Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2024 07:54

General

  • Target

    c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe

  • Size

    13KB

  • MD5

    335c88456648790ac95362c50db3f8dc

  • SHA1

    27a28742a7cd5fd5be1400ca2cd307cfbe3d6eac

  • SHA256

    c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb

  • SHA512

    ba193d4481e3dcbd86a27a10968b8abe126110a230293d488e22e8274f72c89e39a33e076179d6704ee7bdb1b6a0ff51ecadc087ae876b3d2437aa5adb81a933

  • SSDEEP

    384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKhYsKUAylUmWmtsb:v+dAURFxna4QAPQlYghxKUAyl9Wm4

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

  • Upatre family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe
    "C:\Users\Admin\AppData\Local\Temp\c7f81d6b54477b269f2dc29344bd56b95ffed1f445a0f5bf5999ad265b238efb.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\szgfw.exe

    Filesize

    13KB

    MD5

    ad6588a0dc48253f9ca7d58060cb0295

    SHA1

    e0830cd21fbe40d36efb8eb5b0eb5187a17b4396

    SHA256

    d126932445fb0039eae7ec5b26dbdbaa3fe921ce3c8382f34fee81fbff713ec7

    SHA512

    b6c0128b57f5246c17315d809a7ff7523a4f13575ecb42c42501cd3d9fb7fb478f37cd2484dc8dff7de36f78b544d6d28fc57a473c82dbeb6cb4e0e33115aecc