Malware Analysis Report

2024-10-19 08:24

Sample ID 210511-rdlcwafmp6
Target 92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0
SHA256 92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0
Tags: upatre downloader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0

Threat Level: Known bad

The file 92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-05-11 16:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-05-11 16:54
Reported: 2021-05-12 02:31
Platform: win7v20210410
Max time kernel: 150s
Max time network: 8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0.exe

"C:\Users\Admin\AppData\Local\Temp\92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
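The process tree above (the sample in Temp writing szgfw.exe and then launching it) is what the summary signatures "Executes dropped EXE" and "Loads dropped DLL" key on. The following is an added example, not code from the report or the sandbox vendor, showing how that correlation can be expressed over host telemetry: a single pass over Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate, EventID 7 ImageLoad) that remembers which process wrote which file and fires when a process runs or loads a file that it or its direct parent wrote. Only the two image paths come from the report; the PIDs, the explorer.exe parent, the helper.dll module and the benign control events are constructed for the demo.

```python
"""Added example, not part of the sandbox report: detection logic for the
"Executes dropped EXE" and "Loads dropped DLL" signatures, run over a
constructed stream of Sysmon-style events that mirrors the behavioral1
process tree. Paths of the sample and szgfw.exe are from the report; PIDs,
explorer.exe, helper.dll and the benign control events are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\92bc00adc0456a790ec74295004bc334"
          r"4d4c836ecd29f82f66de01a37218f4d0.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\helper.dll"   # constructed, not in the report

# Constructed event stream (Sysmon field names): 1 = ProcessCreate, 11 = FileCreate, 7 = ImageLoad.
EVENTS: List[dict] = [
    {"EventID": 1, "ProcessId": 540, "ParentProcessId": 312,
     "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 540, "Image": SAMPLE, "TargetFilename": DROPPED_EXE},
    {"EventID": 11, "ProcessId": 540, "Image": SAMPLE, "TargetFilename": DROPPED_DLL},
    {"EventID": 1, "ProcessId": 1244, "ParentProcessId": 540,
     "Image": DROPPED_EXE, "ParentImage": SAMPLE},
    {"EventID": 7, "ProcessId": 1244, "Image": DROPPED_EXE, "ImageLoaded": DROPPED_DLL},
    # Benign control: explorer.exe saves a download, the user later runs it from cmd.exe.
    {"EventID": 11, "ProcessId": 312, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Downloads\setup.exe"},
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 999,
     "Image": r"C:\Users\Admin\Downloads\setup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    related: str   # parent image for the EXE rule, loaded module for the DLL rule


def detect_dropped(events: List[dict]) -> List[Alert]:
    """Single pass in event order, as a stream processor would see it.

    A file is "dropped" for process P when it was written by P or by P's
    direct parent. Keying on (writer PID, path) rather than the path alone
    keeps the rule quiet when an unrelated process runs a file something
    else wrote, which is exactly the benign control above."""
    written: Set[Tuple[int, str]] = set()   # (writer PID, lower-cased path)
    parent_of: Dict[int, int] = {}           # PID -> parent PID
    alerts: List[Alert] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            written.add((ev["ProcessId"], ev["TargetFilename"].lower()))
        elif eid == 1:
            pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
            parent_of[pid] = ppid
            if (ppid, ev["Image"].lower()) in written:
                alerts.append(Alert("Executes dropped EXE", pid, ev["Image"], ev["ParentImage"]))
        elif eid == 7:
            pid, module = ev["ProcessId"], ev["ImageLoaded"].lower()
            writers = {pid, parent_of.get(pid)}
            if any((w, module) in written for w in writers):
                alerts.append(Alert("Loads dropped DLL", pid, ev["Image"], ev["ImageLoaded"]))
    return alerts


if __name__ == "__main__":
    for a in detect_dropped(EVENTS):
        print(f"{a.rule}: pid={a.pid} image={a.image} related={a.related}")
```

Paths are lower-cased before comparison because NTFS is case-insensitive and droppers routinely vary case. In production the `written` set needs an eviction policy (PID reuse and long-running writers such as browsers will otherwise make it grow without bound), and a Temp-to-Temp parent/child chain like the one in this report is worth scoring on its own even when the FileCreate event was missed.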

Network

N/A

Files

memory/540-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

memory/1244-63-0x0000000000000000-mapping.dmp

memory/540-66-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (also recorded as \Users\Admin\AppData\Local\Temp\szgfw.exe; the report lists this single dropped file four times, always with the same digests)

MD5 938cc9d5014f27285f5bcee61bccc3db
SHA1 7b74f83273c793ac89b6a5282dada69cf5ffa612
SHA256 f8f728e280c6685e2b1494bdce83f811dfc5af1bc8e276d2dd1d49945e1655e8
SHA512 fa4b247da41cd9f076c2a112fe705c83219dbc768e10cde77346c78900c0654ea421ae22c90397452b9635797a2994c337e963e7bd8c4a3e9bf93a26f5c1470a

Analysis: behavioral2

Detonation Overview

Submitted: 2021-05-11 16:54
Reported: 2021-05-12 02:31
Platform: win10v20210410
Max time kernel: 150s
Max time network: 114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0.exe

"C:\Users\Admin\AppData\Local\Temp\92bc00adc0456a790ec74295004bc3344d4c836ecd29f82f66de01a37218f4d0.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/2420-114-0x0000000000000000-mapping.dmp

memory/3892-117-0x0000000000530000-0x0000000000531000-memory.dmp

memory/2420-118-0x0000000000410000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe (listed twice in the report with identical digests; the same file dropped in behavioral1)

MD5 938cc9d5014f27285f5bcee61bccc3db
SHA1 7b74f83273c793ac89b6a5282dada69cf5ffa612
SHA256 f8f728e280c6685e2b1494bdce83f811dfc5af1bc8e276d2dd1d49945e1655e8
SHA512 fa4b247da41cd9f076c2a112fe705c83219dbc768e10cde77346c78900c0654ea421ae22c90397452b9635797a2994c337e963e7bd8c4a3e9bf93a26f5c1470a
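The Files sections of both runs give the same dropped-file digests and a handful of memory-dump names. As an added example, not code from the report or the sandbox vendor, the block below turns those into data a responder can act on: it parses the MD5/SHA1/SHA256/SHA512 block into one IOC record, hashes a file's bytes with all four algorithms and matches on every digest the record carries (so a single MD5 collision cannot produce a hit), and decodes the sandbox's `memory/<pid>-<seq>-<start>-<end>-memory.dmp` and `<pid>-<seq>-0x0-mapping.dmp` names into PID, sequence number and region size. The digests are copied from the report; the byte strings hashed in the demo are constructed and are not the real szgfw.exe.

```python
"""Added example, not part of the sandbox report: make the Files section
checkable. Digests below are copied from the report; the bytes hashed in
the demo are constructed and are NOT the real szgfw.exe.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Hash block exactly as the report prints it under the dropped szgfw.exe.
REPORT_HASH_BLOCK = """\
MD5 938cc9d5014f27285f5bcee61bccc3db
SHA1 7b74f83273c793ac89b6a5282dada69cf5ffa612
SHA256 f8f728e280c6685e2b1494bdce83f811dfc5af1bc8e276d2dd1d49945e1655e8
SHA512 fa4b247da41cd9f076c2a112fe705c83219dbc768e10cde77346c78900c0654ea421ae22c90397452b9635797a2994c337e963e7bd8c4a3e9bf93a26f5c1470a
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_hash_block(text: str) -> Dict[str, str]:
    """Return {algorithm: hex digest}; lines with the wrong length or non-hex characters are dropped."""
    iocs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        algo, digest = parts[0].lower(), parts[1].lower()
        if algo in HEX_LEN and re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], digest):
            iocs[algo] = digest
    return iocs


def digest_all(data: bytes) -> Dict[str, str]:
    """All four digests the report uses, for one file's bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def match_file(data: bytes, iocs: Dict[str, str]) -> bool:
    """True when every digest present in the IOC record matches the bytes.
    Requiring all of them, not any, means a colliding MD5 alone cannot produce a hit;
    a record carrying only SHA256 (typical for a feed) still matches on that one."""
    mine = digest_all(data)
    return bool(iocs) and all(mine[a] == d for a, d in iocs.items())


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    seq: int
    start: int
    end: int
    kind: str   # "memory" (dumped address range) or "mapping" (no range in the name)

    @property
    def size(self) -> int:
        return self.end - self.start


_DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-(0x[0-9a-fA-F]+)(?:-(0x[0-9a-fA-F]+)-memory|-mapping)\.dmp$"
)


def parse_dump_name(name: str) -> Optional[DumpRegion]:
    """Decode one memory-dump file name; None if it is not in the sandbox's format."""
    m = _DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    lo = int(start, 16)
    if end is None:
        return DumpRegion(int(pid), int(seq), lo, lo, "mapping")
    return DumpRegion(int(pid), int(seq), lo, int(end, 16), "memory")


if __name__ == "__main__":
    iocs = parse_hash_block(REPORT_HASH_BLOCK)
    print("IOC record:", iocs)
    print("constructed blob matches report IOCs:", match_file(b"not the real dropper", iocs))
    for n in ("memory/2420-118-0x0000000000410000-0x00000000004BE000-memory.dmp",
              "memory/2420-114-0x0000000000000000-mapping.dmp"):
        r = parse_dump_name(n)
        print(n, "-> pid=%d seq=%d kind=%s size=0x%X" % (r.pid, r.seq, r.kind, r.size))
```

Feeding every file under a suspect user's Temp directory through `match_file` with the record from this report is the quickest confirmation that the same dropper landed on a host. The region sizes from `parse_dump_name` (for example 0xAE000 bytes for PID 2420's 0x410000 region in behavioral2) are what you would compare against the dropped file's section sizes before deciding whether a dump is worth carving for a YARA scan.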