upatre | cdfc55b7669c20c7260481d3ed3a91a816e18ed3d0f7880802e92e844cd3381f

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17fdbb6078b3b51413213315a781569d.exe
Size

12KB
MD5

17fdbb6078b3b51413213315a781569d
SHA1

ca2b24c3f41863fd6477c63e4345fb7a1131ec7a
SHA256

cdfc55b7669c20c7260481d3ed3a91a816e18ed3d0f7880802e92e844cd3381f
SHA512

5514e4b4245449efca3d2247f0f6a806681562d28eff7e18acdf35ba28d461a1f28aa31a09e32a3bd952ad66e8172460e9541cbdebb73fc67056f7ebb47ae047
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKUAylUmWmQ:v+dAURFxna4QAPQlYghxKUAyl9WmQ

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2008	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	17fdbb6078b3b51413213315a781569d.exe
2220	17fdbb6078b3b51413213315a781569d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2008	2220	17fdbb6078b3b51413213315a781569d.exe	28
PID 2220 wrote to memory of 2008	2220	17fdbb6078b3b51413213315a781569d.exe	28
PID 2220 wrote to memory of 2008	2220	17fdbb6078b3b51413213315a781569d.exe	28
PID 2220 wrote to memory of 2008	2220	17fdbb6078b3b51413213315a781569d.exe	28

C:\Users\Admin\AppData\Local\Temp\17fdbb6078b3b51413213315a781569d.exe
"C:\Users\Admin\AppData\Local\Temp\17fdbb6078b3b51413213315a781569d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
12KB

MD5
7ee0be3a94700d92b6b530b8d3f52f88

SHA1
0260cb433bb157c1b60b388d5c9194612536476c

SHA256
c214de823189b25d3995d3a17c97f0f98f7a742bf763cf31f519b816218262b9

SHA512
25d368490ee00e2f635b3a549058830a9ac5a5f8d2252438f93cafac8fa04a2acc2c9c9b626f1da8096f08e231511642402811211cdcb2ebd884dc00f26b2aa6

Download Submit