Malware Analysis Report

2024-10-19 08:24

Sample ID 210513-nt2ap3q9ex
Target 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505
SHA256 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505
Tags
upatre downloader
score
10/10


Analysis Overview

score
10/10

SHA256

7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505

Threat Level: Known bad

The file 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory
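The summary above describes the chain the sandbox recorded: the sample, itself running from the user's Temp directory, writes szgfw.exe into that same directory and then executes it. The detection below is an added example, not part of the sandbox report, that runs exactly that rule over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The Sysmon field names are real; the events are invented, the PIDs 1820 and 1400 reuse the numbers from the win7 memory-dump names, and the setup.exe events are a hypothetical benign installer included to show what the rule does not flag.

```python
"""Detect the chain this report records: a process running from the user's
Temp directory writes an EXE into Temp and then executes it.
Added example; field names follow Sysmon (Image, ParentImage, TargetFilename,
ProcessId, ParentProcessId), the events themselves are constructed."""
import re
from typing import Dict, Iterable, List

# <drive>:\Users\<user>\AppData\Local\Temp\... , case-insensitive
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe"
DROPPED = TEMP + r"\szgfw.exe"

# Constructed events in time order (not taken from the sandbox). Event ID 1 is
# process creation, Event ID 11 is file creation. PIDs 1820/1400 mirror the
# memory-dump names of the win7 run; the setup.exe events are a hypothetical
# benign installer added to show what the rule leaves alone.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1820, "ParentProcessId": 1000,
     "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1820, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 1400, "ParentProcessId": 1820,
     "Image": DROPPED, "ParentImage": SAMPLE},
    # benign: an installer outside Temp extracts a helper into Temp and runs it
    {"EventID": 1, "ProcessId": 2200, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Example\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2200, "Image": r"C:\Program Files\Example\setup.exe",
     "TargetFilename": TEMP + r"\helper.exe"},
    {"EventID": 1, "ProcessId": 2300, "ParentProcessId": 2200,
     "Image": TEMP + r"\helper.exe",
     "ParentImage": r"C:\Program Files\Example\setup.exe"},
    # a Temp-resident process starting a Temp EXE it did not write: no alert
    {"EventID": 1, "ProcessId": 2400, "ParentProcessId": 1400,
     "Image": TEMP + r"\preexisting.exe", "ParentImage": DROPPED},
]


def is_user_temp(path: str) -> bool:
    """True when the path lies inside a per-user Temp directory."""
    return bool(USER_TEMP_RE.match(path or ""))


def detect_dropped_exe_chain(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per ProcessCreate that completes the chain.

    FileCreate events build a map from Temp-resident EXE paths to the PID that
    wrote them. A ProcessCreate alerts only when the new image is in Temp, the
    parent image is in Temp, and the parent PID is the one that wrote the image.
    """
    written_by: Dict[str, int] = {}
    alerts: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if is_user_temp(target) and target.lower().endswith(".exe"):
                written_by[target.lower()] = ev["ProcessId"]
        elif eid == 1:
            image = ev.get("Image", "")
            parent = ev.get("ParentImage", "")
            ppid = ev.get("ParentProcessId")
            if (is_user_temp(image) and is_user_temp(parent)
                    and written_by.get(image.lower()) == ppid):
                alerts.append({
                    "rule": "temp_process_drops_and_executes_exe",
                    "parent_pid": ppid, "parent_image": parent,
                    "child_pid": ev.get("ProcessId"), "child_image": image,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_dropped_exe_chain(SAMPLE_EVENTS):
        print(alert)
```

Requiring all three conditions (child in Temp, parent in Temp, parent wrote the child) keeps ordinary installers out of the alert set while still catching the sample's behaviour; relaxing the parent-in-Temp condition would turn the rule into a generic "executes a file it just wrote" detector with correspondingly more noise.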

Analysis: static1

Detonation Overview

Reported

2021-05-13 05:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-13 05:32

Reported

2021-05-13 21:24

Platform

win7v20210408

Max time kernel

151s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe"

Signatures

Processes (tree: the sample launches the dropped szgfw.exe from the same Temp directory)

C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe
  "C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe"

  C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

Dropped file (recorded four times in this run, twice without the drive letter, with identical hashes in every entry):

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 fb876a6ad113595bf7b3acd1f5b9d23e
SHA1 71fb7757053633941b0a2bb09f82313006e4fc47
SHA256 8d926d2d5c0ea16f198e2a80f577f39953b7c9837efc06b7c3d13428f7d9fd01
SHA512 203397a0b6663a018336ed9029462936b849776ea46d5d63f966535c8c3b96c2bffdee2e2a054c89e60f94806705aba27f234b0cd7531a8bda51b8be4de72b29

Memory dumps (named <pid>-<index>-<address range>):

memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp
memory/1400-63-0x0000000000000000-mapping.dmp
memory/1820-66-0x00000000001B0000-0x00000000001B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-13 05:32

Reported

2021-05-13 21:24

Platform

win10v20210410

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe"

Signatures

Processes (tree: the sample launches the dropped szgfw.exe from the same Temp directory)

C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe
  "C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe"

  C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

Country   Destination         Domain   Proto
N/A       23.42.205.27:443    (none)   tcp

No domain was resolved for this connection and no TLS host name is recorded. The address falls inside 23.32.0.0/11, a range announced by Akamai, so from this report alone it cannot be labeled a C2 endpoint; a connectivity check against a legitimate host is equally consistent with the evidence. The win7 run produced no network activity at all.

Files

Dropped file (recorded twice in this run, with identical hashes in both entries):

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 fb876a6ad113595bf7b3acd1f5b9d23e
SHA1 71fb7757053633941b0a2bb09f82313006e4fc47
SHA256 8d926d2d5c0ea16f198e2a80f577f39953b7c9837efc06b7c3d13428f7d9fd01
SHA512 203397a0b6663a018336ed9029462936b849776ea46d5d63f966535c8c3b96c2bffdee2e2a054c89e60f94806705aba27f234b0cd7531a8bda51b8be4de72b29

Memory dumps (named <pid>-<index>-<address range>):

memory/3492-114-0x0000000000000000-mapping.dmp
memory/4012-117-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/3492-118-0x0000000000410000-0x000000000055A000-memory.dmp