Analysis Overview
SHA256
df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2
Threat Level: Known bad
The file df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-09 15:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-09 15:22
Reported
2021-05-09 16:21
Platform
win7v20210410
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1268 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1268 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1268 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1268 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe
"C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1268-60-0x0000000075591000-0x0000000075593000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 62cf9fe09f64c66ae8bec043bf007036 |
| SHA1 | 8f21beaf55dcd05716db7299a75b2726e6ccc4c5 |
| SHA256 | 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033 |
| SHA512 | f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 62cf9fe09f64c66ae8bec043bf007036 |
| SHA1 | 8f21beaf55dcd05716db7299a75b2726e6ccc4c5 |
| SHA256 | 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033 |
| SHA512 | f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997 |
memory/1500-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 62cf9fe09f64c66ae8bec043bf007036 |
| SHA1 | 8f21beaf55dcd05716db7299a75b2726e6ccc4c5 |
| SHA256 | 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033 |
| SHA512 | f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997 |
memory/1268-66-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 62cf9fe09f64c66ae8bec043bf007036 |
| SHA1 | 8f21beaf55dcd05716db7299a75b2726e6ccc4c5 |
| SHA256 | 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033 |
| SHA512 | f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-09 15:22
Reported
2021-05-09 16:21
Platform
win10v20210410
Max time kernel
150s
Max time network
110s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3952 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3952 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3952 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe
"C:\Users\Admin\AppData\Local\Temp\df1934e161093894ea8bfcd0e119f0f81a0c2bd6cbd226eed67d4e5397d9e8c2.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/3928-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 62cf9fe09f64c66ae8bec043bf007036 |
| SHA1 | 8f21beaf55dcd05716db7299a75b2726e6ccc4c5 |
| SHA256 | 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033 |
| SHA512 | f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | 62cf9fe09f64c66ae8bec043bf007036 |
| SHA1 | 8f21beaf55dcd05716db7299a75b2726e6ccc4c5 |
| SHA256 | 2cfc417e559b822198013f3e49cfe1fbc36df7b75c6e29ec2c1b0e6bdf778033 |
| SHA512 | f1041ef2b9d2a3c6984396857d5b4563bf2d4943fdf9b3679a94c18614b7280548257943ba1e161375bcc1d1395921021f3a5af831ca104f79a130ca07da0997 |
memory/3952-117-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/3928-118-0x0000000000410000-0x000000000055A000-memory.dmp