upatre | 0161d78d705eb5f4dbe560041955ce9fa757b65a6331bf53226d467ac90b4603

Analysis

max time kernel
161s
max time network
144s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
10-11-2023 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ea55726f0329030149bf72fcf70342bd.exe
Size

130KB
MD5

ea55726f0329030149bf72fcf70342bd
SHA1

92402935d44498e943f9da28767e1abc08d9ac23
SHA256

0161d78d705eb5f4dbe560041955ce9fa757b65a6331bf53226d467ac90b4603
SHA512

e6d73b1ecde21c3015b90aa964b46208e50f1050e4962707c9a420dc077d56e4c893c7f3237013db0a14012e48f45368b22f9c9e0edff2c6a24bc4c94d54732b
SSDEEP

3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JKz:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJWD

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2776	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	NEAS.ea55726f0329030149bf72fcf70342bd.exe
2196	NEAS.ea55726f0329030149bf72fcf70342bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2776	2196	NEAS.ea55726f0329030149bf72fcf70342bd.exe	29
PID 2196 wrote to memory of 2776	2196	NEAS.ea55726f0329030149bf72fcf70342bd.exe	29
PID 2196 wrote to memory of 2776	2196	NEAS.ea55726f0329030149bf72fcf70342bd.exe	29
PID 2196 wrote to memory of 2776	2196	NEAS.ea55726f0329030149bf72fcf70342bd.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.ea55726f0329030149bf72fcf70342bd.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ea55726f0329030149bf72fcf70342bd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
43231c49d2dac927741ddc613c94cb29

SHA1
f66e141973124cf50a265405cf1a25853fca572d

SHA256
ddc1c46a68765063f6bd092e81b6b889b601e636a0944b3d25c9ca48f453170f

SHA512
f96d0254df74a086dfcb8f4d968aea01838a347b516a2b8b6a3c6f17f92ccaa18723db0e771a5ed20bb37555544fdcd5d480deeb2e72e5d6ef82e89cf357d301

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
43231c49d2dac927741ddc613c94cb29

SHA1
f66e141973124cf50a265405cf1a25853fca572d

SHA256
ddc1c46a68765063f6bd092e81b6b889b601e636a0944b3d25c9ca48f453170f

SHA512
f96d0254df74a086dfcb8f4d968aea01838a347b516a2b8b6a3c6f17f92ccaa18723db0e771a5ed20bb37555544fdcd5d480deeb2e72e5d6ef82e89cf357d301

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
43231c49d2dac927741ddc613c94cb29

SHA1
f66e141973124cf50a265405cf1a25853fca572d

SHA256
ddc1c46a68765063f6bd092e81b6b889b601e636a0944b3d25c9ca48f453170f

SHA512
f96d0254df74a086dfcb8f4d968aea01838a347b516a2b8b6a3c6f17f92ccaa18723db0e771a5ed20bb37555544fdcd5d480deeb2e72e5d6ef82e89cf357d301

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
43231c49d2dac927741ddc613c94cb29

SHA1
f66e141973124cf50a265405cf1a25853fca572d

SHA256
ddc1c46a68765063f6bd092e81b6b889b601e636a0944b3d25c9ca48f453170f

SHA512
f96d0254df74a086dfcb8f4d968aea01838a347b516a2b8b6a3c6f17f92ccaa18723db0e771a5ed20bb37555544fdcd5d480deeb2e72e5d6ef82e89cf357d301

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
130KB

MD5
43231c49d2dac927741ddc613c94cb29

SHA1
f66e141973124cf50a265405cf1a25853fca572d

SHA256
ddc1c46a68765063f6bd092e81b6b889b601e636a0944b3d25c9ca48f453170f

SHA512
f96d0254df74a086dfcb8f4d968aea01838a347b516a2b8b6a3c6f17f92ccaa18723db0e771a5ed20bb37555544fdcd5d480deeb2e72e5d6ef82e89cf357d301

Download Submit
memory/2196-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2196-2-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2196-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2196-12-0x00000000030F0000-0x0000000003116000-memory.dmp

Filesize
152KB

Download
memory/2776-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download