Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 12:12
Static task
- static1
Behavioral task
- behavioral1
  Sample: 8b32579f300e50686f34123cdaba344e.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 8b32579f300e50686f34123cdaba344e.exe
  Resource: win10v2004-20231215-en
General
- Target: 8b32579f300e50686f34123cdaba344e.exe
- Size: 12KB
- MD5: 8b32579f300e50686f34123cdaba344e
- SHA1: f52cc319b24dcc82a509f662e2e7c57598c3caad
- SHA256: dd89acf6a917c09c6cadd2a9f6ce1d2b26c8524664da43f95bf7e7db37340ce0
- SHA512: 53073855c5cf2a87ef77a585b416ef8b296a42ca1f5a47afe06297eef78bb8198081a5ce04a906e3a1167186620ba33ecbadead943219d1f4bc817d654e30cf1
- SSDEEP: 384:6K+dKfzQHxFxRmyja4QhiP7UlY/pjKkFlplVDuyk:v+dAURFxna4QAPQlYgkFlplVDuyk
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    1624  szgfw.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1940  8b32579f300e50686f34123cdaba344e.exe
    1940  8b32579f300e50686f34123cdaba344e.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 1940 wrote to memory of 1624 | 1940 | 8b32579f300e50686f34123cdaba344e.exe | szgfw.exe
    PID 1940 wrote to memory of 1624 | 1940 | 8b32579f300e50686f34123cdaba344e.exe | szgfw.exe
    PID 1940 wrote to memory of 1624 | 1940 | 8b32579f300e50686f34123cdaba344e.exe | szgfw.exe
    PID 1940 wrote to memory of 1624 | 1940 | 8b32579f300e50686f34123cdaba344e.exe | szgfw.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8b32579f300e50686f34123cdaba344e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b32579f300e50686f34123cdaba344e.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\szgfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
    Depth: 2
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- \Users\Admin\AppData\Local\Temp\szgfw.exe
  Filesize: 12KB
  MD5: 51f6a23070e26239f9653f293f1a6341
  SHA1: fd2aa199d160419386413687c193f7ff96e3a4b9
  SHA256: 933547c8e4ad4cf51b12f2d8c7b955c121698d5b58d872a8e9b758014ef37789
  SHA512: f62e8d68fb68bd25d9d36088721b39abddc985443d87806f7000014b948e70bb5289d4ade4470dbc573f92cb63b3c879d8c7415960f59d45838eec69704270cb