upatre | 93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df

Analysis

max time kernel
150s
max time network
9s
platform
windows7_x64
resource
win7v20210410
submitted
17-05-2021 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe
Size

6KB
MD5

8972008123e06285f31ac670452b073e
SHA1

47696472be021bae0ebbd9ae2f952cea49d83eb4
SHA256

93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df
SHA512

3c0178b23b3ed954097b8d54bd07df11839a0569da8e746af5cd3e21f897e0ae5add11aa85c292281c362e8d9ee7d9b6202689fb1d4a890072c81a75ba2db7dd

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1360	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1084	93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe
1084	93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1360	1084	93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe	26
PID 1084 wrote to memory of 1360	1084	93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe	26
PID 1084 wrote to memory of 1360	1084	93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe	26
PID 1084 wrote to memory of 1360	1084	93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe	26

C:\Users\Admin\AppData\Local\Temp\93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe
"C:\Users\Admin\AppData\Local\Temp\93fae32a9f34eacd3552674f39244e24d35450e15eea40ef5bed81d4dd77f7df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download