Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 12:12
Static task: static1
Behavioral task: behavioral1
- Sample: 8b32579f300e50686f34123cdaba344e.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8b32579f300e50686f34123cdaba344e.exe
- Resource: win10v2004-20231215-en
General
- Target: 8b32579f300e50686f34123cdaba344e.exe
- Size: 12KB
- MD5: 8b32579f300e50686f34123cdaba344e
- SHA1: f52cc319b24dcc82a509f662e2e7c57598c3caad
- SHA256: dd89acf6a917c09c6cadd2a9f6ce1d2b26c8524664da43f95bf7e7db37340ce0
- SHA512: 53073855c5cf2a87ef77a585b416ef8b296a42ca1f5a47afe06297eef78bb8198081a5ce04a906e3a1167186620ba33ecbadead943219d1f4bc817d654e30cf1
- SSDEEP: 384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKkFlplVDuyk:v+dAURFxna4QAPQlYgkFlplVDuyk
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation
    process: 8b32579f300e50686f34123cdaba344e.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 3324
    process: szgfw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (the same entry is recorded three times):
    description: PID 2188 wrote to memory of 3324
    pid: 2188
    process: 8b32579f300e50686f34123cdaba344e.exe
    target process: szgfw.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8b32579f300e50686f34123cdaba344e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8b32579f300e50686f34123cdaba344e.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  Filesize: 12KB
  MD5: 51f6a23070e26239f9653f293f1a6341
  SHA1: fd2aa199d160419386413687c193f7ff96e3a4b9
  SHA256: 933547c8e4ad4cf51b12f2d8c7b955c121698d5b58d872a8e9b758014ef37789
  SHA512: f62e8d68fb68bd25d9d36088721b39abddc985443d87806f7000014b948e70bb5289d4ade4470dbc573f92cb63b3c879d8c7415960f59d45838eec69704270cb