Malware Analysis Report

2024-10-23 21:07

Sample ID 210515-9vtmmg7s8j
Target a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143
SHA256 a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143
Tags
upatre downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143

Threat Level: Known bad

The file a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-15 11:27

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-15 11:27

Reported

2021-05-15 17:51

Platform

win10v20210408

Max time kernel

149s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143.exe

"C:\Users\Admin\AppData\Local\Temp\a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/2544-114-0x0000000000410000-0x00000000004BE000-memory.dmp

memory/3948-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 6ae7161c76a4ef112144024764edea7f
SHA1 7b73dc93df6cc9b99b75524989a7164903420f65
SHA256 de41f88b412eef0eeaedd204655736184cafad2e88c60532cd4b97394fbb1219
SHA512 e25582579657212eac3c6fd3b46ac8125a295d43be93dc5695ab04a6264cab0b0e2cc025e9be24a3c319ecdce2ddf936a10c59258e7270f16922b38aca4744e6

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 6ae7161c76a4ef112144024764edea7f
SHA1 7b73dc93df6cc9b99b75524989a7164903420f65
SHA256 de41f88b412eef0eeaedd204655736184cafad2e88c60532cd4b97394fbb1219
SHA512 e25582579657212eac3c6fd3b46ac8125a295d43be93dc5695ab04a6264cab0b0e2cc025e9be24a3c319ecdce2ddf936a10c59258e7270f16922b38aca4744e6

memory/3948-118-0x0000000000740000-0x0000000000741000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-15 11:27

Reported

2021-05-15 17:51

Platform

win7v20210408

Max time kernel

150s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143.exe

"C:\Users\Admin\AppData\Local\Temp\a3d45e61a9ced1862ec30979b63d8dd56db07777336d1845b80b5ac70577e143.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1656-59-0x0000000075801000-0x0000000075803000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 6ae7161c76a4ef112144024764edea7f
SHA1 7b73dc93df6cc9b99b75524989a7164903420f65
SHA256 de41f88b412eef0eeaedd204655736184cafad2e88c60532cd4b97394fbb1219
SHA512 e25582579657212eac3c6fd3b46ac8125a295d43be93dc5695ab04a6264cab0b0e2cc025e9be24a3c319ecdce2ddf936a10c59258e7270f16922b38aca4744e6

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 6ae7161c76a4ef112144024764edea7f
SHA1 7b73dc93df6cc9b99b75524989a7164903420f65
SHA256 de41f88b412eef0eeaedd204655736184cafad2e88c60532cd4b97394fbb1219
SHA512 e25582579657212eac3c6fd3b46ac8125a295d43be93dc5695ab04a6264cab0b0e2cc025e9be24a3c319ecdce2ddf936a10c59258e7270f16922b38aca4744e6

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 6ae7161c76a4ef112144024764edea7f
SHA1 7b73dc93df6cc9b99b75524989a7164903420f65
SHA256 de41f88b412eef0eeaedd204655736184cafad2e88c60532cd4b97394fbb1219
SHA512 e25582579657212eac3c6fd3b46ac8125a295d43be93dc5695ab04a6264cab0b0e2cc025e9be24a3c319ecdce2ddf936a10c59258e7270f16922b38aca4744e6

memory/1624-62-0x0000000000000000-mapping.dmp

memory/1656-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 6ae7161c76a4ef112144024764edea7f
SHA1 7b73dc93df6cc9b99b75524989a7164903420f65
SHA256 de41f88b412eef0eeaedd204655736184cafad2e88c60532cd4b97394fbb1219
SHA512 e25582579657212eac3c6fd3b46ac8125a295d43be93dc5695ab04a6264cab0b0e2cc025e9be24a3c319ecdce2ddf936a10c59258e7270f16922b38aca4744e6