upatre | 9dbbf9c16cb8338edb14f349e8f9e688e556f5262bf7c7b3783c65bb396984e6

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
29-11-2023 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62bfda431fb5970c7ef246f90314ed9.exe
Size

63KB
MD5

a62bfda431fb5970c7ef246f90314ed9
SHA1

81b9cffa0a3a69a709b2aa90ecd3acc91f6bdfe4
SHA256

9dbbf9c16cb8338edb14f349e8f9e688e556f5262bf7c7b3783c65bb396984e6
SHA512

104623bf1d9f8c8c782a86b400d551771f15ad0513724d5394679317c3b20b6fcb90d950ff838c1844ea4ef05e025540849ad0a0337f1f4eff8e12d9d42672df
SSDEEP

1536:5Y9jw/dUT62rGdiUOWWrMffJ+AxM+I+ceWgG:5Y9CUT62/UOVMffJ+AW+I+cT

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2444	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	a62bfda431fb5970c7ef246f90314ed9.exe
2364	a62bfda431fb5970c7ef246f90314ed9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2444	2364	a62bfda431fb5970c7ef246f90314ed9.exe	28
PID 2364 wrote to memory of 2444	2364	a62bfda431fb5970c7ef246f90314ed9.exe	28
PID 2364 wrote to memory of 2444	2364	a62bfda431fb5970c7ef246f90314ed9.exe	28
PID 2364 wrote to memory of 2444	2364	a62bfda431fb5970c7ef246f90314ed9.exe	28

C:\Users\Admin\AppData\Local\Temp\a62bfda431fb5970c7ef246f90314ed9.exe
"C:\Users\Admin\AppData\Local\Temp\a62bfda431fb5970c7ef246f90314ed9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
63KB

MD5
36424798166757571abca70cc083bbfe

SHA1
069ea9e26681f7d48d7877624004433dc0b31e1e

SHA256
77f14e2359ad181057e6600c68b3d2611a5e72dd21249bc249f46e1c7726d489

SHA512
b7087dab59eb1cbc3626a1b92708ba2efefb12cf2af62f7efaa81d78728acd0033ff75e13d5358c454996a839a4ce4b041bdd01c52321331b0f5e73f179331ad

Download Submit
memory/2364-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2364-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download