upatre | 40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d

General

Target

40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe
Size

41KB
MD5

a40de375c11eab28f6a76ee330c7656b
SHA1

13d4ffac2398d14f2ec4249f5946639769e0044a
SHA256

40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d
SHA512

da183cc131afd679fd5406ad4a90efd745ef7efa5747188f98459ab406672e85875cf09587062f300c2e3425fd4968994478a819bffa33c9b372b0a45a25bf92

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
836	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1528	40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe
1528	40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 836	1528	40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe	26
PID 1528 wrote to memory of 836	1528	40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe	26
PID 1528 wrote to memory of 836	1528	40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe	26
PID 1528 wrote to memory of 836	1528	40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe	26

C:\Users\Admin\AppData\Local\Temp\40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe
"C:\Users\Admin\AppData\Local\Temp\40e5c3cbbfe196a20d7f93c5254a398478b4b7729ea9d301c3c780dce14a3a2d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
14d90ac2a80ab7e3db1defe48292aa64

SHA1
d854d068fcf0d3f19fa5733e35d715be79249dab

SHA256
d0f8ca3051b85307ff617bda32851f94610dfa530813e99664ab0eff7ef83625

SHA512
d4fd93208a068474079c76a8d27cb836ddb546806929857a4b3d4813d1be34a8981635292d79237ee4ce2310634333567dc31a125d7553781bfcb09f0d22d054

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
14d90ac2a80ab7e3db1defe48292aa64

SHA1
d854d068fcf0d3f19fa5733e35d715be79249dab

SHA256
d0f8ca3051b85307ff617bda32851f94610dfa530813e99664ab0eff7ef83625

SHA512
d4fd93208a068474079c76a8d27cb836ddb546806929857a4b3d4813d1be34a8981635292d79237ee4ce2310634333567dc31a125d7553781bfcb09f0d22d054

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
14d90ac2a80ab7e3db1defe48292aa64

SHA1
d854d068fcf0d3f19fa5733e35d715be79249dab

SHA256
d0f8ca3051b85307ff617bda32851f94610dfa530813e99664ab0eff7ef83625

SHA512
d4fd93208a068474079c76a8d27cb836ddb546806929857a4b3d4813d1be34a8981635292d79237ee4ce2310634333567dc31a125d7553781bfcb09f0d22d054

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
41KB

MD5
14d90ac2a80ab7e3db1defe48292aa64

SHA1
d854d068fcf0d3f19fa5733e35d715be79249dab

SHA256
d0f8ca3051b85307ff617bda32851f94610dfa530813e99664ab0eff7ef83625

SHA512
d4fd93208a068474079c76a8d27cb836ddb546806929857a4b3d4813d1be34a8981635292d79237ee4ce2310634333567dc31a125d7553781bfcb09f0d22d054

Download Submit
memory/1528-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing