Analysis Overview
SHA256
de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111
Threat Level: Known bad
The file de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-09 17:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-09 17:35
Reported
2021-05-09 20:12
Platform
win7v20210410
Max time kernel
151s
Max time network
127s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 336 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 336 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 336 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 336 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe
"C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 172.217.20.110:80 | | tcp |
| N/A | 172.217.20.110:80 | | tcp |
| N/A | 172.217.20.110:80 | | tcp |
Files
memory/336-60-0x0000000075551000-0x0000000075553000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 40d97b7919332709a9fb45ebabb338ec |
| SHA1 | 272df6a891dede1875570fa94125050959dd5bbe |
| SHA256 | 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9 |
| SHA512 | 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 40d97b7919332709a9fb45ebabb338ec |
| SHA1 | 272df6a891dede1875570fa94125050959dd5bbe |
| SHA256 | 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9 |
| SHA512 | 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32 |
memory/824-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 40d97b7919332709a9fb45ebabb338ec |
| SHA1 | 272df6a891dede1875570fa94125050959dd5bbe |
| SHA256 | 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9 |
| SHA512 | 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32 |
memory/336-66-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 40d97b7919332709a9fb45ebabb338ec |
| SHA1 | 272df6a891dede1875570fa94125050959dd5bbe |
| SHA256 | 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9 |
| SHA512 | 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-09 17:35
Reported
2021-05-09 20:12
Platform
win10v20210410
Max time kernel
149s
Max time network
134s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3892 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3892 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3892 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe
"C:\Users\Admin\AppData\Local\Temp\de16bf872e86b5f82d0163db52362384a29a41ea2bd1cbdfe915c71b22ae3111.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/3892-114-0x0000000000470000-0x000000000051E000-memory.dmp
memory/2312-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 40d97b7919332709a9fb45ebabb338ec |
| SHA1 | 272df6a891dede1875570fa94125050959dd5bbe |
| SHA256 | 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9 |
| SHA512 | 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 40d97b7919332709a9fb45ebabb338ec |
| SHA1 | 272df6a891dede1875570fa94125050959dd5bbe |
| SHA256 | 6c79c6991b7e1f4034a17fa617eb77f13b1cc25b205b592032397fc093daaff9 |
| SHA512 | 6af9c8693744ae3953e72f63f9681dfb9cbe502ff645fd9b465940e22314286a7821c7a9ad1bb2cb7fa8aae6de2bb41aaba7533b56079e85556f2361c3d42d32 |
memory/2312-118-0x0000000000460000-0x0000000000461000-memory.dmp