upatre | 9d43a35f0cd9895f57400039809336576b28f6e6ca254a610b54c69d4359cc49

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01-10-2023 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

297fa15a2b77de7d4391c677266cb4df_JC.exe
Size

130KB
MD5

297fa15a2b77de7d4391c677266cb4df
SHA1

97f0cadd4a3b180ab36a7e25cb44a707afe0caa5
SHA256

9d43a35f0cd9895f57400039809336576b28f6e6ca254a610b54c69d4359cc49
SHA512

08d8f86895ca33c4893060ca9738824d95e97dd56b4dfbff4e2bbd641b52586237e6d7f824c88bd0a1dc4ed8dc7c99120a388acd9094a6a6639625564343e540
SSDEEP

3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JKA:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJWw

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1344	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	297fa15a2b77de7d4391c677266cb4df_JC.exe
1904	297fa15a2b77de7d4391c677266cb4df_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1344	1904	297fa15a2b77de7d4391c677266cb4df_JC.exe	28
PID 1904 wrote to memory of 1344	1904	297fa15a2b77de7d4391c677266cb4df_JC.exe	28
PID 1904 wrote to memory of 1344	1904	297fa15a2b77de7d4391c677266cb4df_JC.exe	28
PID 1904 wrote to memory of 1344	1904	297fa15a2b77de7d4391c677266cb4df_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\297fa15a2b77de7d4391c677266cb4df_JC.exe
"C:\Users\Admin\AppData\Local\Temp\297fa15a2b77de7d4391c677266cb4df_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
bdac5013abe625c24a677d73853852db

SHA1
9349b3d9b8c45738f2873c185165b16708060330

SHA256
ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

SHA512
536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
bdac5013abe625c24a677d73853852db

SHA1
9349b3d9b8c45738f2873c185165b16708060330

SHA256
ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

SHA512
536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
bdac5013abe625c24a677d73853852db

SHA1
9349b3d9b8c45738f2873c185165b16708060330

SHA256
ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

SHA512
536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
bdac5013abe625c24a677d73853852db

SHA1
9349b3d9b8c45738f2873c185165b16708060330

SHA256
ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

SHA512
536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
bdac5013abe625c24a677d73853852db

SHA1
9349b3d9b8c45738f2873c185165b16708060330

SHA256
ac8a5f0d3172746eebe423ffa9b97325ee2dbd2bb05684c15156e7bbe0756714

SHA512
536c297b413a78fc22207f674d2a6e64ca968a40e1fa623a420f101f277895e60b5a1b45cce23308ec5d177a0590c1a2d086f52e1f62b3a00cbee88045827a6b

Download Submit
memory/1344-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1904-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1904-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1904-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download