upatre | 228c13978462a72c4abe3f3b3159432c761478b855a9175f76e2ac794027340c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 17:25

Target

virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe
Size

4KB
MD5

b07a6671f8bfb6853c6a6ee4d3976d00
SHA1

e1fc693d730c1e3b3772af9c1c16e35a3afa16b7
SHA256

228c13978462a72c4abe3f3b3159432c761478b855a9175f76e2ac794027340c
SHA512

3e70f4432bf9f07c7af68aa9aa9e8231b52ffdae39e440707106b51a9a6f885e8519788afa4a329640e6c03f69bfebeb810fac21844ec7d941e09dbc87a09103
SSDEEP

48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RsNIJN6nA7B8mOo4jUx7OtKGa:Z0v4mUWKh9ctgC1ReIJN6nKymV44Shy/

Score

10^/10

Upatre
Upatre is a generic malware downloader.
downloader upatre
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

3528 szgfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe

pid	process
3528	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe

description	pid	process	target process
PID 4728 wrote to memory of 3528	4728	virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe	szgfw.exe
PID 4728 wrote to memory of 3528	4728	virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe	szgfw.exe
PID 4728 wrote to memory of 3528	4728	virussign.com_b07a6671f8bfb6853c6a6ee4d3976d00.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:3528

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
4KB

MD5
b93ce5fc01cd99239598ab6f5cc8c448

SHA1
9fdc35a3b84623408670fa17b466fd9d33b3ecaf

SHA256
6448cc4b1e09227c44261f8fd7da4300bd1b256f646c3d9e5bed6590d0f8dd50

SHA512
f2915f2fdae27be5bcc374f822bd522902fda90d9cda1e293b88e7ba3f8eeb5b8abb889375c8d0e3cdad7b32c1d01a611d40d269c24b60e692e8addfb1ae9386

Download Submit