Malware Analysis Report

2024-10-19 08:24

Sample ID 210515-bkx2f1peya
Target ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0
SHA256 ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0
Tags upatre downloader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0

Threat Level: Known bad

The file ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0 was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-05-15 05:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2021-05-15 05:21
Reported 2021-05-15 11:33
Platform win7v20210408
Max time kernel 151s
Max time network 40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe

"C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1120-59-0x0000000074D91000-0x0000000074D93000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 76f3ec304d802ef1c845aff36944cf20
SHA1 462c3cd5e9e551271889a14413c90a7dbff681b0
SHA256 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309
SHA512 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056

memory/360-62-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 76f3ec304d802ef1c845aff36944cf20
SHA1 462c3cd5e9e551271889a14413c90a7dbff681b0
SHA256 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309
SHA512 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 76f3ec304d802ef1c845aff36944cf20
SHA1 462c3cd5e9e551271889a14413c90a7dbff681b0
SHA256 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309
SHA512 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056

memory/1120-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 76f3ec304d802ef1c845aff36944cf20
SHA1 462c3cd5e9e551271889a14413c90a7dbff681b0
SHA256 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309
SHA512 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056

Analysis: behavioral2

Detonation Overview

Submitted 2021-05-15 05:21
Reported 2021-05-15 11:33
Platform win10v20210408
Max time kernel 150s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe

"C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/508-114-0x0000000000510000-0x000000000065A000-memory.dmp

memory/3420-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 76f3ec304d802ef1c845aff36944cf20
SHA1 462c3cd5e9e551271889a14413c90a7dbff681b0
SHA256 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309
SHA512 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 76f3ec304d802ef1c845aff36944cf20
SHA1 462c3cd5e9e551271889a14413c90a7dbff681b0
SHA256 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309
SHA512 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056

memory/3420-118-0x0000000000410000-0x000000000055A000-memory.dmp