upatre | ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454

General

Target

ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
Size

50KB
MD5

1e36904aa9c6247753ec7b2e7a191384
SHA1

a68e783571c47f6a1e580a2e4b5dc10282bc0c18
SHA256

ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454
SHA512

0c2cc07e9737fac6504040c95b8b80c86d9a638630b70dbf9f1d43289ea2a4e102a712069e69cdb809bc5a9ffdbeead31f68e6c1a08002c5b38e4928baa028ba

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1792	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
1788	ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1792	1788	ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe	28
PID 1788 wrote to memory of 1792	1788	ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe	28
PID 1788 wrote to memory of 1792	1788	ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe	28
PID 1788 wrote to memory of 1792	1788	ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe	28

C:\Users\Admin\AppData\Local\Temp\ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe
"C:\Users\Admin\AppData\Local\Temp\ce2207286fbd4a1b12c4005667810d88656b540e840628514571548ac2cab454.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
50KB

MD5
0de6f54e7686158e62923dfcb14afb85

SHA1
9b64624cb46b1f8e5b1eba397100fb5b53aa136d

SHA256
b483e49d36c511ea77c006acb3110b4cce4622a470f1c8d84ce6e4a99a19fef1

SHA512
7ec5d1a6c02c6a59caa3c70ae88ad09d8a28d6ee274663e091a7f81e98f21c427d87b260dfc5e3ff0ed837382ec15d8bb4fe6c0b353bc19b5a7465cebc3d454e

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
50KB

MD5
0de6f54e7686158e62923dfcb14afb85

SHA1
9b64624cb46b1f8e5b1eba397100fb5b53aa136d

SHA256
b483e49d36c511ea77c006acb3110b4cce4622a470f1c8d84ce6e4a99a19fef1

SHA512
7ec5d1a6c02c6a59caa3c70ae88ad09d8a28d6ee274663e091a7f81e98f21c427d87b260dfc5e3ff0ed837382ec15d8bb4fe6c0b353bc19b5a7465cebc3d454e

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
50KB

MD5
0de6f54e7686158e62923dfcb14afb85

SHA1
9b64624cb46b1f8e5b1eba397100fb5b53aa136d

SHA256
b483e49d36c511ea77c006acb3110b4cce4622a470f1c8d84ce6e4a99a19fef1

SHA512
7ec5d1a6c02c6a59caa3c70ae88ad09d8a28d6ee274663e091a7f81e98f21c427d87b260dfc5e3ff0ed837382ec15d8bb4fe6c0b353bc19b5a7465cebc3d454e

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
50KB

MD5
0de6f54e7686158e62923dfcb14afb85

SHA1
9b64624cb46b1f8e5b1eba397100fb5b53aa136d

SHA256
b483e49d36c511ea77c006acb3110b4cce4622a470f1c8d84ce6e4a99a19fef1

SHA512
7ec5d1a6c02c6a59caa3c70ae88ad09d8a28d6ee274663e091a7f81e98f21c427d87b260dfc5e3ff0ed837382ec15d8bb4fe6c0b353bc19b5a7465cebc3d454e

Download Submit
memory/1788-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing