Analysis Overview
SHA256
8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997
Threat Level: Known bad
The file 8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-09 20:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-09 20:28
Reported
2021-05-10 01:55
Platform
win7v20210408
Max time kernel
151s
Max time network
14s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1796 wrote to memory of 1548 (logged 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe
"C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1796-60-0x0000000076A01000-0x0000000076A03000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | ac2d93dde499736a2dd57e885517ad9b |
| SHA1 | 950b39a53d41a8bfc9adebb521bd104415000d41 |
| SHA256 | c9931a5d8af0b8e86ed8230ce39b8f6b2b0440efe108734125d2dcd76955f363 |
| SHA512 | 06c0156575ec38376916b0e2709ed6a3ae599f870fbe5696d8e697433a29ef0d8d25819195bbdbf8cb96195586fec37a1d5e26e36512d4f597f83895c8115238 |
memory/1548-63-0x0000000000000000-mapping.dmp
memory/1796-66-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-09 20:28
Reported
2021-05-10 01:55
Platform
win10v20210408
Max time kernel
152s
Max time network
140s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 652 wrote to memory of 2660 (logged 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe
"C:\Users\Admin\AppData\Local\Temp\8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 172.217.20.110:80 | N/A | tcp |
The same TCP connection to 172.217.20.110:80 was logged five times; no domain was resolved for it.
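The behaviour recorded across both detonations is a compact chain: a sample running from the user's Temp directory drops szgfw.exe next to itself, executes it, writes into the child's memory, and (on Windows 10) opens a TCP connection to 172.217.20.110:80. The script below is an added example, not part of the sandbox report or the Upatre sample, showing how an analyst would turn those observations into a reusable check: it hashes a candidate file against the digests listed for szgfw.exe and correlates process-creation, WriteProcessMemory and connection events into a "Temp-resident parent spawns a different Temp-resident executable" finding. The event format, the explorer.exe parent, PID 4000, PID 4100 and the attribution of the connection to the child process are constructed assumptions; the report does not say which process opened the socket. One caveat on the network indicator: 172.217.20.110 lies in address space announced by Google, so it is more plausibly a connectivity check than a command-and-control endpoint, and a production rule should flag it for context rather than block on it.

```python
import hashlib
import re
from collections import defaultdict

# Indicators copied from the sandbox report (behavioral1 and behavioral2).
SAMPLE_SHA256 = "8705049e8dc08e6ce300d3653273d23625065c3da4256ab56205872313145997"
DROPPED_EXE_HASHES = {
    "md5": "ac2d93dde499736a2dd57e885517ad9b",
    "sha1": "950b39a53d41a8bfc9adebb521bd104415000d41",
    "sha256": "c9931a5d8af0b8e86ed8230ce39b8f6b2b0440efe108734125d2dcd76955f363",
}
REPORT_DESTINATION = ("172.217.20.110", 80)

# An .exe sitting directly in a user's %LOCALAPPDATA%\Temp, as both processes here do.
TEMP_EXE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE)


def hash_bytes(data: bytes) -> dict:
    """Hash a file body with the four algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def is_reported_dropped_exe(data: bytes) -> bool:
    """True only when every listed digest matches the dropped szgfw.exe."""
    digests = hash_bytes(data)
    return all(digests[alg] == value for alg, value in DROPPED_EXE_HASHES.items())


def find_temp_dropper_chains(events):
    """Correlate events (constructed format) into drop-and-execute findings.

    Event dicts carry a "type" key:
      process_create       pid, image, parent_pid, parent_image
      write_process_memory pid (writer), target_pid
      tcp_connect          pid, dst_ip, dst_port
    """
    image_of, parent_of = {}, {}
    memory_writes, connections = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["type"] == "process_create":
            image_of[ev["pid"]] = ev["image"]
            image_of.setdefault(ev["parent_pid"], ev["parent_image"])
            parent_of[ev["pid"]] = ev["parent_pid"]
        elif ev["type"] == "write_process_memory":
            memory_writes[ev["pid"]].add(ev["target_pid"])
        elif ev["type"] == "tcp_connect":
            connections[ev["pid"]].add((ev["dst_ip"], ev["dst_port"]))

    findings = []
    for child, parent in parent_of.items():
        child_img = image_of.get(child, "")
        parent_img = image_of.get(parent, "")
        # Both parent and child must live in Temp, as in the report's process tree.
        if not (TEMP_EXE_RE.match(child_img) and TEMP_EXE_RE.match(parent_img)):
            continue
        if child_img.lower() == parent_img.lower():
            continue  # a process re-launching its own image is not a drop-and-execute
        findings.append({
            "parent_pid": parent,
            "child_pid": child,
            "parent_image": parent_img,
            "child_image": child_img,
            "parent_wrote_child_memory": child in memory_writes[parent],
            "reached_report_destination":
                REPORT_DESTINATION in (connections[parent] | connections[child]),
        })
    return findings


# Constructed events modelled on behavioral2 (PIDs 652 -> 2660). The explorer.exe
# parent, PIDs 4000/4100 and the connection's owning PID are assumptions.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 652, "parent_pid": 4000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % SAMPLE_SHA256},
    {"type": "process_create", "pid": 2660, "parent_pid": 652,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % SAMPLE_SHA256,
     "image": r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"},
    {"type": "write_process_memory", "pid": 652, "target_pid": 2660},
    {"type": "tcp_connect", "pid": 2660, "dst_ip": "172.217.20.110", "dst_port": 80},
    # Benign noise: explorer starting notepad must not be reported.
    {"type": "process_create", "pid": 4100, "parent_pid": 4000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in find_temp_dropper_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script reports exactly one chain (652 spawning 2660 from Temp) with both the memory-write and the destination flags set, and ignores the explorer-to-notepad launch. To apply it to real telemetry, map Sysmon event IDs 1 (process create), 10 (process access, filtered to write rights) and 3 (network connect) onto the three event types; the hash check is the part to run on any szgfw.exe recovered from a host, since a matching SHA256 alone would already be conclusive and all four digests together rule out a collision argument.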
Files
memory/652-114-0x0000000000980000-0x0000000000981000-memory.dmp
memory/2660-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | ac2d93dde499736a2dd57e885517ad9b |
| SHA1 | 950b39a53d41a8bfc9adebb521bd104415000d41 |
| SHA256 | c9931a5d8af0b8e86ed8230ce39b8f6b2b0440efe108734125d2dcd76955f363 |
| SHA512 | 06c0156575ec38376916b0e2709ed6a3ae599f870fbe5696d8e697433a29ef0d8d25819195bbdbf8cb96195586fec37a1d5e26e36512d4f597f83895c8115238 |
memory/2660-118-0x0000000000410000-0x000000000055A000-memory.dmp