upatre | caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1

Analysis

Target

caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1.exe
Size

6KB
MD5

908c33afa775034f96b5ba7cbec464b9
SHA1

57295cd959a2db8cad415d793d5eb44bdebed711
SHA256

caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1
SHA512

0d6b73324529228e0a7ae677b4a60bf6ea0587c0e1aca03d5387a4d641c9e575c5cc4ac22f25d0718d6b6d61315ecbe8832587de041bbe181ed0b58a6f052d44

Score

10^/10

upatre downloader

Executes dropped EXE 1 IoCs

pid	Process
3680	szgfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3680	4656	caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1.exe	75
PID 4656 wrote to memory of 3680	4656	caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1.exe	75
PID 4656 wrote to memory of 3680	4656	caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1.exe	75

C:\Users\Admin\AppData\Local\Temp\caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1.exe
"C:\Users\Admin\AppData\Local\Temp\caec08293b6e392813fc9721d8612cdc2aa409bf8ff82ffc995e5c6558fd17b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3680

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact