upatre | 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf

Analysis

max time kernel
150s
max time network
114s
platform
windows7_x64
resource
win7v20210410
submitted
11-05-2021 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
Size

34KB
MD5

3c1e71fc593219b7002adc771f23333a
SHA1

2060f434a814f86612c9d76e1a29436c448b3ec6
SHA256

91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf
SHA512

1cb259baba85829f5d82a1b0f9da3c469f406e4276e666a19a37683abb05d2496d4443ef31107f2067a268fcd9d533c933899bc780b13e123ee3401efe2bbfa3

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1348	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1088	91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
1088	91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1348	1088	91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe	29
PID 1088 wrote to memory of 1348	1088	91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe	29
PID 1088 wrote to memory of 1348	1088	91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe	29
PID 1088 wrote to memory of 1348	1088	91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe	29

C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
"C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1088-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download