upatre | e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50

Analysis

max time kernel
150s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe
Size

37KB
MD5

28c86684494054977a80990f240b0cdb
SHA1

027fa7ed6b914f37f8c9b516be0622da80a8e582
SHA256

e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50
SHA512

164ba7d2a8e123862539e2b7fe58c84be8604344aba9acf7df57bc140c9be964847d1653d69f65dfdbe40ff1f5a3db0f00dc13e41cce7a8b7b1cf3ed0b877615

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1524	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1072	e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe
1072	e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1524	1072	e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe	29
PID 1072 wrote to memory of 1524	1072	e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe	29
PID 1072 wrote to memory of 1524	1072	e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe	29
PID 1072 wrote to memory of 1524	1072	e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe	29

C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe
"C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1072-66-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download