upatre | 5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7

Analysis

max time kernel
150s
max time network
10s
platform
windows7_x64
resource
win7v20210410
submitted
09-05-2021 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe
Size

34KB
MD5

ed7ba34b6aff9d55965b543dd3c4b670
SHA1

e8ebd238d18e1690e3b814a3f9088d4751efd02f
SHA256

5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7
SHA512

2a0dc999f2af5478178b1e5dca9a81ebfdaa284ff050a9834c707fe2057ce062c0118f1c554794dc87dffba36c066ff29d6692a4c29406e898f3422fad8b7fcb

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1816	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe
2040	5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1816	2040	5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe	29
PID 2040 wrote to memory of 1816	2040	5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe	29
PID 2040 wrote to memory of 1816	2040	5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe	29
PID 2040 wrote to memory of 1816	2040	5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe	29

C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe
"C:\Users\Admin\AppData\Local\Temp\5b7007210f130243a87a24f019485da6807c1768dd4d0a4429ef9d00692de5c7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/2040-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download