Malware Analysis Report

2024-10-23 21:06

Sample ID 210511-x1rk2y9sfs
Target d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4
SHA256 d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4

Threat Level: Known bad

The file d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 09:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 09:15

Reported

2021-05-11 10:01

Platform

win7v20210408

Max time kernel

154s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4.exe

"C:\Users\Admin\AppData\Local\Temp\d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/880-60-0x0000000075801000-0x0000000075803000-memory.dmp

memory/880-61-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 de84d360452c17f7a4945151033c54e5
SHA1 23b58d48fb331f27ae3b74beb7c2284d0f15c877
SHA256 cfe0ec03f468475aea702d52193846b6592ae51146456e9a51d87e3a1af70270
SHA512 a42e50cd1e6ce9e07c49797ca65a7a075c8e7d05cc42451da8efe5eb21617c82af6f6ed76975552f5091e2a0a9954a9476ae1512343cc95978e385bceaadc293

memory/604-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 de84d360452c17f7a4945151033c54e5
SHA1 23b58d48fb331f27ae3b74beb7c2284d0f15c877
SHA256 cfe0ec03f468475aea702d52193846b6592ae51146456e9a51d87e3a1af70270
SHA512 a42e50cd1e6ce9e07c49797ca65a7a075c8e7d05cc42451da8efe5eb21617c82af6f6ed76975552f5091e2a0a9954a9476ae1512343cc95978e385bceaadc293

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 09:15

Reported

2021-05-11 10:01

Platform

win10v20210410

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4.exe

"C:\Users\Admin\AppData\Local\Temp\d65fbf0bc3551b89b23313cd2c436790b63da1f439bcc1d453beca6e074b3df4.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country  Destination        Domain  Proto
N/A      172.217.20.110:80  -       tcp
N/A      172.217.20.110:80  -       tcp
N/A      172.217.20.110:80  -       tcp
N/A      172.217.20.110:80  -       tcp
N/A      172.217.20.110:80  -       tcp

Files

memory/196-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 de84d360452c17f7a4945151033c54e5
SHA1 23b58d48fb331f27ae3b74beb7c2284d0f15c877
SHA256 cfe0ec03f468475aea702d52193846b6592ae51146456e9a51d87e3a1af70270
SHA512 a42e50cd1e6ce9e07c49797ca65a7a075c8e7d05cc42451da8efe5eb21617c82af6f6ed76975552f5091e2a0a9954a9476ae1512343cc95978e385bceaadc293

memory/3144-117-0x0000000000410000-0x00000000004BE000-memory.dmp

memory/196-118-0x0000000000470000-0x000000000051E000-memory.dmp