Malware Analysis Report

2024-10-23 21:06

Sample ID 210509-8sd4dh8c2e
Target 7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89
SHA256 7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89
Tags upatre downloader
Score 10/10

Analysis Overview

Score 10/10

SHA256

7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89

Threat Level: Known bad

The file 7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-05-09 23:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2021-05-09 23:11

Reported 2021-05-10 07:00

Platform win7v20210410

Max time kernel 149s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89.exe

"C:\Users\Admin\AppData\Local\Temp\7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1096-59-0x0000000075281000-0x0000000075283000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 85d89dde2d2e59c65bd419a9330dff8e
SHA1 0141fa73fbf71fce6a7ed675c3f1aad421978f24
SHA256 f1e55cbe17c557f50faabd0090d286d653a004ea9c5349c28f460574824588f2
SHA512 9bb2c8efbc54bae56d27b0943fbed25bb1824d35e9e1d9d4434c07a8da7f03722c0e3e13d7775f496264b3098f9a2f425bf4dc0f8e9c8488513364720e5392e1

memory/1480-62-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)

memory/1096-65-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)

Analysis: behavioral2

Detonation Overview

Submitted 2021-05-09 23:11

Reported 2021-05-10 07:00

Platform win10v20210410

Max time kernel 149s

Max time network 113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89.exe

"C:\Users\Admin\AppData\Local\Temp\7af8a8060742a396ed2c5387024fa4c662dcb58062c230de7bd1d10780c2eb89.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/4044-114-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/3088-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 85d89dde2d2e59c65bd419a9330dff8e
SHA1 0141fa73fbf71fce6a7ed675c3f1aad421978f24
SHA256 f1e55cbe17c557f50faabd0090d286d653a004ea9c5349c28f460574824588f2
SHA512 9bb2c8efbc54bae56d27b0943fbed25bb1824d35e9e1d9d4434c07a8da7f03722c0e3e13d7775f496264b3098f9a2f425bf4dc0f8e9c8488513364720e5392e1

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)