upatre | db57d70cb349c8db6a0fd0a43a7e2ac68edc258457c9cb6b6dbd19a3e348195c

Analysis

max time kernel
4294210s
max time network
126s
platform
windows7_x64
resource
win7-20220311-en
submitted
26-03-2022 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

minor.exe
Size

27KB
MD5

cc41876131457380518803a6daed9fe3
SHA1

352b01bbd7063ebbd3aedbe8e35408fd51584b1a
SHA256

db57d70cb349c8db6a0fd0a43a7e2ac68edc258457c9cb6b6dbd19a3e348195c
SHA512

284aee559d4734b3ff0732f0e693070498b895cf95de687bc033c113ee195a768d763c05661eaf01171891f517cc27214e1a1e41cfe2900d9a9366dc762c5b25

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

2004 szgfw.exe
Loads dropped DLL 2 IoCs

Processes:

minor.exe

pid process

1836 minor.exe
1836 minor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2004	szgfw.exe

pid	process
1836	minor.exe
1836	minor.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

minor.exe

description	pid	process	target process
PID 1836 wrote to memory of 2004	1836	minor.exe	szgfw.exe
PID 1836 wrote to memory of 2004	1836	minor.exe	szgfw.exe
PID 1836 wrote to memory of 2004	1836	minor.exe	szgfw.exe
PID 1836 wrote to memory of 2004	1836	minor.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\minor.exe
"C:\Users\Admin\AppData\Local\Temp\minor.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:2004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
f56d46ed8815a79fd2fa2b3034d967d4

SHA1
9d95cba8ae9789c3ec11cba83c8348c249aee137

SHA256
44081829904e47fbdaf5d62f60bfb6853489170bfd9ef074abd5a0ba4f9593a6

SHA512
1f9e2520c61e33caa1bb623ac7fd263be013dfdac8fd0c757d80938a5691bd9bdc2b4bbc2699f78ab37f36369ddb034a8b8a59906e19c861b7fa92ec1774fed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
f56d46ed8815a79fd2fa2b3034d967d4

SHA1
9d95cba8ae9789c3ec11cba83c8348c249aee137

SHA256
44081829904e47fbdaf5d62f60bfb6853489170bfd9ef074abd5a0ba4f9593a6

SHA512
1f9e2520c61e33caa1bb623ac7fd263be013dfdac8fd0c757d80938a5691bd9bdc2b4bbc2699f78ab37f36369ddb034a8b8a59906e19c861b7fa92ec1774fed8

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
f56d46ed8815a79fd2fa2b3034d967d4

SHA1
9d95cba8ae9789c3ec11cba83c8348c249aee137

SHA256
44081829904e47fbdaf5d62f60bfb6853489170bfd9ef074abd5a0ba4f9593a6

SHA512
1f9e2520c61e33caa1bb623ac7fd263be013dfdac8fd0c757d80938a5691bd9bdc2b4bbc2699f78ab37f36369ddb034a8b8a59906e19c861b7fa92ec1774fed8

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe
MD5
f56d46ed8815a79fd2fa2b3034d967d4

SHA1
9d95cba8ae9789c3ec11cba83c8348c249aee137

SHA256
44081829904e47fbdaf5d62f60bfb6853489170bfd9ef074abd5a0ba4f9593a6

SHA512
1f9e2520c61e33caa1bb623ac7fd263be013dfdac8fd0c757d80938a5691bd9bdc2b4bbc2699f78ab37f36369ddb034a8b8a59906e19c861b7fa92ec1774fed8

Download Submit
memory/1836-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2004-57-0x0000000000000000-mapping.dmp

Download