upatre | 22ee1bc310f8cca02975f01dcec46be2d779ebedf96e1732c34ec46c8a6216da

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 07:03

Target

c931a27d111f32674105713fdc964120_NeikiAnalytics.exe
Size

19KB
MD5

c931a27d111f32674105713fdc964120
SHA1

2a280220c4a624e082a6131ef0baf470e737dc7c
SHA256

22ee1bc310f8cca02975f01dcec46be2d779ebedf96e1732c34ec46c8a6216da
SHA512

0cfbb967f3fdb6fae36d640ad955b5bf0e5a3b0b1b1c0683a5ebb49ea9f98221dbe0f8f5c7327c6f6a6a8e929396eb42fb265f3b5bee5c07a77db650abb641df
SSDEEP

384:ZKRHBDj1y6sX7d/ZctaQTKfV1T6CSB8Oye3QBYLO0:URHBfCX7PcAD6CC8Oye3QaS0

Score

10^/10

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

768 szgfw.exe
Loads dropped DLL 2 IoCs

Processes:

c931a27d111f32674105713fdc964120_NeikiAnalytics.exe

pid process

2924 c931a27d111f32674105713fdc964120_NeikiAnalytics.exe
2924 c931a27d111f32674105713fdc964120_NeikiAnalytics.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2924-1-0x0000000000400000-0x0000000000407000-memory.dmp upx
\Users\Admin\AppData\Local\Temp\szgfw.exe upx

pid	process
768	szgfw.exe

pid	process
2924	c931a27d111f32674105713fdc964120_NeikiAnalytics.exe
2924	c931a27d111f32674105713fdc964120_NeikiAnalytics.exe

resource	yara_rule
behavioral1/memory/2924-1-0x0000000000400000-0x0000000000407000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\szgfw.exe	upx

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c931a27d111f32674105713fdc964120_NeikiAnalytics.exe

description	pid	process	target process
PID 2924 wrote to memory of 768	2924	c931a27d111f32674105713fdc964120_NeikiAnalytics.exe	szgfw.exe
PID 2924 wrote to memory of 768	2924	c931a27d111f32674105713fdc964120_NeikiAnalytics.exe	szgfw.exe
PID 2924 wrote to memory of 768	2924	c931a27d111f32674105713fdc964120_NeikiAnalytics.exe	szgfw.exe
PID 2924 wrote to memory of 768	2924	c931a27d111f32674105713fdc964120_NeikiAnalytics.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:768

\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
19KB

MD5
144d90b48a3b53647bace55c98eff919

SHA1
8606fa1573d2f34538bf3171c04e99917bc831a1

SHA256
9239faba35de4245dbc4ac90c36ddc9c6948a47aa2c624adee03e9d88a0213a4

SHA512
6965977150af8db1b3ed3b588c63eec7da5f47bd5885018f2beffb10b3f5f894e10cbabc48a584c59c4ad6cfbec5db8615da3ceb4540bafc2471d34554742dfc

Download Submit
memory/2924-1-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download