upatre | e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a

Analysis

max time kernel
153s
max time network
17s
platform
windows7_x64
resource
win7v20210408
submitted
10-05-2021 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
Size

51KB
MD5

f559d99a297876bd0e694b771d25802f
SHA1

e05079501a4028e85ee432667f3e314beca475df
SHA256

e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a
SHA512

bf22893205e4bccbff4047a048fd85de16d8f40dc870909e7fabc779f6ee45354872dbca41e3dd49b0e03790e35faaceaf88b18c47c4b129f6232b28a040fc78

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2032	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
1028	e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2032	1028	e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe	25
PID 1028 wrote to memory of 2032	1028	e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe	25
PID 1028 wrote to memory of 2032	1028	e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe	25
PID 1028 wrote to memory of 2032	1028	e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe	25

C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
"C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-60-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download