upatre | c8a993f54c27f966d9fd80a5389986fd1656ddfcafa49b719b9c85cfcd61d0dc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 08:23

Target

51a7e4293812242447db937b86c17320_JaffaCakes118.exe
Size

13KB
MD5

51a7e4293812242447db937b86c17320
SHA1

22cf4cccb8462fa0471f2f07c11ef762034d2afc
SHA256

c8a993f54c27f966d9fd80a5389986fd1656ddfcafa49b719b9c85cfcd61d0dc
SHA512

502e1fd745486f1e7062e5e73f6366748795959a173949ef0d876925ddca3cf3df5afa4e0856a15be1d80bb1db0bf2c3c1cde3d6a9a0d5f75024f27cf4c5b0de
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKkFlplVDuyUylyylylylyylPhw:v+dAURFxna4QAPQlYgkFlplVDuyUylyB

Score

10^/10

Upatre
Upatre is a generic malware downloader.
downloader upatre
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

51a7e4293812242447db937b86c17320_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation 51a7e4293812242447db937b86c17320_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

1604 szgfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	51a7e4293812242447db937b86c17320_JaffaCakes118.exe

pid	process
1604	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

51a7e4293812242447db937b86c17320_JaffaCakes118.exe

description	pid	process	target process
PID 4364 wrote to memory of 1604	4364	51a7e4293812242447db937b86c17320_JaffaCakes118.exe	szgfw.exe
PID 4364 wrote to memory of 1604	4364	51a7e4293812242447db937b86c17320_JaffaCakes118.exe	szgfw.exe
PID 4364 wrote to memory of 1604	4364	51a7e4293812242447db937b86c17320_JaffaCakes118.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:1604

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
13KB

MD5
87f84d8ae282e3ea828eee3533c406b6

SHA1
52251a76afee9f4632b333acdef06c9c271af7bc

SHA256
42bcced795b4d16415b8a41ebfb615e8546c1dbffe1ade45edbd657c64000d4e

SHA512
12e410dd083524382572f2c1ce31b84aee8a0219e9bab86babe0595e0dc5243af2c800fc14d8d6cc3580d2a024960bd37b2fd193af5f102ca3edb681f1fe440f

Download Submit