upatre | 328524d05f66792df30101dadf686b6e084db46e9b697cc87121c871982611dd

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445d450e5f3e20c26aa598f1aaf9bc22.exe
Size

77KB
MD5

445d450e5f3e20c26aa598f1aaf9bc22
SHA1

46b7d716e54ee6921c352bbc302c986996882dd8
SHA256

328524d05f66792df30101dadf686b6e084db46e9b697cc87121c871982611dd
SHA512

485146efd11b38c06bd3045e16a9518bac98f33a3a3bd62e38ca739a4a6e5bc6d5d5661601c9053da6356e2b09d8545257c4f50699bd4d43c19e1fe84add426b
SSDEEP

1536:vCWDKUlsCZD1mh8txVQnlRIFYK4Ncp1wDLqHE:6hjTOE

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2448	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	445d450e5f3e20c26aa598f1aaf9bc22.exe
2436	445d450e5f3e20c26aa598f1aaf9bc22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2448	2436	445d450e5f3e20c26aa598f1aaf9bc22.exe	28
PID 2436 wrote to memory of 2448	2436	445d450e5f3e20c26aa598f1aaf9bc22.exe	28
PID 2436 wrote to memory of 2448	2436	445d450e5f3e20c26aa598f1aaf9bc22.exe	28
PID 2436 wrote to memory of 2448	2436	445d450e5f3e20c26aa598f1aaf9bc22.exe	28

C:\Users\Admin\AppData\Local\Temp\445d450e5f3e20c26aa598f1aaf9bc22.exe
"C:\Users\Admin\AppData\Local\Temp\445d450e5f3e20c26aa598f1aaf9bc22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
77KB

MD5
f7958cc4f7365f206bbb1253e0c1985e

SHA1
305f87a4abdbaf9d4b15608faee34a778c600c17

SHA256
342906cfa30481896a48caf809727efbfb171657f706be280967b55480cbede5

SHA512
f9391cf148eed30e60593c3ba8eaf5a9f0ac4832244141c50b4aaac7624ce8f234f89a3755dd88da6f174d9823a78c944278ef916d13c6fdd51a690f7b3b0b12

Download Submit