upatre | 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-02-2022 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
Size

36KB
MD5

56a2dad254438d56cbab545f24faf72b
SHA1

3bd697d8dec1db399ae5f32e35afaa7fa67e76d9
SHA256

9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f
SHA512

4e74f7cc85b21659ef235aa4fd7e2482babbcf3183f683ea91e48c3a630355ccdd941298c2f49edc384de3f2e588e486e79fa3e743d957e07db7860fe1e74450

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2032	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	27
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	27
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	27
PID 1340 wrote to memory of 2032	1340	9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe	27

C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
"C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/2032-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download