Malware Analysis Report

2024-10-23 21:06

Sample ID: 210509-c7kr9mc5fn
Target: df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2
SHA256: df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2
Tags: upatre downloader
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2

Threat Level: Known bad

The file df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2021-05-09 15:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-09 15:22

Reported

2021-05-09 16:21

Platform

win7v20210410

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe

"C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1268-60-0x0000000075591000-0x0000000075593000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 62cf9fe09f64c66ae8bec043bf007036
SHA1 8f21beaf55dcd05716db7299a75b2726e6ccc4c5
SHA256 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033
SHA512 f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)

memory/1500-63-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)

memory/1268-66-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-09 15:22

Reported

2021-05-09 16:21

Platform

win10v20210410

Max time kernel

150s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe

"C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/3928-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 62cf9fe09f64c66ae8bec043bf007036
SHA1 8f21beaf55dcd05716db7299a75b2726e6ccc4c5
SHA256 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033
SHA512 f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (same hashes as above)

memory/3952-117-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/3928-118-0x0000000000410000-0x000000000055A000-memory.dmp