Analysis Overview
SHA256
8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e
Threat Level: Known bad
The file 8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-09 21:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-09 21:41
Reported
2021-05-10 04:09
Platform
win7v20210408
Max time kernel
154s
Max time network
108s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 756 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 756 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 756 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 756 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe
"C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/756-60-0x00000000750C1000-0x00000000750C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | c0f95eabcd62311c871391c2cb43b63a |
| SHA1 | dd09f553ec80f979cea25a15023aa2b81bc82e27 |
| SHA256 | 5b8c0414ce355d8798811d313bd301f40d5955fcac3bdfd34b0609528a0bce10 |
| SHA512 | 7799365d19a01a6e4a6f9bedf13c3ce63347e134dc2f1848650ad7c1ada96f49138813939f48c273b5d61b257fc7a5e2b3d8414c78106f46a05fb7f513507554 |
memory/1764-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | c0f95eabcd62311c871391c2cb43b63a |
| SHA1 | dd09f553ec80f979cea25a15023aa2b81bc82e27 |
| SHA256 | 5b8c0414ce355d8798811d313bd301f40d5955fcac3bdfd34b0609528a0bce10 |
| SHA512 | 7799365d19a01a6e4a6f9bedf13c3ce63347e134dc2f1848650ad7c1ada96f49138813939f48c273b5d61b257fc7a5e2b3d8414c78106f46a05fb7f513507554 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | c0f95eabcd62311c871391c2cb43b63a |
| SHA1 | dd09f553ec80f979cea25a15023aa2b81bc82e27 |
| SHA256 | 5b8c0414ce355d8798811d313bd301f40d5955fcac3bdfd34b0609528a0bce10 |
| SHA512 | 7799365d19a01a6e4a6f9bedf13c3ce63347e134dc2f1848650ad7c1ada96f49138813939f48c273b5d61b257fc7a5e2b3d8414c78106f46a05fb7f513507554 |
memory/756-66-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | c0f95eabcd62311c871391c2cb43b63a |
| SHA1 | dd09f553ec80f979cea25a15023aa2b81bc82e27 |
| SHA256 | 5b8c0414ce355d8798811d313bd301f40d5955fcac3bdfd34b0609528a0bce10 |
| SHA512 | 7799365d19a01a6e4a6f9bedf13c3ce63347e134dc2f1848650ad7c1ada96f49138813939f48c273b5d61b257fc7a5e2b3d8414c78106f46a05fb7f513507554 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-09 21:41
Reported
2021-05-10 04:09
Platform
win10v20210408
Max time kernel
154s
Max time network
153s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4652 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 4652 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 4652 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe
"C:\Users\Admin\AppData\Local\Temp\8580d74afbec2e72276337a8ff5b1115bec88eba2fd2163b1e14585ec62a850e.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/4652-114-0x00000000004B0000-0x00000000005FA000-memory.dmp
memory/4200-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | c0f95eabcd62311c871391c2cb43b63a |
| SHA1 | dd09f553ec80f979cea25a15023aa2b81bc82e27 |
| SHA256 | 5b8c0414ce355d8798811d313bd301f40d5955fcac3bdfd34b0609528a0bce10 |
| SHA512 | 7799365d19a01a6e4a6f9bedf13c3ce63347e134dc2f1848650ad7c1ada96f49138813939f48c273b5d61b257fc7a5e2b3d8414c78106f46a05fb7f513507554 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | c0f95eabcd62311c871391c2cb43b63a |
| SHA1 | dd09f553ec80f979cea25a15023aa2b81bc82e27 |
| SHA256 | 5b8c0414ce355d8798811d313bd301f40d5955fcac3bdfd34b0609528a0bce10 |
| SHA512 | 7799365d19a01a6e4a6f9bedf13c3ce63347e134dc2f1848650ad7c1ada96f49138813939f48c273b5d61b257fc7a5e2b3d8414c78106f46a05fb7f513507554 |
memory/4200-118-0x00000000004F0000-0x00000000004F1000-memory.dmp