Malware Analysis Report

2024-10-23 21:06

Sample ID 210509-xdn79mj92a
Target 5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7
SHA256 5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7
Tags: upatre downloader
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7

Threat Level: Known bad

The file 5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-09 18:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-09 18:53

Reported

2021-05-09 22:32

Platform

win7v20210410

Max time kernel

150s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe

"C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 42c33b4e2cf48c5156f71f61d866e6c1
SHA1 473d9b1e7dd6563c7902f24f1c43c5b13bebe7e4
SHA256 ed7fee3500f6d467ce1cbe0c78fcf652ff94780e4c7d1d42e02e7c285c8db9ad
SHA512 9fbe51d8901a2c1cd1d5cf8a2d42c961acf5fb956fdae7ae855625a57c63ee814c44fda32dd07097df2e3e1e91be206f54a5cf177b37bf5e71515eec186105fe

memory/1816-63-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 42c33b4e2cf48c5156f71f61d866e6c1
SHA1 473d9b1e7dd6563c7902f24f1c43c5b13bebe7e4
SHA256 ed7fee3500f6d467ce1cbe0c78fcf652ff94780e4c7d1d42e02e7c285c8db9ad
SHA512 9fbe51d8901a2c1cd1d5cf8a2d42c961acf5fb956fdae7ae855625a57c63ee814c44fda32dd07097df2e3e1e91be206f54a5cf177b37bf5e71515eec186105fe

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 42c33b4e2cf48c5156f71f61d866e6c1
SHA1 473d9b1e7dd6563c7902f24f1c43c5b13bebe7e4
SHA256 ed7fee3500f6d467ce1cbe0c78fcf652ff94780e4c7d1d42e02e7c285c8db9ad
SHA512 9fbe51d8901a2c1cd1d5cf8a2d42c961acf5fb956fdae7ae855625a57c63ee814c44fda32dd07097df2e3e1e91be206f54a5cf177b37bf5e71515eec186105fe

memory/2040-66-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 42c33b4e2cf48c5156f71f61d866e6c1
SHA1 473d9b1e7dd6563c7902f24f1c43c5b13bebe7e4
SHA256 ed7fee3500f6d467ce1cbe0c78fcf652ff94780e4c7d1d42e02e7c285c8db9ad
SHA512 9fbe51d8901a2c1cd1d5cf8a2d42c961acf5fb956fdae7ae855625a57c63ee814c44fda32dd07097df2e3e1e91be206f54a5cf177b37bf5e71515eec186105fe

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-09 18:53

Reported

2021-05-09 22:32

Platform

win10v20210410

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe

"C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country  Destination         Domain  Proto
N/A      172.217.20.110:80   -       tcp
N/A      172.217.20.110:80   -       tcp
N/A      172.217.20.110:80   -       tcp

Files

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 42c33b4e2cf48c5156f71f61d866e6c1
SHA1 473d9b1e7dd6563c7902f24f1c43c5b13bebe7e4
SHA256 ed7fee3500f6d467ce1cbe0c78fcf652ff94780e4c7d1d42e02e7c285c8db9ad
SHA512 9fbe51d8901a2c1cd1d5cf8a2d42c961acf5fb956fdae7ae855625a57c63ee814c44fda32dd07097df2e3e1e91be206f54a5cf177b37bf5e71515eec186105fe

memory/744-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 42c33b4e2cf48c5156f71f61d866e6c1
SHA1 473d9b1e7dd6563c7902f24f1c43c5b13bebe7e4
SHA256 ed7fee3500f6d467ce1cbe0c78fcf652ff94780e4c7d1d42e02e7c285c8db9ad
SHA512 9fbe51d8901a2c1cd1d5cf8a2d42c961acf5fb956fdae7ae855625a57c63ee814c44fda32dd07097df2e3e1e91be206f54a5cf177b37bf5e71515eec186105fe

memory/3172-117-0x0000000000410000-0x000000000055A000-memory.dmp

memory/744-118-0x0000000000530000-0x0000000000531000-memory.dmp