upatre | c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f

Analysis

Target

c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f.exe
Size

9KB
MD5

7d71b0d5ed6ccf91990def97a3e28b5c
SHA1

8889021bfc536405c55cc63ff66d17842e534463
SHA256

c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f
SHA512

794d4f1d70b618cfa9ccdf6410b8c778a2bb730baca3e6dcafe1d8b854132ef4db3cf3ee540e2ab00501058c3b2bcbd55e708fa281e1419fa1af333415424031

Score

10^/10

upatre downloader

Executes dropped EXE 1 IoCs

pid	Process
3664	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3664	4656	c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f.exe	75
PID 4656 wrote to memory of 3664	4656	c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f.exe	75
PID 4656 wrote to memory of 3664	4656	c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f.exe	75

C:\Users\Admin\AppData\Local\Temp\c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f.exe
"C:\Users\Admin\AppData\Local\Temp\c824d7ee2edc8ee6d3963c25d30981bbfd956a9ae77c4a18c557b826fa2d448f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3664

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact