Malware Analysis Report

2024-10-19 08:24

Sample ID 210511-21d47nd4w6
Target 5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0
SHA256 5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0
Tags
upatre downloader
score
10/10

Analysis Overview

score
10/10

SHA256

5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0

Threat Level: Known bad

The file 5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 12:01

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 12:01

Reported

2021-05-11 17:00

Platform

win10v20210408

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0.exe

"C:\Users\Admin\AppData\Local\Temp\5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country Destination Domain Proto
N/A 172.217.20.110:80 tcp
N/A 172.217.20.110:80 tcp
N/A 172.217.20.110:80 tcp

Files

memory/624-114-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/3996-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 bce95a0a8c8ff3a96313612786e967a3
SHA1 d934b0fc0bba4b57e5b965957885a3240364b6cb
SHA256 c1935ea478738eb98d5ca14c053a4f5613b5558db35225b4021f4c306dd4a1c0
SHA512 626e29cce74926666e6fe3b940cf63881d4de0eca303c4bb7054cb32435cec71fb229f082af4ef238d06949e3d66d5459870d12d025f029f4bef7a0aecbe7638

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 12:01

Reported

2021-05-11 17:00

Platform

win7v20210408

Max time kernel

150s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0.exe

"C:\Users\Admin\AppData\Local\Temp\5599823438f64c5ef5952cc25533250eea631528cff4cfb4d5bf439cacbff6c0.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/684-60-0x0000000075C71000-0x0000000075C73000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 bce95a0a8c8ff3a96313612786e967a3
SHA1 d934b0fc0bba4b57e5b965957885a3240364b6cb
SHA256 c1935ea478738eb98d5ca14c053a4f5613b5558db35225b4021f4c306dd4a1c0
SHA512 626e29cce74926666e6fe3b940cf63881d4de0eca303c4bb7054cb32435cec71fb229f082af4ef238d06949e3d66d5459870d12d025f029f4bef7a0aecbe7638

memory/1228-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 bce95a0a8c8ff3a96313612786e967a3
SHA1 d934b0fc0bba4b57e5b965957885a3240364b6cb
SHA256 c1935ea478738eb98d5ca14c053a4f5613b5558db35225b4021f4c306dd4a1c0
SHA512 626e29cce74926666e6fe3b940cf63881d4de0eca303c4bb7054cb32435cec71fb229f082af4ef238d06949e3d66d5459870d12d025f029f4bef7a0aecbe7638

memory/684-66-0x0000000000220000-0x0000000000221000-memory.dmp