upatre | 38e1a29c7a3fae493b745ebf1f5b66a926a99550b23fe7f1c210ee1eccfdae2a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82592d3a83f32ce7b85dd5ead270f8d2.exe
Size

13KB
MD5

82592d3a83f32ce7b85dd5ead270f8d2
SHA1

32b3da33cbeb617332ad2a5731340ed0e0d408d1
SHA256

38e1a29c7a3fae493b745ebf1f5b66a926a99550b23fe7f1c210ee1eccfdae2a
SHA512

b488ff43f61d94e47607c2c7d851f76d8b4923b388394679a856039032841dead64256efe7910ce0d3e3a6921e479a683199297462bd0be1012aeee9eb79c55f
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7aylryyylQlylW/lyyyyyQ:v+dAURFxna4QAPQlYg7aylryyylQlylC

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2184	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	82592d3a83f32ce7b85dd5ead270f8d2.exe
2336	82592d3a83f32ce7b85dd5ead270f8d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2184	2336	82592d3a83f32ce7b85dd5ead270f8d2.exe	28
PID 2336 wrote to memory of 2184	2336	82592d3a83f32ce7b85dd5ead270f8d2.exe	28
PID 2336 wrote to memory of 2184	2336	82592d3a83f32ce7b85dd5ead270f8d2.exe	28
PID 2336 wrote to memory of 2184	2336	82592d3a83f32ce7b85dd5ead270f8d2.exe	28

C:\Users\Admin\AppData\Local\Temp\82592d3a83f32ce7b85dd5ead270f8d2.exe
"C:\Users\Admin\AppData\Local\Temp\82592d3a83f32ce7b85dd5ead270f8d2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
13KB

MD5
2cd3dba4b6f5e3bb2af755b71ea9c924

SHA1
fe880709425eb65c9250a03722dfe7dcdccd8f1a

SHA256
13fead3786e0c4d4b8137c6d3dea7061ed9a22c3f8fcc6d17ffdfce2673ff35e

SHA512
d0e2fbfc4a3af95edebb374d47f8c887fef6a42144281e5ebdeb7558d705a835d25f4e4e7e8cfd53965cd9e273daf21bcb3f348837f4bea37e9cc346897d6c2d

Download Submit