upatre | 7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b

Analysis

Target

dea0e56e_by_Libranalysis.exe
Size

6KB
MD5

dea0e56e4ce2fafb80ace3b818eb44fe
SHA1

ce252a12317c0d0cac83b87a76db375baf05cb94
SHA256

7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b
SHA512

d04ba2daa722bc929628605cc0dfa4bc2ae34e485d13685a8f8a5747754c88915f32621363955640cac49c890ac01136aef7444d3fd62ab26be048ebae50e4ee

Score

10^/10

upatre downloader

Executes dropped EXE 1 IoCs

pid	Process
3052	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3052	3680	dea0e56e_by_Libranalysis.exe	75
PID 3680 wrote to memory of 3052	3680	dea0e56e_by_Libranalysis.exe	75
PID 3680 wrote to memory of 3052	3680	dea0e56e_by_Libranalysis.exe	75

C:\Users\Admin\AppData\Local\Temp\dea0e56e_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\dea0e56e_by_Libranalysis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3052

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact