Resubmissions

07-05-2024 15:48

240507-s8zxpsde6t 10

04-05-2024 01:25

240504-bs432shf6t 10

Analysis

  • max time kernel
    52s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 15:48

General

  • Target

    a717e9da71424d19616f4d108f7404d1e7d11661adf01786eb5b7c5920795540.exe

  • Size

    18KB

  • MD5

    57f3764c7325ed81dcfbfd8cc497eae3

  • SHA1

    115bf894d6d3801104c640eccf81c59fcf2e97af

  • SHA256

    a717e9da71424d19616f4d108f7404d1e7d11661adf01786eb5b7c5920795540

  • SHA512

    0f08bf58913d301310db214f57e54d666e08f74ad845270db9ca6613e6b495de9c9202448e94adc1b7257b4f59c93f37cf89879082ef32297fd16182e7e51f22

  • SSDEEP

    384:ZKRHBDj1y6sX7d/ZctaQTKfV1T6CSB8Oye3QBYy:URHBfCX7PcAD6CC8Oye3Qay

Score
10/10

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
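The "UPX packed file" signature above fires on static features of the PE, not on behaviour. As an added example (not the sandbox's own rule), the Python below applies the usual UPX heuristics to a PE section table: section names beginning with UPX, a first section that has no bytes on disk but a large virtual size (the stub decompresses into it at run time), the literal UPX! marker, and a compressed section whose byte entropy sits near 8 bits per byte. The two PE images are constructed in memory by build_pe() as test data; they are not the sample from this report.

```python
import math
import struct

# Added example: UPX packing heuristics over a PE section table.
# The PE images built by build_pe() are constructed test data, not the
# sample from this report.

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 0x200


def parse_sections(data):
    """Return [(name, virtual_size, raw_size, raw_ptr), ...] from a PE image."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, rptr))
    return sections


def shannon_entropy(buf):
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data):
    """List the UPX indicators found; an empty list means none fired."""
    hits = []
    sections = parse_sections(data)
    upx_names = [s[0] for s in sections if s[0].startswith("UPX")]
    if upx_names:
        hits.append("section names " + ",".join(upx_names))
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        # UPX0 occupies no file bytes; the stub decompresses into it at run time
        hits.append("first section %s has SizeOfRawData 0 but VirtualSize %#x"
                    % (sections[0][0], sections[0][1]))
    if b"UPX!" in data:
        hits.append("UPX! marker present")
    for name, _vsize, rsize, rptr in sections:
        if rsize:
            ent = shannon_entropy(data[rptr:rptr + rsize])
            if ent > 7.0:
                hits.append("section %s entropy %.2f" % (name, ent))
    return hits


def build_pe(section_specs):
    """Construct a minimal PE32 image for testing (constructed data, not a real binary)."""
    optional_size = 224
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, optional_size, 0x102)
    optional = b"\x0b\x01" + b"\0" * (optional_size - 2)   # PE32 magic, rest zeroed
    headers_len = e_lfanew + 4 + 20 + optional_size + SECTION_HEADER_SIZE * len(section_specs)
    raw_base = (headers_len + FILE_ALIGNMENT - 1) & ~(FILE_ALIGNMENT - 1)
    table, body = b"", b""
    for i, (name, vsize, payload) in enumerate(section_specs):
        rptr = raw_base + len(body) if payload else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                             len(payload), rptr, 0, 0, 0, 0, 0x60000020)
        body += payload
    image = dos + IMAGE_NT_SIGNATURE + coff + optional + table
    return image + b"\0" * (raw_base - len(image)) + body


# Stand-in for compressed data: a full 256-value cycle, so entropy is 8.0 bits/byte.
_COMPRESSED = bytes((i * 239 + 17) % 256 for i in range(4096)) + b"UPX!"

PACKED_SAMPLE = build_pe([(b"UPX0", 0x6000, b""),
                          (b"UPX1", 0x2000, _COMPRESSED),
                          (b".rsrc", 0x1000, b"\0" * 64)])
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, b"\x55\x8b\xec" + b"\x90" * 253),
                         (b".data", 0x100, b"\0" * 64)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_indicators(image) or "no UPX indicators")
```

Section names alone are weak evidence, since UPX lets the packer rename them and other packers imitate them; the empty-on-disk first section and the entropy of the remaining section are what survive a renamed header, which is why the function reports each indicator separately rather than a single verdict.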

Processes

  • C:\Users\Admin\AppData\Local\Temp\a717e9da71424d19616f4d108f7404d1e7d11661adf01786eb5b7c5920795540.exe
    "C:\Users\Admin\AppData\Local\Temp\a717e9da71424d19616f4d108f7404d1e7d11661adf01786eb5b7c5920795540.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2924
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2492
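The process tree above is what the "Executes dropped EXE" and "Loads dropped DLL" signatures are built from: a file the sample writes to %TEMP% is later mapped as a new process image (szgfw.exe, PID 2924, child of PID 2996) or as a loaded module. As an added example (not the sandbox's own code), the Python below correlates constructed Sysmon-style events (ID 11 FileCreate, ID 1 ProcessCreate, ID 7 ImageLoad) in timeline order and also rebuilds the 1⤵ / 2⤵ depth markers from parent PIDs. The PIDs and EXE paths follow this report; the DLL name helper.dll and the parent PID 1000 are placeholders, because the report does not name the dropped DLL or the sample's parent.

```python
import ntpath

# Added example: correlate file-create events with later process-create and
# image-load events to reproduce the sandbox's "Executes dropped EXE" and
# "Loads dropped DLL" signatures. Events are constructed in Sysmon's shape
# (ID 11 FileCreate, ID 1 ProcessCreate, ID 7 ImageLoad); the PIDs and EXE
# paths follow this report, helper.dll and PID 1000 are placeholders.

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\a717e9da71424d19616f4d108f7404d1e7d11661adf01786eb5b7c5920795540.exe"
DROPPED_EXE = TEMP + r"\szgfw.exe"
DROPPED_DLL = TEMP + r"\helper.dll"   # hypothetical name; the report does not list the DLL

EVENTS = [
    {"id": 1, "pid": 2996, "ppid": 1000, "image": SAMPLE},
    {"id": 11, "pid": 2996, "target": DROPPED_EXE},
    {"id": 11, "pid": 2996, "target": DROPPED_DLL},
    {"id": 7, "pid": 2996, "image_loaded": DROPPED_DLL},
    # case differs on purpose: NTFS paths are case-insensitive, the rule must not miss this
    {"id": 1, "pid": 2924, "ppid": 2996, "image": DROPPED_EXE.upper()},
    {"id": 1, "pid": 2492, "ppid": 1000, "image": r"C:\Windows\system32\taskmgr.exe"},
    # a module that was present before any drop (not created by a monitored process)
    {"id": 7, "pid": 2924, "image_loaded": r"C:\Windows\system32\kernel32.dll"},
]


def norm(path):
    """Case-fold and normalise separators so 'C:\\Temp\\A.EXE' and 'c:/temp/a.exe' match."""
    return ntpath.normpath(path).casefold()


def find_dropped_execution(events):
    """Return [(rule, acting_pid, path, dropper_pid), ...] in event order.

    A drop only counts if the FileCreate precedes the execution or load,
    so the events must be fed in timeline order.
    """
    dropped = {}          # normalised path -> pid that created it
    findings = []
    for ev in events:
        if ev["id"] == 11:
            dropped[norm(ev["target"])] = ev["pid"]
        elif ev["id"] == 1 and norm(ev["image"]) in dropped:
            findings.append(("Executes dropped EXE", ev["pid"], ev["image"],
                             dropped[norm(ev["image"])]))
        elif ev["id"] == 7 and norm(ev["image_loaded"]) in dropped:
            findings.append(("Loads dropped DLL", ev["pid"], ev["image_loaded"],
                             dropped[norm(ev["image_loaded"])]))
    return findings


def process_tree(events):
    """Rebuild the parent/child depth the report renders as 1⤵ / 2⤵ markers."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["id"] == 1}
    depth = {}
    for pid in parent:
        d, p = 1, parent[pid]
        while p in parent:
            d, p = d + 1, parent[p]
        depth[pid] = d
    return depth


if __name__ == "__main__":
    for rule, pid, path, dropper in find_dropped_execution(EVENTS):
        print("%s: PID %d uses %s (dropped by PID %d)" % (rule, pid, path, dropper))
    print(process_tree(EVENTS))
```

Two details matter in production: the FileCreate must come before the ProcessCreate or ImageLoad, which is why the correlation is a single forward pass over an ordered stream rather than a join on path, and the path key must be normalised, since the sandbox's own Downloads entry for the drop (`\Users\Admin\AppData\Local\Temp\szgfw.exe`) and the process image path differ in drive prefix and can differ in case.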

Network

MITRE ATT&CK Matrix ATT&CK v13

Downloads

  • \Users\Admin\AppData\Local\Temp\szgfw.exe
    Filesize

    18KB

    MD5

    f505114016c4f6e09776ed5e230d0b97

    SHA1

    4b7a144605e8d367b225638f91b6d5dc992bf32d

    SHA256

    5eacfc70616247a47046b0deccd677006269c9a617e4d153c9f1954174bf1b46

    SHA512

    d7e1231742254302d45957a9df34aefcc8fcfb59d4f270b1a479a07f2c87f08e9a2e51a80a68d39fee1def9e256f6b869e7451eb6cd6b9285601a052afcfff8e

  • memory/2492-12-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2924-10-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB

  • memory/2996-1-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize

    28KB