upatre | 8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636

Analysis

max time kernel
150s
max time network
41s
platform
windows7_x64
resource
win7v20210408
submitted
15/05/2021, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe
Size

35KB
MD5

cfcd8e2d980e20e7ef68af9183b662f9
SHA1

ac274727613272df00140e018f972ace602949fa
SHA256

8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636
SHA512

d5b25190dcbb84b23958df7152289e93d568984fd0625b42c35f8ae32dd9858d8bbbb02e360e124b2c18388747db55d799c7c8ab866071f1c5f3658d480b47ad

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1420	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe
1976	8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1420	1976	8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe	29
PID 1976 wrote to memory of 1420	1976	8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe	29
PID 1976 wrote to memory of 1420	1976	8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe	29
PID 1976 wrote to memory of 1420	1976	8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe	29

C:\Users\Admin\AppData\Local\Temp\8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe
"C:\Users\Admin\AppData\Local\Temp\8186e6a8a8747a1b8f79b38fe39e7b408ea2aa35af176db36431b15dacf0d636.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1976-59-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1976-65-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download