upatre | b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe
Size

34KB
MD5

cb036e13d1523d9fd8d232f393bfb426
SHA1

55a4349ff2a1a8f3b4e7e72a7f90a4e21615ca22
SHA256

b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5
SHA512

b59a8e60a66faf910cdb95a11a80bc1a30507218bece08e9d102ce895ae1df322ffd934846107a1821884213105ae43f5e5a047dd4d9c72bcbda4568bac73fcc
SSDEEP

768:v+qAUVByyyNylXUylqylylmMxgMyXAN5IkSFlOxXmk/oghNMor4wmT3dNjgKjW9q:vNVrklhDur+k7

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
3004	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1368	b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe
1368	b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3004	1368	b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe	28
PID 1368 wrote to memory of 3004	1368	b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe	28
PID 1368 wrote to memory of 3004	1368	b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe	28
PID 1368 wrote to memory of 3004	1368	b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe	28

C:\Users\Admin\AppData\Local\Temp\b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe
"C:\Users\Admin\AppData\Local\Temp\b87ed864ef2b3b378ba54bef2e73827fd66dc865f4124f2e28987ba0349471a5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
35KB

MD5
4bc814fc3057f5c028bc3689c9f1914d

SHA1
6739bdc416d448a72710d050140683bb1800574b

SHA256
360165717e5993dbdc69f3e18228c6f1c1e0219b2139bca9c17253b2bd1f8e07

SHA512
5ac859f2b9516c12f4867984361199e95846b7031b7cf2f99ae316ff83476f50e38624ec4288675f55908b5ee53b79d9aea8e563eced1748449f816575129584

Download Submit