Malware Analysis Report

2024-10-19 08:24

Sample ID 210515-1xgzhp75pa
Target fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811
SHA256 fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811

Threat Level: Known bad

The file fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

The Network section of both detonations below reads N/A, and the longest network capture was 60s: the second-stage payload that an Upatre downloader exists to fetch was not retrieved during either run, so the hashes in this report cover only the submitted sample and the dropped szgfw.exe.
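The process chain recorded in both detonations (the submitted executable writes szgfw.exe into its own Temp directory and then launches it) is what the "Executes dropped EXE" and "Loads dropped DLL" signatures key on. The following is an added example, not code from the report or from the sandbox vendor, of that correlation run over a constructed, simplified event list. The event kinds, the PIDs 1084 and 1604 (taken from the memory dump names under behavioral1 and assumed to belong to the sample and to szgfw.exe) and the placeholder example.dll are assumptions; only the two executable paths come from the report.

```python
"""Added example (not from the report): the correlation behind the
"Executes dropped EXE" and "Loads dropped DLL" signatures, run over a
constructed, simplified Sysmon-like event list.  Only the two executable
paths come from the report; the event shapes, the PIDs (1084 for the sample
and 1604 for szgfw.exe, taken from the memory dump names) and example.dll
are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int            # event index within the run, increasing in time
    kind: str           # "file_create", "process_create" or "image_load"
    pid: int            # acting process; for process_create this is the parent
    path: str           # file written, image launched, or module loaded
    child_pid: int = 0  # new process, for process_create only


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"


def norm(path: str) -> str:
    """Case-fold and strip the drive letter, so the drive-relative write path
    (leading backslash, as in the Files sections) matches the full launch
    path (with its C: prefix)."""
    return re.sub(r"^[a-z]:", "", path.lower())


def correlate(events, root_pid):
    """Walk the events in order; return (signature, seq, path) findings."""
    tracked = {root_pid}   # process tree rooted at the submitted sample
    dropped = {}           # normalised path -> seq at which it was written
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.pid not in tracked:
            continue       # activity outside the sample's tree is ignored
        p = norm(ev.path)
        was_dropped = p in dropped and dropped[p] < ev.seq
        if ev.kind == "file_create":
            dropped.setdefault(p, ev.seq)
        elif ev.kind == "process_create":
            tracked.add(ev.child_pid)
            if was_dropped:
                findings.append(("Executes dropped EXE", ev.seq, ev.path))
        elif ev.kind == "image_load" and was_dropped and p.endswith(".dll"):
            findings.append(("Loads dropped DLL", ev.seq, ev.path))
    return findings


# Constructed events modelled on behavioral1's process chain (assumption).
EVENTS = [
    Event(1, "image_load", 1084, r"C:\Windows\System32\kernel32.dll"),      # pre-existing: no hit
    Event(2, "file_create", 1084, r"\Users\Admin\AppData\Local\Temp\szgfw.exe"),
    Event(3, "file_create", 1084, r"\Users\Admin\AppData\Local\Temp\example.dll"),  # placeholder
    Event(4, "process_create", 1084, DROPPED_EXE, child_pid=1604),         # Executes dropped EXE
    Event(5, "image_load", 1604, r"C:\Users\Admin\AppData\Local\Temp\example.dll"),  # Loads dropped DLL
    Event(6, "file_create", 9999, r"C:\Windows\Temp\unrelated.exe"),       # other process: ignored
    Event(7, "process_create", 9999, r"C:\Windows\Temp\unrelated.exe", child_pid=9998),
    Event(8, "process_create", 1604, r"C:\Windows\System32\cmd.exe", child_pid=2000),  # not dropped
]

if __name__ == "__main__":
    for sig, seq, path in correlate(EVENTS, root_pid=1084):
        print(f"#{seq} {sig}: {path}")
```

Two details matter in practice. The write is recorded under a drive-relative path and the launch under a full path, as the Files sections below show for szgfw.exe, so paths have to be normalised before they are compared. And only writes by processes inside the sample's tree count; without that filter, unrelated activity on the host would produce findings, which is why the same events yield a different (and wrong) result when the tree is rooted at PID 9999.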

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-15 04:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-15 04:02

Reported

2021-05-15 08:40

Platform

win7v20210410

Max time kernel

151s

Max time network

11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe

"C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 a147122d6b5c5e82dafa3ddf92bcf002
SHA1 9d570d530598df4bd070ea68c5e52c749d50884b
SHA256 75b48d654209177407ae2b12165f0bd8238b18e12c1ba51e3453ff6be55760ce
SHA512 19fad02cd65b527ae20720293d7612a022052ae3cd504e953ccb0f5d2995c6068e26637504376dbe7c1129d18e3905442d1d6478c6660f014345875ca1f355b2

memory/1604-63-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe
(same file and hashes as above)

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
(same file and hashes as above)

memory/1084-66-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
(same file and hashes as above)

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-15 04:02

Reported

2021-05-15 08:41

Platform

win10v20210408

Max time kernel

150s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe

"C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/4804-114-0x0000000002470000-0x0000000002471000-memory.dmp

memory/2432-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 a147122d6b5c5e82dafa3ddf92bcf002
SHA1 9d570d530598df4bd070ea68c5e52c749d50884b
SHA256 75b48d654209177407ae2b12165f0bd8238b18e12c1ba51e3453ff6be55760ce
SHA512 19fad02cd65b527ae20720293d7612a022052ae3cd504e953ccb0f5d2995c6068e26637504376dbe7c1129d18e3905442d1d6478c6660f014345875ca1f355b2

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
(same file and hashes as above; identical to the szgfw.exe dropped in behavioral1)
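The Files sections of both detonations record the same dropped file several times, under a drive-relative write path and under the full path, each time with the full digest set, next to memory dump entries that carry no hashes. What follows is an added example, not part of the report or of the sandbox's own tooling, of a parser for that layout applied to the behavioral1 entries: it folds the repeats into one record per SHA256, checks that every copy agrees on MD5, SHA1 and SHA512 as well, flags digests of the wrong length, and decodes the dump names into PID, event index and address range. The layout rules it assumes (fixed label order, hex widths, the dump-name fields) are read off this page, not a published specification.

```python
"""Added example, not part of the report or of the sandbox's own tooling: a
parser for the flattened Files section layout shown above, applied to the
behavioral1 entries.  It folds the repeated szgfw.exe entries into one record,
checks that every copy agrees on all four digests, and decodes the
memory/<pid>-<seq>-<start>[-<end>]-<kind>.dmp names.  The layout rules (label
order, hex widths, dump-name fields) are assumptions read off this page."""
import re
from collections import OrderedDict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, dumps, problems): files keyed by SHA256 with every path
    seen for that digest, dumps as decoded dicts, problems as strings."""
    files, dumps, problems = OrderedDict(), [], []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        m = DUMP_RE.match(line)
        if m:
            start = int(m["start"], 16)
            end = int(m["end"], 16) if m["end"] else start  # mapping dumps have no range
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "kind": m["kind"], "start": start, "size": end - start})
            i += 1
            continue
        # Otherwise a path line followed by "LABEL hexdigest" lines.
        hashes, j = {}, i + 1
        while j < len(lines):
            parts = lines[j].split(None, 1)
            if len(parts) != 2 or parts[0] not in HASH_LEN:
                break
            hashes[parts[0]] = parts[1].lower()
            j += 1
        i = j
        if set(hashes) != set(HASH_LEN):
            problems.append(f"incomplete digest set for {line}")
            continue
        for label, value in hashes.items():
            if not re.fullmatch("[0-9a-f]{%d}" % HASH_LEN[label], value):
                problems.append(f"{label} of {line} is not {HASH_LEN[label]} hex digits")
        rec = files.setdefault(hashes["SHA256"], {"paths": [], "hashes": hashes})
        if rec["hashes"] != hashes:
            problems.append(f"digest mismatch for {line}: same SHA256, other digests differ")
        if line not in rec["paths"]:
            rec["paths"].append(line)
    return files, dumps, problems


# Constructed from the behavioral1 Files section, keeping the hash block for
# only the first two szgfw.exe entries; the values themselves are the report's.
SECTION = r"""
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 a147122d6b5c5e82dafa3ddf92bcf002
SHA1 9d570d530598df4bd070ea68c5e52c749d50884b
SHA256 75b48d654209177407ae2b12165f0bd8238b18e12c1ba51e3453ff6be55760ce
SHA512 19fad02cd65b527ae20720293d7612a022052ae3cd504e953ccb0f5d2995c6068e26637504376dbe7c1129d18e3905442d1d6478c6660f014345875ca1f355b2

memory/1604-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 a147122d6b5c5e82dafa3ddf92bcf002
SHA1 9d570d530598df4bd070ea68c5e52c749d50884b
SHA256 75b48d654209177407ae2b12165f0bd8238b18e12c1ba51e3453ff6be55760ce
SHA512 19fad02cd65b527ae20720293d7612a022052ae3cd504e953ccb0f5d2995c6068e26637504376dbe7c1129d18e3905442d1d6478c6660f014345875ca1f355b2

memory/1084-66-0x0000000000230000-0x0000000000231000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps, problems = parse_files_section(SECTION)
    for sha256, rec in files.items():
        print(sha256, rec["paths"])
    for d in dumps:
        print(d)
    print("problems:", problems)
```

The mismatch check is the part worth keeping when this is turned into real tooling: a report that lists one SHA256 with two different MD5 or SHA1 values for the same path is corrupt or tampered, and an IOC feed built from it would carry a digest that matches nothing. The dump names decode to two small regions of the sample's process (8 KiB and 4 KiB) and a mapping dump taken at the creation of the second process, which is consistent with the dropped file being written and launched rather than injected.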