Malware Analysis Report

2024-10-23 21:07

Sample ID 210515-hj35e7dky2
Target 900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a
SHA256 900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a
Tags
upatre downloader
score
10/10

Analysis Overview

score
10/10

SHA256

900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a

Threat Level: Known bad

The file 900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a was found to be: Known bad.

Malicious Activity Summary

upatre downloader

Upatre

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-15 15:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-15 15:01

Reported

2021-05-16 01:13

Platform

win7v20210410

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe

"C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/1052-59-0x0000000075721000-0x0000000075723000-memory.dmp

\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 a7ce9b959e0456aa43b0243a15d484e9
SHA1 d7de590574f9bc0ba73db2fcff6785ad2999ba76
SHA256 b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be
SHA512 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339

memory/1692-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

memory/1052-65-0x00000000003B0000-0x00000000003B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-15 15:01

Reported

2021-05-16 01:13

Platform

win10v20210410

Max time kernel

150s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe

"C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe"

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"

Network

N/A

Files

memory/520-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

MD5 a7ce9b959e0456aa43b0243a15d484e9
SHA1 d7de590574f9bc0ba73db2fcff6785ad2999ba76
SHA256 b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be
SHA512 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339

memory/4060-117-0x00000000005F0000-0x00000000005F1000-memory.dmp