Analysis

  • max time kernel
    152s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    09-05-2021 20:28

General

  • Target

    8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe

  • Size

    28KB

  • MD5

    ecd1de0f7827569af78ab4192dc9be48

  • SHA1

    1aff944ce54083991374fb1926585bc8ce110818

  • SHA256

    8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997

  • SHA512

    033f92f17aea19299c46f470a09632cf5cac533601859e163e1b7931a7ef655a6e35425423d7a2cbe9182fd18e41bcd5c3464024fdacc09fb809a5280640ed21

Score
10/10

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe
    "C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      2⤵
      • Executes dropped EXE
      PID:2660

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe

    MD5

    ac2d93dde499736a2dd57e885517ad9b

    SHA1

    950b39a53d41a8bfc9adebb521bd104415000d41

    SHA256

    c9931a5d8af0b8e86ed8230ce39b8f6b2b0440efe108734125d2dcd76955f363

    SHA512

    06c0156575ec38376916b0e2709ed6a3ae599f870fbe5696d8e697433a29ef0d8d25819195bbdbf8cb96195586fec37a1d5e26e36512d4f597f83895c8115238

  • memory/652-114-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB

  • memory/2660-115-0x0000000000000000-mapping.dmp

  • memory/2660-118-0x0000000000410000-0x000000000055A000-memory.dmp

    Filesize

    1.3MB