upatre | e3089705b373298bd3341e47b64afd4fb280ebd6bd93946e0a5dcfd895093fb2

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 01:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe
Size

42KB
MD5

5ca3f16021f308c9698481798878b4fa
SHA1

7bfb8f3591dd25cb450057b316c878f82840607f
SHA256

7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0
SHA512

38439251d46f851a7a23b16c039f536a5019768e9d7a26d0f379d3b8ca74361bbc66060b3b7c4470d9d364e0fd6283a080e00156a5568d152bfb91fecc602313
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rCBsPGTWikRyyyxOJyyyylqD7Q:GY9jw/dUT62rGdiUOWWrC6P6Ts

Score

10^/10

upatre discovery downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2744	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe
2416	7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2744	2416	7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe	30
PID 2416 wrote to memory of 2744	2416	7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe	30
PID 2416 wrote to memory of 2744	2416	7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe	30
PID 2416 wrote to memory of 2744	2416	7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe	30

C:\Users\Admin\AppData\Local\Temp\7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe
"C:\Users\Admin\AppData\Local\Temp\7327d8a6011b4fe417c8232e3481688a27accd88cec9a4f217de9bcdbba8c0d0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
42KB

MD5
37401d42ac5e08afacf5fd7d625ec9c7

SHA1
e334112254816dbeff0b80a945714b2232c4a1c4

SHA256
567cdb190bd7b78603c4c9a488f1f9fa80dd7c59c419a758de22dcca8e91c80e

SHA512
e5870759087dd8e9cd3b9c63965b0480b278638a1237fe8de7152aa0247ff7d3437da0257d5f966c195f77f4cbbabd2ec0d7ce847fb18bf720f62d76df7a0309

Download Submit
memory/2416-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2416-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2744-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download