Malware Analysis Report

2024-10-19 08:24

Sample ID 210515-94mr2v99w2
Target d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df
SHA256 d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df

Threat Level: Known bad

The file d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-15 04:32

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-15 04:32

Reported

2021-05-15 09:43

Platform

win10v20210408

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df.exe

"C:\Users\Admin\AppData\Local\Temp\d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/2544-114-0x0000000000640000-0x0000000000641000-memory.dmp

memory/2916-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 0eb112182d5f72ee3cf5edfa03934a64
SHA1 ed7b99e270d84262613c840e9ff154a8ebdd676e
SHA256 9e00f1f7a9bae72272175b2070d3452d665eb46577fe7cf116aa3d90034d036b
SHA512 717f0080dcbbacd8ed56742a134a75d829a9030ddf4772295f5921b9320784f3f217849069447906cf0da4d452ac403a8473a9ee6cf066bab5b33e4dc43237cf

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-15 04:32

Reported

2021-05-15 09:43

Platform

win7v20210410

Max time kernel

151s

Max time network

15s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df.exe

"C:\Users\Admin\AppData\Local\Temp\d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
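Both behavioral runs show the same two-process tree: the submitted sample, running from the user's Temp directory, writes szgfw.exe beside itself and then launches it, which is what the "Executes dropped EXE" signature in the overview denotes. The Python below is an added detection example; it is not part of this report and not code from any sandbox. It runs two rules over a constructed, Sysmon-like event stream (file-create and process-create records with a simplified field set; the record shape, the PIDs and the benign explorer/notepad events are assumptions of the example): a process starting an .exe it wrote itself, and a parent in a user's AppData\Local\Temp spawning a child from the same location.

```python
import re
from dataclasses import dataclass

# Per-user temp directory. The drive letter is optional because the
# behavioral1 Files section lists the dropped file as \Users\... without one.
USER_TEMP_RE = re.compile(
    r"^(?:[a-z]:)?\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE
)

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d82dd85d5ecb23a21542231c79db17b060a58bfd84a9d7c1d2f0eea1750ad9df.exe")
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"


@dataclass(frozen=True)
class Event:
    """Simplified Sysmon-style record; the field set is an assumption of this example."""
    kind: str                 # "ProcessCreate" or "FileCreate"
    pid: int                  # process created, or process that wrote the file
    image: str                # its image path
    parent_pid: int = 0       # ProcessCreate only
    parent_image: str = ""    # ProcessCreate only
    target: str = ""          # FileCreate only: path written


@dataclass(frozen=True)
class Alert:
    rule: str
    parent_pid: int
    parent_image: str
    child_pid: int
    child_image: str


def is_user_temp(path):
    return bool(USER_TEMP_RE.match(path))


def detect(events):
    """Run two rules over an ordered event stream and return the alerts raised.

    executes_dropped_exe: a process starts an .exe that the same PID wrote earlier.
    temp_spawns_temp:     parent and child images both live in a user's Temp dir.
    """
    written = {}   # (writer_pid, lowercased path) -> writer image
    alerts = []
    for ev in events:
        if ev.kind == "FileCreate":
            if ev.target.lower().endswith(".exe"):
                written[(ev.pid, ev.target.lower())] = ev.image
        elif ev.kind == "ProcessCreate":
            if (ev.parent_pid, ev.image.lower()) in written:
                alerts.append(Alert("executes_dropped_exe", ev.parent_pid,
                                    ev.parent_image, ev.pid, ev.image))
            if is_user_temp(ev.parent_image) and is_user_temp(ev.image):
                alerts.append(Alert("temp_spawns_temp", ev.parent_pid,
                                    ev.parent_image, ev.pid, ev.image))
    return alerts


def sample_events():
    """Constructed stream mirroring the report's process tree. The PIDs and the
    benign explorer/notepad events are invented for this example."""
    explorer = r"C:\Windows\explorer.exe"
    notepad = r"C:\Windows\System32\notepad.exe"
    return [
        Event("ProcessCreate", 2544, SAMPLE_EXE, 1000, explorer),
        Event("FileCreate", 2544, SAMPLE_EXE, target=DROPPED_EXE),
        Event("ProcessCreate", 2916, DROPPED_EXE, 2544, SAMPLE_EXE),
        Event("ProcessCreate", 3000, notepad, 1000, explorer),
        Event("FileCreate", 3000, notepad, target=r"C:\Users\Admin\Documents\notes.txt"),
    ]


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a.rule}: pid {a.parent_pid} ({a.parent_image}) "
              f"-> pid {a.child_pid} ({a.child_image})")
```

On the constructed stream both rules fire once, on the szgfw.exe launch, and the explorer/notepad events raise nothing. The first rule, keyed on the writer's own PID, is the more specific of the two; the second is noisy on hosts where installers and updaters self-extract to Temp and needs an allow-list before it is alerted on. In a real pipeline you would also carry the dropped file's hash from the file-create record so a hit can be joined to the digests listed under Files.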

Network

N/A

Files

memory/1996-60-0x0000000075D41000-0x0000000075D43000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 0eb112182d5f72ee3cf5edfa03934a64
SHA1 ed7b99e270d84262613c840e9ff154a8ebdd676e
SHA256 9e00f1f7a9bae72272175b2070d3452d665eb46577fe7cf116aa3d90034d036b
SHA512 717f0080dcbbacd8ed56742a134a75d829a9030ddf4772295f5921b9320784f3f217849069447906cf0da4d452ac403a8473a9ee6cf066bab5b33e4dc43237cf

memory/1304-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 0eb112182d5f72ee3cf5edfa03934a64
SHA1 ed7b99e270d84262613c840e9ff154a8ebdd676e
SHA256 9e00f1f7a9bae72272175b2070d3452d665eb46577fe7cf116aa3d90034d036b
SHA512 717f0080dcbbacd8ed56742a134a75d829a9030ddf4772295f5921b9320784f3f217849069447906cf0da4d452ac403a8473a9ee6cf066bab5b33e4dc43237cf

memory/1996-66-0x0000000000220000-0x0000000000221000-memory.dmp
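The Files sections list the same four digests for szgfw.exe in both runs, so that hash set is the portable indicator from this report (the sample itself is identified by the SHA256 in the header). The Python below is an added example, not taken from the report or from any sandbox: it parses hash blocks in the format shown above into an IOC set, computes all four digests of a file in one pass, and returns which algorithms matched. The bytes it hashes at the end are a constructed stand-in for a file under inspection, so they are expected not to match.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Hash block for szgfw.exe, copied from the Files section of this report.
REPORT_HASH_BLOCK = """
MD5 0eb112182d5f72ee3cf5edfa03934a64
SHA1 ed7b99e270d84262613c840e9ff154a8ebdd676e
SHA256 9e00f1f7a9bae72272175b2070d3452d665eb46577fe7cf116aa3d90034d036b
SHA512 717f0080dcbbacd8ed56742a134a75d829a9030ddf4772295f5921b9320784f3f217849069447906cf0da4d452ac403a8473a9ee6cf066bab5b33e4dc43237cf
"""


def parse_hash_block(text):
    """Parse lines of the form 'ALGO hexdigest' into {algo: digest}.

    Lines with an unknown algorithm, a wrong digest length or non-hex
    characters are skipped rather than trusted, so a truncated copy-paste
    cannot silently produce an IOC that can never match anything.
    """
    iocs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        algo, digest = parts[0].lower(), parts[1].lower()
        if algo not in DIGEST_HEX_LEN or len(digest) != DIGEST_HEX_LEN[algo]:
            continue
        try:
            bytes.fromhex(digest)
        except ValueError:
            continue
        iocs[algo] = digest
    return iocs


def digests_of(data, chunk_size=1 << 20):
    """Compute all four digests in a single pass over bytes or a binary file object."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    if isinstance(data, (bytes, bytearray)):
        for h in hashers.values():
            h.update(data)
    else:
        while True:
            chunk = data.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_iocs(file_digests, iocs):
    """Return the set of algorithms on which file_digests agrees with iocs."""
    return {a for a, d in file_digests.items() if iocs.get(a) == d}


def scan_path(path, iocs):
    """Hash a file on disk and report which IOC digests it matches."""
    with open(path, "rb") as f:
        return match_iocs(digests_of(f), iocs)


if __name__ == "__main__":
    iocs = parse_hash_block(REPORT_HASH_BLOCK)
    # Constructed stand-in for a quarantined file; not the real dropper.
    suspect = b"MZ\x90\x00" + b"\x00" * 60
    hits = match_iocs(digests_of(suspect), iocs)
    print("matched on:", sorted(hits) or "none")
```

A match on sha256 or sha512 is conclusive on its own. An md5-only or sha1-only match with a differing sha256 means either a collision or a transcription error in the IOC and should be treated as a data problem, not a detection. The path under AppData\Local\Temp is a weaker indicator than the hash: it embeds the sandbox username (Admin), and the report shows the name szgfw.exe for this one sample only.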