048c06aa42012e3263c90fe87dd22de917ac924d5e814b888d814602fabe44dd7b4a575034c63ceb4bcadb54396719b0
-
Filesize
5.3MB
MD573ff0ccd87f331e700f1eef391bd9b7f
SHA1c7e50b9d3df714f8a33dfce2d2a888cade537cd7
SHA25633e533eafbee20ce564b40a40e69e9527b530538cf9b9239c8cf4cd35e87771e
SHA5125a5307cc954b291cf27a4ff7e3c2796f305ac9b3be9db4b4e5816d51be5166a1b34a8a91c063139139f9eeac6b9295d348704007a4031618b90b28478237d474
-
Filesize
4.1MB
MD5fdb4d9154da43438424c9ed0decdc423
SHA1cb7a23aae0690f5888f497388f3524b531f7a623
SHA2560731c69c9099af1761aeaab46cf316419bc42eb7fe35468c5354a0ba25c0ffa7
SHA5128b309f000952433129647020eadc0c0186e717c2c8e9b2c4bd6be0ed5691a183515d2c5da8fa37ebe933e9ce9f05b0ecda334945d4322d89fa1253028f6ed5ae
-
Filesize
5.1MB
MD52c95350a98918da615bd69362a8d11a5
SHA15f5282326f720ab3e51c58b023eedea92befa5e3
SHA25693398ceef493379783693f164114e21f8d42eb500848454593768a15dfe081f9
SHA5124cd51ca70c5a761d39cace2c2adebff62223fe86f124f8ddae4600c23e6cc8cb8baa30fbb3a2785d2b07c1694ced209992491fcfe8aa21c8b8185e3e45113e28
-
Filesize
4.2MB
MD5e84ec057ecc2dd0bd2686d7e04c7bcfa
SHA1c523c72c95b56229723893229d434c4a69f643e8
SHA256e7ba0c292fe832a5d6f49325b1a671efcc7aba6bb53bba6daecdca136e14e4fb
SHA512ea2e227dc8cca1583288e5a5e34025fe2a0961847c8fa93a49b90403e746f18879fe05150d92d5b259943e88b8c6704b2d94511b6adc995a8e8cebdb0846e979
-
Filesize
4.3MB
MD59460d15f9f4f105862f10f8e934c155e
SHA1e5b21b29a0bdfa0d69e1c0f6dc13d9733fdc59c2
SHA25673c468461f26874c3d75f7a76f6be7d7a5e674645d585812c865de95dc47e5d6
SHA51224fca750d5faf234e484ae5d26f9eadf7fd1fedbf6b1ef6cc8ca72f8da751a5231196acb0adf82275a3dce9b40bcea5649b021548a04c0d9242499ce572957b6
-
Filesize
3.9MB
MD5ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51
-
Filesize
74KB
MD520123865436865e3f33bb715ef9b3fb8
SHA1140f72aed051cbc371a7ff16e437d916ef5f35e0
SHA25673d5dc79e7fc50740cb0d769d60657486f1af27b002d3814442626817c5aec17
SHA512baec894f4ef3400805008e97b8c5bb11153d62b70f850b30151ae81368eaf015e604cd12dfc0b35bd6289141d4d6786aca0c7c036f6a43ef98efd3b99cf37d65
-
Filesize
98KB
MD592352e6a5ec72d0b5bbb2dc1764f6249
SHA1164230678fc7c4cf2e569b1265ac0466c6ac64fa
SHA2564db5d62dd5b327bc068fa82cedf386a879279d87934f385ca29c3b06b5c46bb6
SHA512f0ae33d82bb5192a46abefb4a0c5c20f9aafdfe85d7c84d7b9090bca9524331f4111fd01ac4c47557b72392e8841cca03366f1434d1bb20ecb72861028db69aa
-
Filesize
104KB
MD5b9f07353019b7df48020968c92d9f095
SHA153ab14b5a8db0243942ce54a49cb022d173f94fc
SHA2563092e1888c33f0e5f85f2cfa75fae3acb7aa833bf421a9355ac97287f9cd04ab
SHA51204365ebba42593ff165631f0b688e990ced848da218e7779d8f847d27a71efeb4455786e5774df0b562a1d3de40079123f1234c5d638b6af1f2d63ea9731b0fd
-
Filesize
104KB
MD542323dc0ae4e9e95a26c9d3e34892ee9
SHA1387fd747f7cf2dde883a851ac8b498cfdfe2037c
SHA25681aac7cde23f95b00aec6ed523f9adb6cab826d4a2a8eaa8ec9773a1de4c94e5
SHA512fd91ac80c20fd5849ffe459feeeb36b928800c442a9506a847bb5644c60d686a092cdbf3b0c00ef1caa3a014a4e027d37bc7b9f2bf40dffe28bd51f3559ac4f6
-
Filesize
7KB
MD5e70103ede9566bb9127f4e816c7154cd
SHA1e380dd0327fb924b2675074983981f39be7bf83c
SHA2568436e5a9602eaaae69b11aee6de5123a47b76a381ac28832b552f703eaaa600a
SHA512f5dd400d984e67f84be0d55d003f12d89434aa5d7ebdf56785e1c288cd6e8b5bd794b2bd7804b38f7de407f92f737f278330143dcfaea989671622f096c52fa4