Malware Analysis Report

2024-10-19 08:24

Sample ID 210511-z9aft2pjts
Target 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf
SHA256 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf
Tags
upatre downloader
score
10/10

Analysis Overview

score
10/10

SHA256

91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf

Threat Level: Known bad

The file 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-11 12:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-11 12:21

Reported

2021-05-11 17:39

Platform

win7v20210410

Max time kernel

150s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe

"C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country  Destination         Domain  Proto
N/A      172.217.20.110:80           tcp
N/A      172.217.20.110:80           tcp

Files

memory/1088-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 532ab42ab0be50660b7e7e4c78b925e8
SHA1 0b9e93d43e0bb0a58c5e2b95ac9b6870a0f3488b
SHA256 c3e2159aeb899b62a0cc7ec77b61b796b1fff64d27e3430ac8330041f8a1a221
SHA512 de21c7b79603b24163ebda2c30548116217d67f4cf2305666c9724aee1c19e3bdb839f44682d3acd781f0f2d62c6765e0e2d2436653ad5d8928b59c86e4afa78


memory/1348-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 532ab42ab0be50660b7e7e4c78b925e8
SHA1 0b9e93d43e0bb0a58c5e2b95ac9b6870a0f3488b
SHA256 c3e2159aeb899b62a0cc7ec77b61b796b1fff64d27e3430ac8330041f8a1a221
SHA512 de21c7b79603b24163ebda2c30548116217d67f4cf2305666c9724aee1c19e3bdb839f44682d3acd781f0f2d62c6765e0e2d2436653ad5d8928b59c86e4afa78

memory/1088-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 532ab42ab0be50660b7e7e4c78b925e8
SHA1 0b9e93d43e0bb0a58c5e2b95ac9b6870a0f3488b
SHA256 c3e2159aeb899b62a0cc7ec77b61b796b1fff64d27e3430ac8330041f8a1a221
SHA512 de21c7b79603b24163ebda2c30548116217d67f4cf2305666c9724aee1c19e3bdb839f44682d3acd781f0f2d62c6765e0e2d2436653ad5d8928b59c86e4afa78

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-11 12:21

Reported

2021-05-11 17:39

Platform

win10v20210410

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe

"C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1844-114-0x0000000000980000-0x0000000000981000-memory.dmp

memory/392-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 532ab42ab0be50660b7e7e4c78b925e8
SHA1 0b9e93d43e0bb0a58c5e2b95ac9b6870a0f3488b
SHA256 c3e2159aeb899b62a0cc7ec77b61b796b1fff64d27e3430ac8330041f8a1a221
SHA512 de21c7b79603b24163ebda2c30548116217d67f4cf2305666c9724aee1c19e3bdb839f44682d3acd781f0f2d62c6765e0e2d2436653ad5d8928b59c86e4afa78


memory/392-118-0x0000000000410000-0x000000000055A000-memory.dmp