Malware Analysis Report

2024-10-23 21:06

Sample ID 210509-tk8va298zs
Target de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111
SHA256 de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111

Threat Level: Known bad

The file de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-09 17:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-09 17:35

Reported

2021-05-09 20:12

Platform

win7v20210410

Max time kernel

151s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe

"C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
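The process tree above is the pattern behind the "Executes dropped EXE" entry in the activity summary: the submitted sample writes szgfw.exe into its own Temp directory and then launches it. The following is an added example, not part of this report and not the sandbox's own signature logic. It correlates file-write and process-create events into that pattern over a constructed trace modelled on behavioral1; the PIDs 336 and 824 are assumed from the memory-dump names (memory/336-… and memory/824-…) rather than stated by the report, and PID 1000 is an invented benign process used as a negative case.

```python
"""Flag "Executes dropped EXE": a process launched from a file that the
launcher (or one of its ancestors) wrote earlier in the trace.

Added example, not part of the sandbox report. EVENTS is a constructed
trace modelled on the behavioral1 process tree."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

SAMPLE = "de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class Event:
    seq: int           # position in the trace; events are correlated in this order
    kind: str          # "proc_create" or "file_write"
    pid: int           # writer PID, or parent PID for proc_create
    path: str          # file written, or image path of the new process
    new_pid: int = 0   # PID of the child for proc_create events


# Constructed trace (not sandbox telemetry). PIDs 336 and 824 are assumed
# from the memory-dump names in the report; PID 1000 is invented.
EVENTS = [
    Event(1, "proc_create", 0, f"{TEMP}\\{SAMPLE}", new_pid=336),
    Event(2, "file_write", 336, f"{TEMP}\\szgfw.exe"),
    Event(3, "proc_create", 336, f"{TEMP}\\szgfw.exe", new_pid=824),
    Event(4, "file_write", 1000, r"C:\Users\Admin\Documents\notes.txt"),  # never run
]


def norm(path: str) -> str:
    """Canonical form for comparing Windows paths (case-insensitive)."""
    return path.replace("/", "\\").lower()


def is_ancestor(candidate: int, pid: int, parent_of: dict[int, int]) -> bool:
    """True if candidate is pid itself or somewhere up its parent chain."""
    seen: set[int] = set()
    while pid and pid not in seen:      # pid 0 is the root; guard against cycles
        if pid == candidate:
            return True
        seen.add(pid)
        pid = parent_of.get(pid, 0)
    return False


def find_dropped_exe_exec(events: Iterable[Event]) -> list[dict]:
    """One hit per process whose image was written, before the launch, by the
    launching process or one of its ancestors."""
    writers: dict[str, list[tuple[int, int]]] = {}   # path -> [(seq, writer pid)]
    parent_of: dict[int, int] = {}
    hits: list[dict] = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "file_write":
            writers.setdefault(norm(ev.path), []).append((ev.seq, ev.pid))
        elif ev.kind == "proc_create":
            parent_of[ev.new_pid] = ev.pid
            for seq, writer in writers.get(norm(ev.path), []):
                if seq < ev.seq and is_ancestor(writer, ev.pid, parent_of):
                    hits.append({"child_pid": ev.new_pid, "parent_pid": ev.pid,
                                 "writer_pid": writer, "image": ev.path})
                    break
    return hits


if __name__ == "__main__":
    for h in find_dropped_exe_exec(EVENTS):
        print(f"dropped-EXE execution: pid {h['child_pid']} <- {h['image']} "
              f"(written by pid {h['writer_pid']})")
```

The ancestry walk matters in practice: droppers often stage through an intermediate process, so the writer and the launcher are not always the same PID. Paths are compared case-insensitively with separators normalised, since the file-write and process-create sources rarely agree on casing.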

Network

Country  Destination        Domain  Proto
N/A      172.217.20.110:80  -       tcp
N/A      172.217.20.110:80  -       tcp
N/A      172.217.20.110:80  -       tcp

Files

memory/336-60-0x0000000075551000-0x0000000075553000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 40d97b7919332709a9fb45ebabb338ec
SHA1 272df6a891dede1875570fa94125050959dd5bbe
SHA256 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9
SHA512 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32

memory/824-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 40d97b7919332709a9fb45ebabb338ec
SHA1 272df6a891dede1875570fa94125050959dd5bbe
SHA256 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9
SHA512 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32

memory/336-66-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 40d97b7919332709a9fb45ebabb338ec
SHA1 272df6a891dede1875570fa94125050959dd5bbe
SHA256 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9
SHA512 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32
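The Files section repeats the szgfw.exe digests several times and interleaves them with memory-dump entries, so the hashes have to be pulled out and de-duplicated before they are usable as IOCs. The script below is an added example, not part of the report: it extracts the MD5/SHA1/SHA256/SHA512 lines from report text of this shape, rejects digests of the wrong length for their algorithm, de-duplicates them, and checks a byte string or a file on disk against the resulting set with hashlib. REPORT_TEXT is a constructed excerpt that reuses the report's own digests (the sample's SHA256 and the szgfw.exe block, repeated as the report repeats it) plus one deliberately truncated MD5 line added to exercise the length check.

```python
"""Extract, validate and de-duplicate file-hash IOCs from a text report,
then check data against them.

Added example, not part of the sandbox report. REPORT_TEXT is a constructed
excerpt that reuses the report's digests; the last MD5 line is truncated on
purpose to show the length check rejecting it."""
from __future__ import annotations
import hashlib
import re
from pathlib import Path

# Hex length of each digest (bits / 4); anything else is mangled or truncated.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)\s*$", re.M)

REPORT_TEXT = """\
SHA256 de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111

C:\\Users\\Admin\\AppData\\Local\\Temp\\szgfw.exe

MD5 40d97b7919332709a9fb45ebabb338ec
SHA1 272df6a891dede1875570fa94125050959dd5bbe
SHA256 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9
SHA512 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32

C:\\Users\\Admin\\AppData\\Local\\Temp\\szgfw.exe

MD5 40d97b7919332709a9fb45ebabb338ec
SHA1 272df6a891dede1875570fa94125050959dd5bbe
SHA256 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9
SHA512 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32

MD5 40d97b7919332709
"""


def extract_hashes(text: str) -> dict[str, set[str]]:
    """Collect {algorithm: {digest, ...}}, lower-cased and de-duplicated,
    skipping digests whose length does not fit the algorithm."""
    found: dict[str, set[str]] = {algo: set() for algo in DIGEST_LEN}
    for algo, digest in HASH_RE.findall(text):
        algo = algo.lower()
        if len(digest) != DIGEST_LEN[algo]:
            continue   # do not ship a mangled or truncated digest as an IOC
        found[algo].add(digest.lower())
    return found


def hash_bytes(data: bytes) -> dict[str, str]:
    """All four digests of data, keyed like DIGEST_LEN."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def match_bytes(data: bytes, iocs: dict[str, set[str]]) -> list[str]:
    """Algorithms under which data equals a known-bad digest (empty = no match)."""
    digests = hash_bytes(data)
    return [algo for algo in DIGEST_LEN if digests[algo] in iocs.get(algo, set())]


def match_file(path: Path, iocs: dict[str, set[str]]) -> list[str]:
    """Same check for a file on disk; read in one go, fine for a dropper this size."""
    return match_bytes(path.read_bytes(), iocs)


if __name__ == "__main__":
    iocs = extract_hashes(REPORT_TEXT)
    for algo, digests in iocs.items():
        print(f"{algo}: {len(digests)} unique")
    # A byte string that is obviously not the sample: expect no match.
    print("match:", match_bytes(b"MZ this is not the dropper", iocs) or "none")
```

Matching on several algorithms at once is deliberate: a feed that only carries MD5 or SHA1 is still usable, and a hit on SHA256 or SHA512 is the one to trust when the weaker digests disagree.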

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-09 17:35

Reported

2021-05-09 20:12

Platform

win10v20210410

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe

"C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/3892-114-0x0000000000470000-0x000000000051E000-memory.dmp

memory/2312-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 40d97b7919332709a9fb45ebabb338ec
SHA1 272df6a891dede1875570fa94125050959dd5bbe
SHA256 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9
SHA512 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32

memory/2312-118-0x0000000000460000-0x0000000000461000-memory.dmp