upatre | 4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe
Size

7KB
MD5

34c2cb4e8654afbbb5aa16a7440da550
SHA1

58afaf585e7da7840df9385009c2512b15a1dc6c
SHA256

4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf
SHA512

5df2544e55cd99dd4a85ab46d6fdfee4c5b5c33c502ea77ae0656f33035664fc659e4d25915cf7ed7419fe3b18f15abe4fb926349f67e3e959feec62c2701a9e
SSDEEP

96:Z0v4mUWKh9ctgC1Re/YnKymV44ShFa8cfD+mGICK7vCaGR++DH5weYvDrJGR0DwX:9mUWKs/hnKfzShF6SQvXIHgbrWWwX

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
1220	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe
864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	23
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	23
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	23
PID 864 wrote to memory of 1220	864	4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe	23

C:\Users\Admin\AppData\Local\Temp\4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe
"C:\Users\Admin\AppData\Local\Temp\4e39a22482c45bce5f3c5bea56014534358f6780ed4fedb979a121fc667ae4bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
7KB

MD5
812862ac9e2ef42d4b006d3269e05281

SHA1
28346d72542fdcf2f23c528c608b1ba030ff7796

SHA256
f9ff1d7416e595bc4d962b92aad8dc1290b2f9b467e84b72203ab49dcc0f99ef

SHA512
3bdf8eef2a29a55ad453363fa13be9a83a82a50895c4b3e664242088702a663b4016be2190209087ee83c7a8f7dcdd374af29ce6ea708df6f2f8c5434654dacc

Download Submit
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download