Overview

overview

10

Static

static

3

275e0eec07...14.exe

windows7-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2024 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe

  • Size

    11KB

  • MD5

    cfb689cffbeca7ceaffdac627b209c13

  • SHA1

    7d37df83a837496f45a8b85f0a37ca3c9a8236c3

  • SHA256

    275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14

  • SHA512

    9ca4726f84cfb592295c6da066c13eb89ba8dfc4c6fcc71aea16af26cc3d236c095a801833aa115e978581376aa8e68254520ce5ede30dcd835ad7a5dbc7b35b

  • SSDEEP

    192:9mUWKs/RnKfzShH/JFxRmyja4QhiP7UlZSyGjpjWD7jqPlyjGwQ:6K+dKfzQHxFxRmyja4QhiP7UlY/pjK7W

Score
10/10
upatrediscoverydownloader

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

    downloaderupatre
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 49 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe
    "C:\Users\Admin\AppData\Local\Temp\275e0eec0743473456e95b590997945f76fad722bff15c2cd43bc2bb8a613c14.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2756
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    11KB

    MD5

    83eb82d88c202e91e54330e39ddb0204

    SHA1

    297ae7928fabcfdc5df4cb157f1015bea78e0698

    SHA256

    4324fc6ca1d3cd7a73f1331e12364cf911f3cbf5636143b600deb2968dbea94d

    SHA512

    522f410d38fb6af7368f36b857142eac38194b2fd4581e5a1868f4e8ba4226bd506ff0c6e670ac1a68ccec2d83231abc5f7a56f0bde14dd9d933cb923caa6d50

    Download Submit

  • memory/2564-10-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2564-11-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2564-12-0x00000000023A0000-0x00000000023B0000-memory.dmp

    Filesize

    64KB

    Download