upatre | b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe
Size

9KB
MD5

95bf60a97a6769e959971ef2b8deaee8
SHA1

d712cdcab2c8fc4435f7a5f1c236304ddf45ccd4
SHA256

b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187
SHA512

e3b12277a81cf71e7f3b323228707469bbb2c5ef87a690e8f2976b474075f3394f1c5dcdc648490db414ff26dfbbe22b840058dd896865e7cd39bf9a906c5ece

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2012	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1748	b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe
1748	b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2012	1748	b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe	26
PID 1748 wrote to memory of 2012	1748	b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe	26
PID 1748 wrote to memory of 2012	1748	b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe	26
PID 1748 wrote to memory of 2012	1748	b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe	26

C:\Users\Admin\AppData\Local\Temp\b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe
"C:\Users\Admin\AppData\Local\Temp\b538da5dfbe1794ad6966e153b1f6f0ddcd95bb82eef65a6e050bc8a3a023187.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-59-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download