upatre | aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466

Analysis

max time kernel
150s
max time network
124s
platform
windows10_x64
resource
win10v20210408
submitted
16-05-2021 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466.exe
Size

30KB
MD5

be83925b8e96867fdde3d531b92fd4f5
SHA1

c25948fb13901fdb618240fc5af7a34f0d963b97
SHA256

aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466
SHA512

f475cec10c29c136fe5a4d96c9836fde78e796b7f68db75ed4cb36cfcc07133e7c9c5ad4dbadb807ddeb54305dde38f525c6bc716fea3bcacc591089ecbda27d

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1940	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1940	584	aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466.exe	78
PID 584 wrote to memory of 1940	584	aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466.exe	78
PID 584 wrote to memory of 1940	584	aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466.exe	78

C:\Users\Admin\AppData\Local\Temp\aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466.exe
"C:\Users\Admin\AppData\Local\Temp\aef1a153052173ebf15a5fbadd0e1b8f79895552451b2023569ccf1096fa6466.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-114-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download