upatre | 80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c

Analysis

Target

80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c.exe
Size

9KB
MD5

02f9fdbad10a5915c4320ca783d2740b
SHA1

ce32da4ca17e5c5352bbee031349a0556942aa25
SHA256

80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c
SHA512

d761a3fcef68d07cda86b9be0986f0f511b17bb870013a805271606de04e4b64e7be4830acc272bb324ab7d471ff6b07e3c8719545a9e71957f7de98146ccff9

Score

10^/10

upatre downloader

Executes dropped EXE 1 IoCs

pid	Process
416	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 416	736	80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c.exe	75
PID 736 wrote to memory of 416	736	80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c.exe	75
PID 736 wrote to memory of 416	736	80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c.exe	75

C:\Users\Admin\AppData\Local\Temp\80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c.exe
"C:\Users\Admin\AppData\Local\Temp\80a9acf19f576c8449e29840b61d757cb5615e9b9cece45609e37c57f7fa182c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:416

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact