Malware Analysis Report

2024-10-19 08:24

Sample ID 210511-fnn62yd4wj
Target b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971
SHA256 b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971

Threat Level: Known bad

The file b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 14:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 14:58

Reported

2021-05-11 22:52

Platform

win7v20210410

Max time kernel

151s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe

"C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country Destination Domain Proto
N/A 172.217.20.110:80 tcp
N/A 172.217.20.110:80 tcp

Files

memory/1748-59-0x00000000757E1000-0x00000000757E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e77bfe02b547e5d53cc2bb790e0ccf2b
SHA1 6365447d7cb9fa1613a7ed225633cfc87f06688e
SHA256 af62afff72bdec462ca23e5247b584a1a2e9ab2008614c629011e0ada39fa837
SHA512 1f4a6f14b4c6ff929eae84b8d479665f29a335abde18e7fe0335a0afdee58608a741efbec754b9d92a3c63eb7854f4abfe27ef2b85428e92f92ee8d8a9ac6d30

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e77bfe02b547e5d53cc2bb790e0ccf2b
SHA1 6365447d7cb9fa1613a7ed225633cfc87f06688e
SHA256 af62afff72bdec462ca23e5247b584a1a2e9ab2008614c629011e0ada39fa837
SHA512 1f4a6f14b4c6ff929eae84b8d479665f29a335abde18e7fe0335a0afdee58608a741efbec754b9d92a3c63eb7854f4abfe27ef2b85428e92f92ee8d8a9ac6d30

memory/1296-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e77bfe02b547e5d53cc2bb790e0ccf2b
SHA1 6365447d7cb9fa1613a7ed225633cfc87f06688e
SHA256 af62afff72bdec462ca23e5247b584a1a2e9ab2008614c629011e0ada39fa837
SHA512 1f4a6f14b4c6ff929eae84b8d479665f29a335abde18e7fe0335a0afdee58608a741efbec754b9d92a3c63eb7854f4abfe27ef2b85428e92f92ee8d8a9ac6d30

memory/1748-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e77bfe02b547e5d53cc2bb790e0ccf2b
SHA1 6365447d7cb9fa1613a7ed225633cfc87f06688e
SHA256 af62afff72bdec462ca23e5247b584a1a2e9ab2008614c629011e0ada39fa837
SHA512 1f4a6f14b4c6ff929eae84b8d479665f29a335abde18e7fe0335a0afdee58608a741efbec754b9d92a3c63eb7854f4abfe27ef2b85428e92f92ee8d8a9ac6d30

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 14:58

Reported

2021-05-11 22:52

Platform

win10v20210408

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe

"C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/904-114-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2960-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e77bfe02b547e5d53cc2bb790e0ccf2b
SHA1 6365447d7cb9fa1613a7ed225633cfc87f06688e
SHA256 af62afff72bdec462ca23e5247b584a1a2e9ab2008614c629011e0ada39fa837
SHA512 1f4a6f14b4c6ff929eae84b8d479665f29a335abde18e7fe0335a0afdee58608a741efbec754b9d92a3c63eb7854f4abfe27ef2b85428e92f92ee8d8a9ac6d30

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e77bfe02b547e5d53cc2bb790e0ccf2b
SHA1 6365447d7cb9fa1613a7ed225633cfc87f06688e
SHA256 af62afff72bdec462ca23e5247b584a1a2e9ab2008614c629011e0ada39fa837
SHA512 1f4a6f14b4c6ff929eae84b8d479665f29a335abde18e7fe0335a0afdee58608a741efbec754b9d92a3c63eb7854f4abfe27ef2b85428e92f92ee8d8a9ac6d30