upatre | a0eaab26f23b7b15963b01ac89ff3e5c79d90cab54f8d986e20b64cfab1da081

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe
Size

130KB
MD5

55c6bc0fcf1273e5bd775d923a5af154
SHA1

3576a15b10efe2629f20163464dfdca1484e70d1
SHA256

a0eaab26f23b7b15963b01ac89ff3e5c79d90cab54f8d986e20b64cfab1da081
SHA512

ca27591219fd3a50308321e1f3f339ec26d75f7b6ec9dcd79a1c3d7b62545d84d90e708f89191740bfc1cd7819c25c50893142d28386fda645383a740260f058
SSDEEP

3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JKM:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJWc

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2144	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe
2016	NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2144	2016	NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe	28
PID 2016 wrote to memory of 2144	2016	NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe	28
PID 2016 wrote to memory of 2144	2016	NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe	28
PID 2016 wrote to memory of 2144	2016	NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.55c6bc0fcf1273e5bd775d923a5af154_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
3e0a242f9156da377df609fed9762f5d

SHA1
b498331c49257c69be5f6f9cab03e7f368674e09

SHA256
0b1f16f68021d93cb0bef56d202878e20570c54b5f5304573f9ea7013e1cf9f3

SHA512
7136666357dd859f7755a809392cb11122ef5a85197f7575bfe9e593e44452724d8c66a8165c6990ba1a57ff0097efca70ab1e687326f7122931ebd402842d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
3e0a242f9156da377df609fed9762f5d

SHA1
b498331c49257c69be5f6f9cab03e7f368674e09

SHA256
0b1f16f68021d93cb0bef56d202878e20570c54b5f5304573f9ea7013e1cf9f3

SHA512
7136666357dd859f7755a809392cb11122ef5a85197f7575bfe9e593e44452724d8c66a8165c6990ba1a57ff0097efca70ab1e687326f7122931ebd402842d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
3e0a242f9156da377df609fed9762f5d

SHA1
b498331c49257c69be5f6f9cab03e7f368674e09

SHA256
0b1f16f68021d93cb0bef56d202878e20570c54b5f5304573f9ea7013e1cf9f3

SHA512
7136666357dd859f7755a809392cb11122ef5a85197f7575bfe9e593e44452724d8c66a8165c6990ba1a57ff0097efca70ab1e687326f7122931ebd402842d23

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
3e0a242f9156da377df609fed9762f5d

SHA1
b498331c49257c69be5f6f9cab03e7f368674e09

SHA256
0b1f16f68021d93cb0bef56d202878e20570c54b5f5304573f9ea7013e1cf9f3

SHA512
7136666357dd859f7755a809392cb11122ef5a85197f7575bfe9e593e44452724d8c66a8165c6990ba1a57ff0097efca70ab1e687326f7122931ebd402842d23

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
3e0a242f9156da377df609fed9762f5d

SHA1
b498331c49257c69be5f6f9cab03e7f368674e09

SHA256
0b1f16f68021d93cb0bef56d202878e20570c54b5f5304573f9ea7013e1cf9f3

SHA512
7136666357dd859f7755a809392cb11122ef5a85197f7575bfe9e593e44452724d8c66a8165c6990ba1a57ff0097efca70ab1e687326f7122931ebd402842d23

Download Submit
memory/2016-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2016-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2016-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2144-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download