upatre | 5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe
Size

24KB
MD5

5c3ccc1e5a8aad0e53012501e8d31c40
SHA1

a0d474611e9be3ff63105cedc19c5a8ab40551f8
SHA256

5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7
SHA512

67d2e5559ea2c9974043110d596156153fdcded1a2fe30abf173d2168e019a67934f7a21a8d97355d72dc81eb4b4bce601a1d0ade1fff835ce5505f06e636a07
SSDEEP

384:bK+xKfzQ2XFpOQGR9zos2clAKLHRN74u56/R9zZwu9oFQ:W+xAUiXOQ69zbjlAAX5e9zmQ

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

3104 szgfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3104	szgfw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe

description	pid	process	target process
PID 1112 wrote to memory of 3104	1112	5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe	szgfw.exe
PID 1112 wrote to memory of 3104	1112	5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe	szgfw.exe
PID 1112 wrote to memory of 3104	1112	5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f06193c9d9ca44996f5c07514ff51ea3ea20ed618d9026acf395fe3301748a7_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:3104

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
24KB

MD5
648161bded52564c7cce1049fc99abc0

SHA1
0b44eb6d74e36095c6100f2f728594eeed373714

SHA256
8d74a1584454bf9d55e9d0ac902b06ae5bb73371140188304916cee5de9c4657

SHA512
013b64e0c8fa2269b443b413558657d9e9b76a0a509015ea2f1b02f16c2fadf4f0431112b19e9de4748f0a6fb158b4756825d741c153d1260d353f8994d8dea8

Download Submit