Analysis

  • max time kernel
    151s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    09-05-2021 16:21

General

  • Target

    b00a289023a36bfc512f39fb1d05c2fb702e7c56ad496ee234dda1285cab0abd.exe

  • Size

    38KB

  • MD5

    ab0f93eb0403b083c81a941ce494c11e

  • SHA1

    696914f2bf1f43055e90907ef66d62d95f862793

  • SHA256

    b00a289023a36bfc512f39fb1d05c2fb702e7c56ad496ee234dda1285cab0abd

  • SHA512

    b699bebc49ca82edab41e50a09fa95d02a1bb4c90198a710ae73ef064d80eab5502c382036a04eed635954ed9fb2ebc5c2b5f1493b1f39f87fabbd9d81e5c524

Score
10/10

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is the signature's generic description, which labels the behaviour "likely ransomware"; on its own, drive enumeration is a weak indicator, and nothing else in this report (no file encryption, no ransom note) supports a ransomware classification. The sample is classified as Upatre, a downloader.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b00a289023a36bfc512f39fb1d05c2fb702e7c56ad496ee234dda1285cab0abd.exe
    "C:\Users\Admin\AppData\Local\Temp\b00a289023a36bfc512f39fb1d05c2fb702e7c56ad496ee234dda1285cab0abd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:1452

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe

    MD5

    507438bb835deb90116adff5db4eeda9

    SHA1

    7849305bfe459a94f51a41cf3d82e2997ee6a9a2

    SHA256

    f599776b84ea194f3ecd2c323bdb6eb06fb72af0f6f571aa052ea29fb3e68b00

    SHA512

    02a2adfbc976bde647359ec9935f502955a2e80557b3684affd4bd0606b774cb25550e0a8e279a17d6c32f00e42ac66e8e1d2ac6ea332f48d3ad25cc961f465c

  • \Users\Admin\AppData\Local\Temp\szgfw.exe

    MD5

    507438bb835deb90116adff5db4eeda9

    SHA1

    7849305bfe459a94f51a41cf3d82e2997ee6a9a2

    SHA256

    f599776b84ea194f3ecd2c323bdb6eb06fb72af0f6f571aa052ea29fb3e68b00

    SHA512

    02a2adfbc976bde647359ec9935f502955a2e80557b3684affd4bd0606b774cb25550e0a8e279a17d6c32f00e42ac66e8e1d2ac6ea332f48d3ad25cc961f465c

  • memory/1452-63-0x0000000000000000-mapping.dmp

  • memory/1776-60-0x0000000075C31000-0x0000000075C33000-memory.dmp

    Filesize

    8KB

  • memory/1776-66-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB
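
Hunting example for the behaviour recorded above: the process tree (an executable in %TEMP% dropping szgfw.exe into the same %TEMP% and executing it) and the dropped-file hashes in the Downloads list. This is an added example, not output of the sandbox or part of the report. It runs the two checks over constructed Sysmon-style process-creation records that mirror PIDs 1776 and 1452 from the tree; the explorer.exe root, the benign third process and its placeholder hash are assumptions made for the example. The "Suspicious use of WriteProcessMemory" signature comes from API-call hooking in the sandbox and is not visible in process-creation logs, so it is out of scope here.

```python
"""Match process-creation records against the report's IoCs.

Constructed records (not sandbox output) reproduce the report's tree:
  1776 <sample>.exe in %TEMP%  ->  1452 szgfw.exe in %TEMP%
"""
from dataclasses import dataclass
from typing import Dict, List

# SHA256 values copied from the report above; the labels are this example's own.
KNOWN_SHA256 = {
    "b00a289023a36bfc512f39fb1d05c2fb702e7c56ad496ee234dda1285cab0abd":
        "submitted Upatre sample",
    "f599776b84ea194f3ecd2c323bdb6eb06fb72af0f6f571aa052ea29fb3e68b00":
        "dropped szgfw.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, reduced to the fields the checks need
    (Sysmon Event ID 1 carries these as Image, ParentImage, Hashes)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    sha256: str


def in_user_temp(path: str) -> bool:
    """True for images under a per-user %TEMP%, where both the sample and the
    file it drops live in the report. Case and slash direction are normalised
    so Sysmon's backslash paths and forward-slash paths compare equally."""
    p = path.replace("/", "\\").lower()
    return "\\appdata\\local\\temp\\" in p


def classify(ev: ProcEvent) -> List[str]:
    """Return the detections that fire on one event (empty list = none).
    Sysmon writes hashes in upper case, so the lookup lower-cases first."""
    hits = []
    label = KNOWN_SHA256.get(ev.sha256.lower())
    if label:
        hits.append("ioc_hash:" + label)
    # The report's "Executes dropped EXE": an executable in %TEMP% launching
    # another executable in %TEMP%. Legitimate installers rarely chain this way.
    if in_user_temp(ev.image) and in_user_temp(ev.parent_image):
        hits.append("temp_spawns_temp")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> detections for every event that fired at least one."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out[ev.pid] = hits
    return out


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Rebuild the parent chain for a PID, root first, like the numbered tree
    in the report. Stops at the first parent that was not observed."""
    by_pid = {ev.pid: ev for ev in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


# Constructed records mirroring the report (PIDs 1776 -> 1452) plus a benign
# process. explorer.exe as the root, the vendor app and its all-zero hash are
# placeholders for this example, not observations from the report.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "b00a289023a36bfc512f39fb1d05c2fb702e7c56ad496ee234dda1285cab0abd.exe"
SAMPLE_EVENTS = [
    ProcEvent(1776, 1000, SAMPLE, "C:\\Windows\\explorer.exe",
              "B00A289023A36BFC512F39FB1D05C2FB702E7C56AD496EE234DDA1285CAB0ABD"),
    ProcEvent(1452, 1776, TEMP + "szgfw.exe", SAMPLE,
              "f599776b84ea194f3ecd2c323bdb6eb06fb72af0f6f571aa052ea29fb3e68b00"),
    ProcEvent(2000, 1000, "C:\\Program Files\\Vendor\\app.exe",
              "C:\\Windows\\explorer.exe", "00" * 32),
]

if __name__ == "__main__":
    for hit_pid, hits in scan(SAMPLE_EVENTS).items():
        print(hit_pid, hits, " -> ".join(lineage(SAMPLE_EVENTS, hit_pid)))
```

The hash match is the high-confidence signal but only catches this exact build; the %TEMP%-spawns-%TEMP% rule is the behavioural one that survives a repack, at the cost of needing an allow-list for the few legitimate updaters that stage binaries the same way.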