Malware Analysis Report

2024-10-23 21:06

Sample ID: 210511-53khnwqvxe
Target: 74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2
SHA256: 74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2
Tags: upatre downloader
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2

Threat Level: Known bad

The file 74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 08:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 08:41

Reported

2021-05-11 09:00

Platform

win7v20210410

Max time kernel

149s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2.exe

"C:\Users\Admin\AppData\Local\Temp\74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/772-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 45e702764d8459014be6a1d11de7057a
SHA1 f051c827b86142c6e5a54dfd57c048fe21014cf9
SHA256 0e2ed5d64e858bef3d6fd1b0db9007926c4643b982d7e0e0d40e42b75a5fdad4
SHA512 9f835e210c6c32b8e75a9447ee11a4a52b98f2fb9d04077cb5dab310633c68b675e809ce543177c9f640d4340efb9239c0d1c55ee34232ac9963a976656ba2a3

memory/1364-62-0x0000000000000000-mapping.dmp

memory/772-65-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 08:41

Reported

2021-05-11 09:00

Platform

win10v20210410

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2.exe

"C:\Users\Admin\AppData\Local\Temp\74d10374ea056310fb79a7409a289a4d088ca34303205d604b4c79b126765cf2.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/4444-114-0x0000000000500000-0x000000000064A000-memory.dmp

memory/4028-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 45e702764d8459014be6a1d11de7057a
SHA1 f051c827b86142c6e5a54dfd57c048fe21014cf9
SHA256 0e2ed5d64e858bef3d6fd1b0db9007926c4643b982d7e0e0d40e42b75a5fdad4
SHA512 9f835e210c6c32b8e75a9447ee11a4a52b98f2fb9d04077cb5dab310633c68b675e809ce543177c9f640d4340efb9239c0d1c55ee34232ac9963a976656ba2a3

memory/4028-118-0x00000000009D0000-0x00000000009D1000-memory.dmp