Analysis
- max time kernel: 151s
- max time network: 127s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 09-05-2021 17:35
Static task: static1
Behavioral task: behavioral1
  Sample: de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe
  Resource: win10v20210410
General
- Target: de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe
- Size: 151KB
- MD5: 40d3c1a78e678a50daf2b0da09e98113
- SHA1: d62962c94ac8aa9d59b2afb92f6722654d535ae7
- SHA256: de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111
- SHA512: 6460d6e4e37645f661d91463581375bbfe17c06b8f4c0f02f74e012abf81c1d7af5b35db5e081a6a445173894be1fe61dbde1d9ff7a0ba3f26129e6722627101
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Executes dropped EXE (1 IoCs)
  Processes: szgfw.exe (PID 824)
- Loads dropped DLL (2 IoCs)
  Processes: de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe (PID 336), de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe (PID 336)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process), 4 identical entries:
  wrote to memory of PID 824 / 336 / de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe / szgfw.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"
   PID: 336
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      PID: 824
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 40d97b7919332709a9fb45ebabb338ec
  SHA1: 272df6a891dede1875570fa94125050959dd5bbe
  SHA256: 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9
  SHA512: 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32