upatre | d94711e06770fc56485e14061b63d21184a0a3c4677ad25d28c1485133328015

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bbd1a1ffaab13b7d54822fbd0087d68.exe
Size

11KB
MD5

1bbd1a1ffaab13b7d54822fbd0087d68
SHA1

0301d2b6539d6725e8bd069183a95d3e0336e4e7
SHA256

d94711e06770fc56485e14061b63d21184a0a3c4677ad25d28c1485133328015
SHA512

3990a72ceb7165debb86266035dd3f0aa6db504bc550bb2c2a5507684c4c30880ba83d1a57a2cdf70ff03b88b85cbd71ca5c5b19369191ffc7736d87b1b2d33c
SSDEEP

192:9mUWKs/gonKfzSh8cjPUN1DFpIWpoqZy2u2LTsd4p9gX+yHjqcz4lBUCLXBAm2SA:6K+ggKfzQ8YPUN1DFGWmqo2uQ/DguiLf

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2632	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1544	1bbd1a1ffaab13b7d54822fbd0087d68.exe
1544	1bbd1a1ffaab13b7d54822fbd0087d68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2632	1544	1bbd1a1ffaab13b7d54822fbd0087d68.exe	28
PID 1544 wrote to memory of 2632	1544	1bbd1a1ffaab13b7d54822fbd0087d68.exe	28
PID 1544 wrote to memory of 2632	1544	1bbd1a1ffaab13b7d54822fbd0087d68.exe	28
PID 1544 wrote to memory of 2632	1544	1bbd1a1ffaab13b7d54822fbd0087d68.exe	28

C:\Users\Admin\AppData\Local\Temp\1bbd1a1ffaab13b7d54822fbd0087d68.exe
"C:\Users\Admin\AppData\Local\Temp\1bbd1a1ffaab13b7d54822fbd0087d68.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
12KB

MD5
e1fcca6b74f34b534563e3dd6a1e1f32

SHA1
7403117422bf59dce5dc5418e5d5229f211d0cd1

SHA256
bb0b59c4f2c725d9d54ed0cdc733f3758006975b86320e3151ab81d2c02da110

SHA512
456676814045d0fb0cc1e6620b4c9488a93458da2c462defaaf7db41ec642c3f258236bcdbd5aa682fde51183c2f2aee586ef7ed26c066735a276cfbc61bed64

Download Submit