upatre | 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f

General

Target

9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
Size

36KB
MD5

56a2dad254438d56cbab545f24faf72b
SHA1

3bd697d8dec1db399ae5f32e35afaa7fa67e76d9
SHA256

9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f
SHA512

4e74f7cc85b21659ef235aa4fd7e2482babbcf3183f683ea91e48c3a630355ccdd941298c2f49edc384de3f2e588e486e79fa3e743d957e07db7860fe1e74450

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

2032 szgfw.exe

pid	process
2032	szgfw.exe

Loads dropped DLL 2 IoCs

Processes:

9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe

pid	process
1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe

description	pid	process	target process
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	szgfw.exe
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	szgfw.exe
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	szgfw.exe
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
"C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
e707e937cfbcb0d0a2fdf4f7542c9068

SHA1
d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37

SHA256
51d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5

SHA512
c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
e707e937cfbcb0d0a2fdf4f7542c9068

SHA1
d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37

SHA256
51d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5

SHA512
c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
e707e937cfbcb0d0a2fdf4f7542c9068

SHA1
d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37

SHA256
51d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5

SHA512
c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
e707e937cfbcb0d0a2fdf4f7542c9068

SHA1
d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37

SHA256
51d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5

SHA512
c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7

Download Submit
memory/1340-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/2032-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing