upatre | dd89acf6a917c09c6cadd2a9f6ce1d2b26c8524664da43f95bf7e7db37340ce0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 12:12

Target

8b32579f300e50686f34123cdaba344e.exe
Size

12KB
MD5

8b32579f300e50686f34123cdaba344e
SHA1

f52cc319b24dcc82a509f662e2e7c57598c3caad
SHA256

dd89acf6a917c09c6cadd2a9f6ce1d2b26c8524664da43f95bf7e7db37340ce0
SHA512

53073855c5cf2a87ef77a585b416ef8b296a42ca1f5a47afe06297eef78bb8198081a5ce04a906e3a1167186620ba33ecbadead943219d1f4bc817d654e30cf1
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKkFlplVDuyk:v+dAURFxna4QAPQlYgkFlplVDuyk

Score

10^/10

Upatre
Upatre is a generic malware downloader.
downloader upatre
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

8b32579f300e50686f34123cdaba344e.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation 8b32579f300e50686f34123cdaba344e.exe
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

3324 szgfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	8b32579f300e50686f34123cdaba344e.exe

pid	process
3324	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8b32579f300e50686f34123cdaba344e.exe

description	pid	process	target process
PID 2188 wrote to memory of 3324	2188	8b32579f300e50686f34123cdaba344e.exe	szgfw.exe
PID 2188 wrote to memory of 3324	2188	8b32579f300e50686f34123cdaba344e.exe	szgfw.exe
PID 2188 wrote to memory of 3324	2188	8b32579f300e50686f34123cdaba344e.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:3324

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
12KB

MD5
51f6a23070e26239f9653f293f1a6341

SHA1
fd2aa199d160419386413687c193f7ff96e3a4b9

SHA256
933547c8e4ad4cf51b12f2d8c7b955c121698d5b58d872a8e9b758014ef37789

SHA512
f62e8d68fb68bd25d9d36088721b39abddc985443d87806f7000014b948e70bb5289d4ade4470dbc573f92cb63b3c879d8c7415960f59d45838eec69704270cb

Download Submit