upatre | d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7v20210410
submitted
17-05-2021 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
Size

605KB
MD5

fa6f37a85bb2fbc2a6c1ba5ae945e679
SHA1

44119386fc5293c911a2919d417bfef26cfcbf62
SHA256

d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5
SHA512

2636892fabd453ce0f03ef2089a9136711b23b66bf8bedca0aac2fa4f3df175f33d2a1eada6e7901a2f2ce3337124ebbdf80adb8676e655732949407a42a209e

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1588	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1040	d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
1040	d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1588	1040	d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe	29
PID 1040 wrote to memory of 1588	1040	d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe	29
PID 1040 wrote to memory of 1588	1040	d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe	29
PID 1040 wrote to memory of 1588	1040	d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe	29

C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
"C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-59-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1040-65-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download