Malware Analysis Report

2024-10-19 08:24

Sample ID 210511-j2clr2ee4j
Target 626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4
SHA256 626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4

Threat Level: Known bad

The file 626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 14:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 14:22

Reported

2021-05-11 21:33

Platform

win7v20210410

Max time kernel

151s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe

"C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country  Destination      Domain  Proto
N/A      10.7.0.30:53869  -       udp

Files

memory/1208-59-0x0000000075561000-0x0000000075563000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f227460c96a8fcffef6b1aa2fc6ddb7e
SHA1 d28e4ba4a685de5e85415fe1d919fede6f870a79
SHA256 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e
SHA512 e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f227460c96a8fcffef6b1aa2fc6ddb7e
SHA1 d28e4ba4a685de5e85415fe1d919fede6f870a79
SHA256 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e
SHA512 e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395

memory/1368-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f227460c96a8fcffef6b1aa2fc6ddb7e
SHA1 d28e4ba4a685de5e85415fe1d919fede6f870a79
SHA256 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e
SHA512 e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395

memory/1208-65-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f227460c96a8fcffef6b1aa2fc6ddb7e
SHA1 d28e4ba4a685de5e85415fe1d919fede6f870a79
SHA256 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e
SHA512 e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 14:22

Reported

2021-05-11 21:34

Platform

win10v20210408

Max time kernel

150s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe

"C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/784-114-0x0000000000500000-0x000000000064A000-memory.dmp

memory/1904-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f227460c96a8fcffef6b1aa2fc6ddb7e
SHA1 d28e4ba4a685de5e85415fe1d919fede6f870a79
SHA256 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e
SHA512 e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 f227460c96a8fcffef6b1aa2fc6ddb7e
SHA1 d28e4ba4a685de5e85415fe1d919fede6f870a79
SHA256 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e
SHA512 e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395

memory/1904-118-0x0000000000530000-0x0000000000531000-memory.dmp
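Both detonations drop the same szgfw.exe (identical MD5, SHA-1, SHA-256 and SHA-512 on Windows 7 and Windows 10), so the hashes in the two Files sections are usable as host-hunting indicators. The script below is an added example for this page, not a tool from the sandbox vendor: it hashes every .exe and .dll under a directory in a single pass and reports any file whose digest appears in the indicator set. The indicator values are copied from this report; the directory tree and the placeholder szgfw.exe the demo creates are constructed (the placeholder is not the malware, so it cannot match the report's hashes; the demo adds the placeholder's own SHA-256 to a copy of the indicator set to show what a hit looks like).

```python
"""Hash-based hunt for the artifacts listed in this report.

Added example, not part of the sandbox report. IOC values are copied from
the report; the files built by demo() are constructed placeholders.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators lifted from the report: the submitted sample and dropped szgfw.exe.
IOC_HASHES = {
    "sha256": {
        "626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4",
        "3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e",
    },
    "sha1": {"d28e4ba4a685de5e85415fe1d919fede6f870a79"},
    "md5": {"f227460c96a8fcffef6b1aa2fc6ddb7e"},
}


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Stream the file once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_directory(root, iocs, suffixes=(".exe", ".dll")):
    """Return [(path, algorithm, digest)] for files matching any indicator.

    All algorithms are computed in one read so an indicator that is only
    published as MD5 or SHA-1 still matches; one hit per file is reported.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = Path(dirpath) / name
            for algo, digest in hash_file(path).items():
                if digest in iocs.get(algo, ()):
                    hits.append((str(path), algo, digest))
                    break
    return hits


def demo():
    """Build a throwaway Temp-like tree and scan it; returns (hits_before, hits_after).

    The placeholder szgfw.exe is constructed and is not the real dropper, so
    the report's indicators yield no hit. Adding the placeholder's own SHA-256
    to a copy of the indicator set then produces exactly one hit.
    """
    with tempfile.TemporaryDirectory() as tmp:
        temp_dir = Path(tmp) / "Users" / "Admin" / "AppData" / "Local" / "Temp"
        temp_dir.mkdir(parents=True)
        placeholder = temp_dir / "szgfw.exe"
        placeholder.write_bytes(b"MZ placeholder constructed for the demo\n")
        (temp_dir / "notes.txt").write_bytes(b"skipped: not an exe or dll\n")

        before = scan_directory(tmp, IOC_HASHES)
        iocs_plus = {algo: set(values) for algo, values in IOC_HASHES.items()}
        iocs_plus["sha256"].add(hash_file(placeholder)["sha256"])
        after = scan_directory(tmp, iocs_plus)
        return len(before), len(after)


if __name__ == "__main__":
    print("hits (report IOCs, placeholder file): %d; hits after adding placeholder hash: %d" % demo())
```

Point the scan at each user's AppData\Local\Temp on a suspect host (the path the sandbox shows the dropper using). Hash matching only catches this exact build of szgfw.exe; a repacked Upatre sample would need the behavioural check instead.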