upatre | 4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe
Size

7KB
MD5

34c2cb4e8654afbbb5aa16a7440da550
SHA1

58afaf585e7da7840df9385009c2512b15a1dc6c
SHA256

4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf
SHA512

5df2544e55cd99dd4a85ab46d6fdfee4c5b5c33c502ea77ae0656f33035664fc659e4d25915cf7ed7419fe3b18f15abe4fb926349f67e3e959feec62c2701a9e
SSDEEP

96:Z0v4mUWKh9ctgC1Re/YnKymV44ShFa8cfD+mGICK7vCaGR++DH5weYvDrJGR0DwX:9mUWKs/hnKfzShF6SQvXIHgbrWWwX

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre
Executes dropped EXE 1 IoCs

Processes:

szgfw.exe

pid process

1220 szgfw.exe

pid	process
1220	szgfw.exe

Loads dropped DLL 2 IoCs

Processes:

4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe

pid	process
864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe
864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe

description	pid	process	target process
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	szgfw.exe
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	szgfw.exe
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	szgfw.exe
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	szgfw.exe

C:\Users\Admin\AppData\Local\Temp\4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe
"C:\Users\Admin\AppData\Local\Temp\4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
2⤵
- Executes dropped EXE
PID:1220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe
Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1220-57-0x0000000000000000-mapping.dmp

Download