upatre | 230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221

General

Target

230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe
Size

41KB
MD5

a480225e454330cadd3032ef1a33680c
SHA1

d4db1606be1b24968f15eedad095743711da90cf
SHA256

230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221
SHA512

380f4a9a3403ea90695cc973c6d9c89ca08ba16652965a864afe7b32b86237f07bf54a59d7924fc90d7995ed8ccd670a9709b790c81c2f3b6009194c9bf196bb

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
960	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
868	230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe
868	230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 960	868	230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe	28
PID 868 wrote to memory of 960	868	230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe	28
PID 868 wrote to memory of 960	868	230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe	28
PID 868 wrote to memory of 960	868	230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe	28

C:\Users\Admin\AppData\Local\Temp\230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe
"C:\Users\Admin\AppData\Local\Temp\230016b8d26b4672b9e441061bbce9bfa73340fd0537f9b5393e37aa598cc221.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
fbe23349cd3b828c56012656131665d7

SHA1
f412f347ed3f7cb885ab92717c986971685dc76b

SHA256
6dd207c43369b66e9053ef7c584de8fc7071c196aa5daa8a1a03a4dcbc478f9f

SHA512
ad55e09d04ac202baf8343457552634f9a77026799cf7f9eb2a3b25bdb5a2cc58ac2d409bec6e05cf016bc2f22e9d8f5ca26bc69593a8d2a069aa362c9965409

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
fbe23349cd3b828c56012656131665d7

SHA1
f412f347ed3f7cb885ab92717c986971685dc76b

SHA256
6dd207c43369b66e9053ef7c584de8fc7071c196aa5daa8a1a03a4dcbc478f9f

SHA512
ad55e09d04ac202baf8343457552634f9a77026799cf7f9eb2a3b25bdb5a2cc58ac2d409bec6e05cf016bc2f22e9d8f5ca26bc69593a8d2a069aa362c9965409

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
fbe23349cd3b828c56012656131665d7

SHA1
f412f347ed3f7cb885ab92717c986971685dc76b

SHA256
6dd207c43369b66e9053ef7c584de8fc7071c196aa5daa8a1a03a4dcbc478f9f

SHA512
ad55e09d04ac202baf8343457552634f9a77026799cf7f9eb2a3b25bdb5a2cc58ac2d409bec6e05cf016bc2f22e9d8f5ca26bc69593a8d2a069aa362c9965409

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
fbe23349cd3b828c56012656131665d7

SHA1
f412f347ed3f7cb885ab92717c986971685dc76b

SHA256
6dd207c43369b66e9053ef7c584de8fc7071c196aa5daa8a1a03a4dcbc478f9f

SHA512
ad55e09d04ac202baf8343457552634f9a77026799cf7f9eb2a3b25bdb5a2cc58ac2d409bec6e05cf016bc2f22e9d8f5ca26bc69593a8d2a069aa362c9965409

Download Submit
memory/868-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing