upatre | ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa

Resubmissions

08-03-2024 13:26

240308-qpvsjaga76 10

07-03-2024 23:43

240307-3qy8kaad9v 10

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
Size

40KB
MD5

a73607e431097f1e74130d2bf6c5a2fd
SHA1

7f8f3ad4bd02a46071a0a10f5bba4071a129d5e9
SHA256

ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa
SHA512

60cd69504b583e72c9e392dbcde49eca52b6589ddb0911df9d584521138f187b53ffa9af15e3eb0648e759ed90e589776df3c63cecbab875aa75a15d9cdf98ce
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rPy8Fj6wtVeldaBy6ERb3/kQCjWtBkQhMWG7:GY9jw/dUT62rGdiUOWWra8FcHb3uBWt+

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1340	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
2312	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1340	2312	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	28
PID 2312 wrote to memory of 1340	2312	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	28
PID 2312 wrote to memory of 1340	2312	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	28
PID 2312 wrote to memory of 1340	2312	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	28

C:\Users\Admin\AppData\Local\Temp\ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
"C:\Users\Admin\AppData\Local\Temp\ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
40KB

MD5
70c2c9bc91853a71d36eb8502b73b513

SHA1
02df4804fdbfced0a7454b108391ee68e81c0847

SHA256
3a5bd88d1bbb96a3e4e1dbce115629f6931a30c59f3861bbbd8232aef2f645a1

SHA512
d598d7bf15862e87752fc92971f082ea192a21666b5ab126aa9906b67bb95f14b2ef0bcec7cea3784382e2afd9bb6498630a5b854832bdda5dec889325ce0587

Download Submit
memory/2312-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2312-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download