upatre | 47261709e00ac59fcf67c2ae5ce7de47185f4ee1f370a520cfe030090f48d660

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7232299e2255e8399dff79f545b52f97.exe
Size

135KB
MD5

7232299e2255e8399dff79f545b52f97
SHA1

b4ffd08ed61aec8ae446c5423a53964874f03053
SHA256

47261709e00ac59fcf67c2ae5ce7de47185f4ee1f370a520cfe030090f48d660
SHA512

bdc55d07ac4c568c83376f9f349b98f87d25f48616397daafb77b3a56e6b689e7c7cf1c875559c100d071919aae5c6546746a7351220545b1c2030804a6ea33d
SSDEEP

3072:tY9CUT62/UOVMgJsgJMgJogJwgJ0zqgJ01J3RgJ01JygJ01JK8gJ01JK2gJ01JK8:tY9C8QyFJlJFJRJZJqJyJ3CJyJbJyJWs

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2972	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	7232299e2255e8399dff79f545b52f97.exe
1960	7232299e2255e8399dff79f545b52f97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2972	1960	7232299e2255e8399dff79f545b52f97.exe	28
PID 1960 wrote to memory of 2972	1960	7232299e2255e8399dff79f545b52f97.exe	28
PID 1960 wrote to memory of 2972	1960	7232299e2255e8399dff79f545b52f97.exe	28
PID 1960 wrote to memory of 2972	1960	7232299e2255e8399dff79f545b52f97.exe	28

C:\Users\Admin\AppData\Local\Temp\7232299e2255e8399dff79f545b52f97.exe
"C:\Users\Admin\AppData\Local\Temp\7232299e2255e8399dff79f545b52f97.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
20KB

MD5
d7f85fcb16e80e5bb3358770ab84f584

SHA1
0e496fdd010c534278796f96f9a37e5c728872ec

SHA256
3f88d2581ea8e8f52575a1397a7b8663583a2825285a1e2a2f2ad21ce8ac8bb8

SHA512
f2092a567427e4ff5a2782d639f815c2716a0012b9b595ecc41421022a53054dc85cdd3a938581d532237ee493df243e0f05df75a742be37aaf04c8a26f93e5f

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
17KB

MD5
9e4051da88054dc5e930243c2c0cd1d7

SHA1
5bca2f22439cd71d68cc862279c427f321e75c88

SHA256
b4e01759d6d4cef739119bc1a84cb8cfe1f457a97aab719bf08f44b7a38804e1

SHA512
ad39b57762abcf7c6cba0f63c3ebf59985c8ef61a5e28c19f99aabeaa4d82d14633ff5c6b6473fa3894fb2c3b25e1d7577cc20b7dce76cd1ad4807d48cfc2253

Download Submit
memory/1960-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1960-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1960-12-0x0000000003380000-0x00000000033A6000-memory.dmp

Filesize
152KB

Download
memory/1960-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2972-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download