upatre | d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-03-2023 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe
Size

4KB
MD5

658c61d16ba472c29f511fb03ff2815a
SHA1

9ce2455123e092e2750c228ff77a8362bbc81196
SHA256

d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf
SHA512

028991ca2cf902f3e0790f7080a747408ff4552e6f6316b2cbdf4bcc53cb993c7b33adee412b8ca8ff494b19b72650ae1a29f6dc2f760cc565c53ecb11e60e58
SSDEEP

48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RsANnA7B8mOo4jUx7OtKGc:Z0v4mUWKh9ctgC1RHnKymV44Sh

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Deletes itself 1 IoCs

pid	Process
1252	szgfw.exe

Executes dropped EXE 1 IoCs

pid	Process
1252	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
924	d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe
924	d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1252	924	d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe	28
PID 924 wrote to memory of 1252	924	d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe	28
PID 924 wrote to memory of 1252	924	d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe	28
PID 924 wrote to memory of 1252	924	d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe	28

C:\Users\Admin\AppData\Local\Temp\d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe
"C:\Users\Admin\AppData\Local\Temp\d4123dd9b796ce95f3b89de0b6e1b8a1e7f36184f0a1e11244bae5435ff07baf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
09c8a3abf6737ed8acdc691f600f664c

SHA1
5e36e7a2eb23418998941817a8a5f82e4d84889a

SHA256
cbe2c87808d8d7495f37b6a33086e8bceb216830d147b891d4227e156823a950

SHA512
3a17cd7ebd53970fc1f7f5199de637f3bd0b35808871a295c7e9d4cf0bfa05e111a22f0f9205abe44bde874e27f33aaa89d8bb72d8717915371a3a1fb643ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
09c8a3abf6737ed8acdc691f600f664c

SHA1
5e36e7a2eb23418998941817a8a5f82e4d84889a

SHA256
cbe2c87808d8d7495f37b6a33086e8bceb216830d147b891d4227e156823a950

SHA512
3a17cd7ebd53970fc1f7f5199de637f3bd0b35808871a295c7e9d4cf0bfa05e111a22f0f9205abe44bde874e27f33aaa89d8bb72d8717915371a3a1fb643ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
09c8a3abf6737ed8acdc691f600f664c

SHA1
5e36e7a2eb23418998941817a8a5f82e4d84889a

SHA256
cbe2c87808d8d7495f37b6a33086e8bceb216830d147b891d4227e156823a950

SHA512
3a17cd7ebd53970fc1f7f5199de637f3bd0b35808871a295c7e9d4cf0bfa05e111a22f0f9205abe44bde874e27f33aaa89d8bb72d8717915371a3a1fb643ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
09c8a3abf6737ed8acdc691f600f664c

SHA1
5e36e7a2eb23418998941817a8a5f82e4d84889a

SHA256
cbe2c87808d8d7495f37b6a33086e8bceb216830d147b891d4227e156823a950

SHA512
3a17cd7ebd53970fc1f7f5199de637f3bd0b35808871a295c7e9d4cf0bfa05e111a22f0f9205abe44bde874e27f33aaa89d8bb72d8717915371a3a1fb643ecd8

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
09c8a3abf6737ed8acdc691f600f664c

SHA1
5e36e7a2eb23418998941817a8a5f82e4d84889a

SHA256
cbe2c87808d8d7495f37b6a33086e8bceb216830d147b891d4227e156823a950

SHA512
3a17cd7ebd53970fc1f7f5199de637f3bd0b35808871a295c7e9d4cf0bfa05e111a22f0f9205abe44bde874e27f33aaa89d8bb72d8717915371a3a1fb643ecd8

Download Submit