Malware Analysis Report

2024-10-19 08:24

Sample ID 210511-ev4b9jbjre
Target 2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009
SHA256 2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009

Threat Level: Known bad

The file 2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 10:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 10:52

Reported

2021-05-11 14:47

Platform

win7v20210410

Max time kernel

151s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009.exe

"C:\Users\Admin\AppData\Local\Temp\2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1640-60-0x0000000075631000-0x0000000075633000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f51faf453f58febbae7686a6a8061642
SHA1 eaecc2a99f67e5ccac49e198fdc3b37d1a0d38b3
SHA256 e2e8221d103882873779f4144dad98ff71668495e3611f40e1a180248d11cec9
SHA512 f87a156dd7a7c617820ab10bd0f984451863f9fd8bca68d877f4abbbeb6cc6e8f9799fb87343595c2e61379dd2058ffdd42f92b3496796bc325aaf5120dba869

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f51faf453f58febbae7686a6a8061642
SHA1 eaecc2a99f67e5ccac49e198fdc3b37d1a0d38b3
SHA256 e2e8221d103882873779f4144dad98ff71668495e3611f40e1a180248d11cec9
SHA512 f87a156dd7a7c617820ab10bd0f984451863f9fd8bca68d877f4abbbeb6cc6e8f9799fb87343595c2e61379dd2058ffdd42f92b3496796bc325aaf5120dba869

memory/872-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f51faf453f58febbae7686a6a8061642
SHA1 eaecc2a99f67e5ccac49e198fdc3b37d1a0d38b3
SHA256 e2e8221d103882873779f4144dad98ff71668495e3611f40e1a180248d11cec9
SHA512 f87a156dd7a7c617820ab10bd0f984451863f9fd8bca68d877f4abbbeb6cc6e8f9799fb87343595c2e61379dd2058ffdd42f92b3496796bc325aaf5120dba869

memory/1640-66-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f51faf453f58febbae7686a6a8061642
SHA1 eaecc2a99f67e5ccac49e198fdc3b37d1a0d38b3
SHA256 e2e8221d103882873779f4144dad98ff71668495e3611f40e1a180248d11cec9
SHA512 f87a156dd7a7c617820ab10bd0f984451863f9fd8bca68d877f4abbbeb6cc6e8f9799fb87343595c2e61379dd2058ffdd42f92b3496796bc325aaf5120dba869

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 10:52

Reported

2021-05-11 14:47

Platform

win10v20210408

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009.exe

"C:\Users\Admin\AppData\Local\Temp\2f7105ec213816d9dec74453fbd68500116c3cded88cb0484eea4a4fa5dce009.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country Destination Domain Proto
N/A 172.217.20.110:80 tcp
N/A 172.217.20.110:80 tcp

Files

memory/860-114-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/208-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f51faf453f58febbae7686a6a8061642
SHA1 eaecc2a99f67e5ccac49e198fdc3b37d1a0d38b3
SHA256 e2e8221d103882873779f4144dad98ff71668495e3611f40e1a180248d11cec9
SHA512 f87a156dd7a7c617820ab10bd0f984451863f9fd8bca68d877f4abbbeb6cc6e8f9799fb87343595c2e61379dd2058ffdd42f92b3496796bc325aaf5120dba869

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f51faf453f58febbae7686a6a8061642
SHA1 eaecc2a99f67e5ccac49e198fdc3b37d1a0d38b3
SHA256 e2e8221d103882873779f4144dad98ff71668495e3611f40e1a180248d11cec9
SHA512 f87a156dd7a7c617820ab10bd0f984451863f9fd8bca68d877f4abbbeb6cc6e8f9799fb87343595c2e61379dd2058ffdd42f92b3496796bc325aaf5120dba869