Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06-03-2024 01:48
Static task
static1
Behavioral task
behavioral1
Sample
db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe
Resource
win10v2004-20240226-en
General
-
Target
db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe
-
Size
39KB
-
MD5
e877faf412c2cd0d214313b421017795
-
SHA1
4a587671bb3644192f852bc92f0a35e23695489a
-
SHA256
db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a
-
SHA512
14afa42b17cca60abf2f3dc5e534f1e433ccccaafbf3c9833875cf5c978499000a3bd6840bae1a0f4848dc8a35555b9a2c3e64ac57f7e737adb7c17a08a89f28
-
SSDEEP
768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rh95k5AY0IAyMLuJdL3YTCjL6T8:GY9jw/dUT62rGdiUOWWrNmAmiT8
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe -
Executes dropped EXE 1 IoCs
Processes:
szgfw.exepid process 2384 szgfw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exedescription pid process target process PID 4000 wrote to memory of 2384 4000 db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe szgfw.exe PID 4000 wrote to memory of 2384 4000 db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe szgfw.exe PID 4000 wrote to memory of 2384 4000 db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe szgfw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe"C:\Users\Admin\AppData\Local\Temp\db8840ce28ebc2966b3bb34a246951a7e7a92eed0ac28b369e91b4324c5bb72a.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeFilesize
39KB
MD5627cbc6aec6544e845ab93e032d8e94d
SHA10e16bca49346108ecb5ee7889c2cca0780b0081e
SHA256f91628ad34454030f3da17a60adbb0e6dfbad326eadb8afec51ac347bb782af5
SHA512448cac2e9e8cf70a2eea347e4653e107b9552c85d73911e53067639ae67979c75ccbd0b397f0db47082cdd5b3d274dd5ab0360a361be255ea5c5041ed480d6d4
-
memory/2384-10-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4000-0-0x0000000000450000-0x0000000000451000-memory.dmpFilesize
4KB
-
memory/4000-9-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB