upatre | 8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe
Size

65KB
MD5

9ad747d9089ac73c418ca3436ff6822f
SHA1

3117ea00ed5cb6f2dd6510a525f3dd3caef5e334
SHA256

8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6
SHA512

72f9874f4909a09811c11d490aeda8710cb8effc38ba9359ef6a035e48cb3805ce0a83fd67d4587dfa227a385cfc997fa22704025899c1dd920c2bc0a73fc60d
SSDEEP

1536:5Y9jw/dUT62rGdiUOWWrMffJ+AxM+I+ceWgP/Sez:5Y9CUT62/UOVMffJ+AW+I+cw

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2864	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1784	8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe
1784	8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2864	1784	8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe	28
PID 1784 wrote to memory of 2864	1784	8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe	28
PID 1784 wrote to memory of 2864	1784	8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe	28
PID 1784 wrote to memory of 2864	1784	8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe	28

C:\Users\Admin\AppData\Local\Temp\8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe
"C:\Users\Admin\AppData\Local\Temp\8f8103ff4f1d6a3fc4806f5df3172b3f1e98cb4aebbb50e2faa29f2d73aa27a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
66KB

MD5
330dee5fb329bda488aa13748a015013

SHA1
9fe89d3d825b9d1987bf101f1f1dcad38c99e9bd

SHA256
0e2d3f4017797b634d377ca6af85e08a6716d2f089f991f30af8ae8710d943fb

SHA512
3823b6797dede0e53047e3d13cc31003fe9fd89d5f7da7fad19b2938ca3dd63184b07624bccbc1ad134b317535b4659aaa8cc2e9879e76405e2a9743ec264d9b

Download Submit
memory/1784-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1784-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download