upatre | 25b43df44432900f2a1239d986d19d48e6730adf2a1a68cd38a76e8596d1727c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e7a567a7bb170154c22a1278c1820a6.exe
Size

39KB
MD5

3e7a567a7bb170154c22a1278c1820a6
SHA1

8a8e810bab4bdfa7668fd1034ebb49a8f4a7edbb
SHA256

25b43df44432900f2a1239d986d19d48e6730adf2a1a68cd38a76e8596d1727c
SHA512

e46eb262d1075b3e018cee51ee22daf58216cdae5f3153b86c1631113c2a79ff185e345b35eb9ec496244881ae4b7df6fdd4a98876544c63c608bcce356b8584
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rh95k5bNITnJy/rQIAWPQ:GY9jw/dUT62rGdiUOWWrNmBsr

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid	Process
2332	szgfw.exe

Loads dropped DLL 2 IoCs

Processes:

3e7a567a7bb170154c22a1278c1820a6.exe

pid	Process
1676	3e7a567a7bb170154c22a1278c1820a6.exe
1676	3e7a567a7bb170154c22a1278c1820a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3e7a567a7bb170154c22a1278c1820a6.exe

description	pid	Process	procid_target
PID 1676 wrote to memory of 2332	1676	3e7a567a7bb170154c22a1278c1820a6.exe	28
PID 1676 wrote to memory of 2332	1676	3e7a567a7bb170154c22a1278c1820a6.exe	28
PID 1676 wrote to memory of 2332	1676	3e7a567a7bb170154c22a1278c1820a6.exe	28
PID 1676 wrote to memory of 2332	1676	3e7a567a7bb170154c22a1278c1820a6.exe	28

C:\Users\Admin\AppData\Local\Temp\3e7a567a7bb170154c22a1278c1820a6.exe
"C:\Users\Admin\AppData\Local\Temp\3e7a567a7bb170154c22a1278c1820a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
39KB

MD5
eb6b5ae4f6089ff089b0800773695ed3

SHA1
fa310a493f4453b9d5fd3bfcf51568adde2e02e0

SHA256
876134cd1d041935eaafda927de8cadb3b74a3373f986756b48b218ade2f59b7

SHA512
c154c7c061ba5e83cf106e54d27e76f05f1e97d63cd930bcc0b797e8566c29c75f42577f1ac54b6185855f42aa9edfcab3be60bbedf031fe320c69bbec727b48

Download Submit
memory/1676-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1676-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download