upatre | 7b86ea500733e39559f8a8c49d1ffc6f746f3f04d60c8093d97786576c585931

Analysis

max time kernel
152s
max time network
131s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d1e442cec42c13475ea558655d79c9c0.exe
Size

33KB
MD5

d1e442cec42c13475ea558655d79c9c0
SHA1

db6fe1c6e0aa00e1a609626a88ade4aa00c11c04
SHA256

7b86ea500733e39559f8a8c49d1ffc6f746f3f04d60c8093d97786576c585931
SHA512

5e2103d5dc310e608ccab4e2e132f5ec9c5ee6bcb6deaed6e67d66fc66abc314750f08aebe156ac8065acc015cfc88f69728f16eb97feae1a42b82e81951347e
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rPy8FQqDTQ:GY9jw/dUT62rGdiUOWWra8FQn

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1380	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1460	NEAS.d1e442cec42c13475ea558655d79c9c0.exe
1460	NEAS.d1e442cec42c13475ea558655d79c9c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1380	1460	NEAS.d1e442cec42c13475ea558655d79c9c0.exe	28
PID 1460 wrote to memory of 1380	1460	NEAS.d1e442cec42c13475ea558655d79c9c0.exe	28
PID 1460 wrote to memory of 1380	1460	NEAS.d1e442cec42c13475ea558655d79c9c0.exe	28
PID 1460 wrote to memory of 1380	1460	NEAS.d1e442cec42c13475ea558655d79c9c0.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.d1e442cec42c13475ea558655d79c9c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d1e442cec42c13475ea558655d79c9c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
33KB

MD5
22d36cd6667a248a516d865d1f846954

SHA1
b82818b4f102019d8d3d83b58f360b24c28fd7ff

SHA256
9dd73abf591d385bb972a7cb74ed0456e83eab06cd4b28d355e7bbe303805cd0

SHA512
153d3a9f0d7f3791c13ca8ac6ee62dd300a6369595c50e19c7168ecfe6c8833f03303d47d66e89ba0ae08d4ab7d22415d41dddc6d1e6b5c142faa3f3fb6c609a

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
33KB

MD5
22d36cd6667a248a516d865d1f846954

SHA1
b82818b4f102019d8d3d83b58f360b24c28fd7ff

SHA256
9dd73abf591d385bb972a7cb74ed0456e83eab06cd4b28d355e7bbe303805cd0

SHA512
153d3a9f0d7f3791c13ca8ac6ee62dd300a6369595c50e19c7168ecfe6c8833f03303d47d66e89ba0ae08d4ab7d22415d41dddc6d1e6b5c142faa3f3fb6c609a

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
33KB

MD5
22d36cd6667a248a516d865d1f846954

SHA1
b82818b4f102019d8d3d83b58f360b24c28fd7ff

SHA256
9dd73abf591d385bb972a7cb74ed0456e83eab06cd4b28d355e7bbe303805cd0

SHA512
153d3a9f0d7f3791c13ca8ac6ee62dd300a6369595c50e19c7168ecfe6c8833f03303d47d66e89ba0ae08d4ab7d22415d41dddc6d1e6b5c142faa3f3fb6c609a

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
33KB

MD5
22d36cd6667a248a516d865d1f846954

SHA1
b82818b4f102019d8d3d83b58f360b24c28fd7ff

SHA256
9dd73abf591d385bb972a7cb74ed0456e83eab06cd4b28d355e7bbe303805cd0

SHA512
153d3a9f0d7f3791c13ca8ac6ee62dd300a6369595c50e19c7168ecfe6c8833f03303d47d66e89ba0ae08d4ab7d22415d41dddc6d1e6b5c142faa3f3fb6c609a

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
33KB

MD5
22d36cd6667a248a516d865d1f846954

SHA1
b82818b4f102019d8d3d83b58f360b24c28fd7ff

SHA256
9dd73abf591d385bb972a7cb74ed0456e83eab06cd4b28d355e7bbe303805cd0

SHA512
153d3a9f0d7f3791c13ca8ac6ee62dd300a6369595c50e19c7168ecfe6c8833f03303d47d66e89ba0ae08d4ab7d22415d41dddc6d1e6b5c142faa3f3fb6c609a

Download Submit
memory/1460-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1460-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download