upatre | 1d36240d8f2b011b25d8bf4f905ce31416f18139081aa43841bde842de7a5664

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e2631edbe5181b7cf199f28621de8a5.exe
Size

11KB
MD5

7e2631edbe5181b7cf199f28621de8a5
SHA1

6bc2d1e2814981e484ea8043dab47a8774df6696
SHA256

1d36240d8f2b011b25d8bf4f905ce31416f18139081aa43841bde842de7a5664
SHA512

63d74669c2bc40bc15f60a17c29bca518c4cf5cd33547c29292312ddb5ca6f03d8af1b94826c66eaa668a485ac72ddd5b91806a6182b752d5cb531c2e36bcbd7
SSDEEP

192:9mUWKs/RnKfzShH/JFxRmyja4QhiP7UlZSyGjpjWDkDb5HBQ:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKkA

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2892	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	7e2631edbe5181b7cf199f28621de8a5.exe
1996	7e2631edbe5181b7cf199f28621de8a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2892	1996	7e2631edbe5181b7cf199f28621de8a5.exe	28
PID 1996 wrote to memory of 2892	1996	7e2631edbe5181b7cf199f28621de8a5.exe	28
PID 1996 wrote to memory of 2892	1996	7e2631edbe5181b7cf199f28621de8a5.exe	28
PID 1996 wrote to memory of 2892	1996	7e2631edbe5181b7cf199f28621de8a5.exe	28

C:\Users\Admin\AppData\Local\Temp\7e2631edbe5181b7cf199f28621de8a5.exe
"C:\Users\Admin\AppData\Local\Temp\7e2631edbe5181b7cf199f28621de8a5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
11KB

MD5
642c263a51c88b023d87350e6ff2a35f

SHA1
000a5ffae414d06fd9ad57ccc0a4f41953232140

SHA256
8b7831739f52e2fb260c4b6c004078bf2350190b08c65c9553adc8821b182131

SHA512
ac48095cbdb76764528952a44d685a4ee4e216f9feda5a3a78439d91ca3eb572240614e8b749b6d740fa4bb4b2c0ff2fe8aaf3ad63c08928952f34519099c877

Download Submit