upatre | 0542244596994f40640ba1661a7d92690d2bdd9ab0294c3b468bd20652973055

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe
Size

79KB
MD5

c82d87867aa1f99cb4d750ac143a4792
SHA1

4032febddd1b27b54e735215624214e92160bd64
SHA256

0542244596994f40640ba1661a7d92690d2bdd9ab0294c3b468bd20652973055
SHA512

01709cfe3d94e18e51a4c7a62421566f6667c535c60062db625782818b09a70aea5eff862703a50cb4bfd9a9c1d21ada3c2f67d5c86e248e76a8fdd7617f829f
SSDEEP

1536:gQKoJqVDN9kX77n7XCW3+Pmm3OedeNIFTldug9gMh:FKnt83n7SiYOedeNIJZZh

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Upatre family
upatre

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	_dropped.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	_dropped.exe
2188	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_dropped.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szgfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2328	2876	2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe	87
PID 2876 wrote to memory of 2328	2876	2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe	87
PID 2876 wrote to memory of 2328	2876	2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe	87
PID 2328 wrote to memory of 2188	2328	_dropped.exe	92
PID 2328 wrote to memory of 2188	2328	_dropped.exe	92
PID 2328 wrote to memory of 2188	2328	_dropped.exe	92

C:\Users\Admin\AppData\Local\Temp\2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-08_c82d87867aa1f99cb4d750ac143a4792_amadey_karagany_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\_dropped.exe
  "C:\Users\Admin\AppData\Local\Temp\_dropped.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2188

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_dropped.exe

Filesize
38KB

MD5
bba812f0463fdeed7c99f3687b9ac25f

SHA1
bab03e7f294b1178fa24aa5e1c329129683d25bb

SHA256
9bd6489834d28a0756213fcab1ceb51722d89cc50264cbab7a2becf4f7fd171d

SHA512
c99643725a15030d88e0bab15d3439549a90f84d174aaa4da3592067aefbf7a889f6f3126c9add218f5cd07281314fc05fcf168f287ccceeda085790e4f9bc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
38KB

MD5
44c8f4b2071be4a8be02c0f931ed4305

SHA1
026e3455482d7ed1cd6e94bf7e95e202b913bab8

SHA256
ece5c10b8a9610c06ec07446d53c15f60897a15ad91076eb1e2cdea720666813

SHA512
0c9fe2782b6b98c66dcb65049cdc535ce6acae0df2f07cda6af91be5ebfdbb92027ec9eb478e8b59872c00eb33db56d6560ccf875b6401e55c641b8eee51158d

Download Submit
memory/2188-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2328-8-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2328-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download