upatre | 6442fd754368fc641c9eff6e16e95b0646152f80e384b9f150ba2b01415a75ad

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb80817e08f490ebfa47bba6337796a.exe
Size

12KB
MD5

1fb80817e08f490ebfa47bba6337796a
SHA1

6d37a111928a0749847497b2ddf73b4255e3a2f2
SHA256

6442fd754368fc641c9eff6e16e95b0646152f80e384b9f150ba2b01415a75ad
SHA512

370bca056296904993966b4d12668f146063f19e273b18e7c7ba16c74aa93517458754b334de0d77e39784604db03f4c0317f3e1ecabee0569abdcd39c5bdd82
SSDEEP

384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKkyyl7n9m:v+dAURFxna4QAPQlYghxKkyyl7no

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2216	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	1fb80817e08f490ebfa47bba6337796a.exe
2248	1fb80817e08f490ebfa47bba6337796a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2216	2248	1fb80817e08f490ebfa47bba6337796a.exe	17
PID 2248 wrote to memory of 2216	2248	1fb80817e08f490ebfa47bba6337796a.exe	17
PID 2248 wrote to memory of 2216	2248	1fb80817e08f490ebfa47bba6337796a.exe	17
PID 2248 wrote to memory of 2216	2248	1fb80817e08f490ebfa47bba6337796a.exe	17

C:\Users\Admin\AppData\Local\Temp\1fb80817e08f490ebfa47bba6337796a.exe
"C:\Users\Admin\AppData\Local\Temp\1fb80817e08f490ebfa47bba6337796a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
12KB

MD5
9261df9e10b9a79fd03c8655479d8915

SHA1
7056135dc3d1c56fbeb9226ca3eea8fc82926fb9

SHA256
afeb21e41dd37ff74464f7bc76857089dcf9c5df1f53f2468ab531a03a9d97d6

SHA512
240344c6d4c6b8f37b47ddbaab097356b2c0f31079df36fcdb0a44faa06b92d39edb422fc8e264dba521a805ab8a66f017c46ad200c1117e80ca072bcde8a9e3

Download Submit