upatre | 96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe
Size

4KB
MD5

05073e5c1babb45031e99c0a17b5f819
SHA1

c88b477beac62c0724b0e296af85db5ccd8d79ff
SHA256

96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2
SHA512

fc925d61b6a8a6a1a9d89a709ce82c6e1d18b3ce5eea39f211b970cf06eacb03f98ebc9be2b2786ed5e2e9c43abfa1b2c3dc012c8e261da22bc5d4f97af36cef
SSDEEP

48:Zdni+Wyi18DN0nCvTaE6nc9fhXcGEY3sJd9ga91RsuYnA7B8mOo4jUx7OtKGc:Z0v4mUWKh9ctgC1R3YnKymV44Sh

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Deletes itself 1 IoCs

pid	Process
2240	szgfw.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe
2768	96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2240	2768	96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe	28
PID 2768 wrote to memory of 2240	2768	96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe	28
PID 2768 wrote to memory of 2240	2768	96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe	28
PID 2768 wrote to memory of 2240	2768	96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe	28

C:\Users\Admin\AppData\Local\Temp\96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe
"C:\Users\Admin\AppData\Local\Temp\96617a64af06e3bbddf86c904e5835e645ef0f1e35ee7bfdcf87664f0d5956a2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
4KB

MD5
6d9b6b031c0c25bf1c69d17306ce22c4

SHA1
6c07cd8bca8813dcf65c47630a8b93a30affb686

SHA256
a9c5619b44887a88e68d03f6dee5751e2c142f345216a9731e331fe71fb9fd69

SHA512
1fe925021cbc42e95fd83680aa53e896973434d593b1554b0a2a537dcd214ad5468020153f426bf7da444b40d1c99de0280811e60138c30477f35c1d70744e8b

Download Submit