upatre | ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa

Resubmissions

08-03-2024 13:26

240308-qpvsjaga76 10

07-03-2024 23:43

240307-3qy8kaad9v 10

Analysis

max time kernel
1797s
max time network
1800s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
Size

40KB
MD5

a73607e431097f1e74130d2bf6c5a2fd
SHA1

7f8f3ad4bd02a46071a0a10f5bba4071a129d5e9
SHA256

ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa
SHA512

60cd69504b583e72c9e392dbcde49eca52b6589ddb0911df9d584521138f187b53ffa9af15e3eb0648e759ed90e589776df3c63cecbab875aa75a15d9cdf98ce
SSDEEP

768:kf1Y9RRw/dUT6vurGd/pkUOyGAv+rPy8Fj6wtVeldaBy6ERb3/kQCjWtBkQhMWG7:GY9jw/dUT62rGdiUOWWra8FcHb3uBWt+

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

768 szgfw.exe
Loads dropped DLL 2 IoCs

Processes:

ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe

pid process

2308 ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
2308 ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
768	szgfw.exe

pid	process
2308	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
2308	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe

description	pid	process	target process
PID 2308 wrote to memory of 768	2308	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	szgfw.exe
PID 2308 wrote to memory of 768	2308	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	szgfw.exe
PID 2308 wrote to memory of 768	2308	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	szgfw.exe
PID 2308 wrote to memory of 768	2308	ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe
"C:\Users\Admin\AppData\Local\Temp\ba1d8b575d19c10651312a8c75221b81b1abeb1d89e58d3574070871194c35fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
40KB

MD5
70c2c9bc91853a71d36eb8502b73b513

SHA1
02df4804fdbfced0a7454b108391ee68e81c0847

SHA256
3a5bd88d1bbb96a3e4e1dbce115629f6931a30c59f3861bbbd8232aef2f645a1

SHA512
d598d7bf15862e87752fc92971f082ea192a21666b5ab126aa9906b67bb95f14b2ef0bcec7cea3784382e2afd9bb6498630a5b854832bdda5dec889325ce0587

Download Submit
memory/2308-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2308-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download