upatre | d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-02-2022 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe
Size

8KB
MD5

a49236db790de4a77b6140c8ba215cd8
SHA1

a25f31c5a5b3d4bbc5bec188211fc84073955001
SHA256

d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706
SHA512

1058ea8bdf358824f478449f8c7171748d26bd1be767308d1d2ec2c6606cad0af8402cab06e700a76401ce9f20ec6517e0e583f35c7187ba35ac62f3990bf156

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
848	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1668	d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe
1668	d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 848	1668	d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe	27
PID 1668 wrote to memory of 848	1668	d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe	27
PID 1668 wrote to memory of 848	1668	d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe	27
PID 1668 wrote to memory of 848	1668	d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe	27

C:\Users\Admin\AppData\Local\Temp\d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe
"C:\Users\Admin\AppData\Local\Temp\d936cdd3b9a2327b310dab013d92d7aca6abc82471ee2ce3a70ebb13590d3706.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download