Malware Analysis Report

2024-10-19 08:24

Sample ID 210513-d8rw8s1wka
Target 52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2
SHA256 52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2

Threat Level: Known bad

The file 52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-13 12:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-13 12:40

Reported

2021-05-14 05:39

Platform

win10v20210410

Max time kernel

149s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2.exe

"C:\Users\Admin\AppData\Local\Temp\52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1520-115-0x0000000000000000-mapping.dmp

memory/1908-114-0x0000000000540000-0x000000000068A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 3e2f8ae8f8d807e1522e211ec591faef
SHA1 ed7025603d05de8d137f2dce2a315d46dfb6f8e9
SHA256 d914e5d8b11aea1c72d8e03527e2a0313a1624b0f272e7a58154ab45e985dac0
SHA512 d3af6ca32b2dbed07c36e2ea48bf1250028fed5c33ea44a0c1792c6523627854efb2e8fe99b0cd89eca415b4b03f0d83d7d675ec5bc49e01af3030e93af6a1bb

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 3e2f8ae8f8d807e1522e211ec591faef
SHA1 ed7025603d05de8d137f2dce2a315d46dfb6f8e9
SHA256 d914e5d8b11aea1c72d8e03527e2a0313a1624b0f272e7a58154ab45e985dac0
SHA512 d3af6ca32b2dbed07c36e2ea48bf1250028fed5c33ea44a0c1792c6523627854efb2e8fe99b0cd89eca415b4b03f0d83d7d675ec5bc49e01af3030e93af6a1bb

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-13 12:40

Reported

2021-05-14 05:40

Platform

win7v20210408

Max time kernel

150s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2.exe

"C:\Users\Admin\AppData\Local\Temp\52a4325b439b3bfb5bb9dddf9c01c6c9b27a7f2c3fb372d68d8570c7c270c6c2.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1656-59-0x0000000075801000-0x0000000075803000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 3e2f8ae8f8d807e1522e211ec591faef
SHA1 ed7025603d05de8d137f2dce2a315d46dfb6f8e9
SHA256 d914e5d8b11aea1c72d8e03527e2a0313a1624b0f272e7a58154ab45e985dac0
SHA512 d3af6ca32b2dbed07c36e2ea48bf1250028fed5c33ea44a0c1792c6523627854efb2e8fe99b0cd89eca415b4b03f0d83d7d675ec5bc49e01af3030e93af6a1bb

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 3e2f8ae8f8d807e1522e211ec591faef
SHA1 ed7025603d05de8d137f2dce2a315d46dfb6f8e9
SHA256 d914e5d8b11aea1c72d8e03527e2a0313a1624b0f272e7a58154ab45e985dac0
SHA512 d3af6ca32b2dbed07c36e2ea48bf1250028fed5c33ea44a0c1792c6523627854efb2e8fe99b0cd89eca415b4b03f0d83d7d675ec5bc49e01af3030e93af6a1bb

memory/604-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 3e2f8ae8f8d807e1522e211ec591faef
SHA1 ed7025603d05de8d137f2dce2a315d46dfb6f8e9
SHA256 d914e5d8b11aea1c72d8e03527e2a0313a1624b0f272e7a58154ab45e985dac0
SHA512 d3af6ca32b2dbed07c36e2ea48bf1250028fed5c33ea44a0c1792c6523627854efb2e8fe99b0cd89eca415b4b03f0d83d7d675ec5bc49e01af3030e93af6a1bb

memory/1656-65-0x00000000003A0000-0x00000000003A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 3e2f8ae8f8d807e1522e211ec591faef
SHA1 ed7025603d05de8d137f2dce2a315d46dfb6f8e9
SHA256 d914e5d8b11aea1c72d8e03527e2a0313a1624b0f272e7a58154ab45e985dac0
SHA512 d3af6ca32b2dbed07c36e2ea48bf1250028fed5c33ea44a0c1792c6523627854efb2e8fe99b0cd89eca415b4b03f0d83d7d675ec5bc49e01af3030e93af6a1bb