Malware Analysis Report

2024-10-19 08:24

Sample ID 210511-nga6jdcjra
Target dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88
SHA256 dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88
Tags upatre downloader
Score 10/10

Analysis Overview

Score 10/10

SHA256 dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88

Threat Level: Known bad

The file dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-05-11 12:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2021-05-11 12:51
Reported 2021-05-11 18:39
Platform win7v20210410
Max time kernel 151s
Max time network 8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88.exe

"C:\Users\Admin\AppData\Local\Temp\dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/788-60-0x0000000075551000-0x0000000075553000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e65ac4bdd740b1288c96a9b97e551c35
SHA1 b3478e3c012adb81c9784e1c87a6fa4f370d296f
SHA256 5138b058a56169d153144e15ac44e197d4a69151df35706b958d7d1bc1e2a5d5
SHA512 8c8f99962c417cacbe0f29ca8130e0f4c991eddc4e8531884d496543ba040164f63d3c15143a97458909b451a45b86192d8ee4a20e26bae6f6ebe2678b2560e2

memory/1528-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e65ac4bdd740b1288c96a9b97e551c35
SHA1 b3478e3c012adb81c9784e1c87a6fa4f370d296f
SHA256 5138b058a56169d153144e15ac44e197d4a69151df35706b958d7d1bc1e2a5d5
SHA512 8c8f99962c417cacbe0f29ca8130e0f4c991eddc4e8531884d496543ba040164f63d3c15143a97458909b451a45b86192d8ee4a20e26bae6f6ebe2678b2560e2

memory/788-66-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2021-05-11 12:51
Reported 2021-05-11 18:39
Platform win10v20210410
Max time kernel 150s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88.exe

"C:\Users\Admin\AppData\Local\Temp\dab7968169cf3106b7252b1272bc39a0403e1649def56d9c60bbc440c89f9c88.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/4064-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 e65ac4bdd740b1288c96a9b97e551c35
SHA1 b3478e3c012adb81c9784e1c87a6fa4f370d296f
SHA256 5138b058a56169d153144e15ac44e197d4a69151df35706b958d7d1bc1e2a5d5
SHA512 8c8f99962c417cacbe0f29ca8130e0f4c991eddc4e8531884d496543ba040164f63d3c15143a97458909b451a45b86192d8ee4a20e26bae6f6ebe2678b2560e2

memory/1840-117-0x00000000004F0000-0x000000000063A000-memory.dmp

memory/4064-118-0x0000000000640000-0x0000000000641000-memory.dmp