Analysis
-
max time kernel: 153s
max time network: 17s
platform: windows7_x64
resource: win7v20210408
submitted: 10-05-2021 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
  Resource: win10v20210408
General
Target: e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
Size: 51KB
MD5: f559d99a297876bd0e694b771d25802f
SHA1: e05079501a4028e85ee432667f3e314beca475df
SHA256: e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a
SHA512: bf22893205e4bccbff4047a048fd85de16d8f40dc870909e7fabc779f6ee45354872dbca41e3dd49b0e03790e35faaceaf88b18c47c4b129f6232b28a040fc78
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    2032  szgfw.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1028  e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
    1028  e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 1028 wrote to memory of 2032  1028  e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe  szgfw.exe
    PID 1028 wrote to memory of 2032  1028  e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe  szgfw.exe
    PID 1028 wrote to memory of 2032  1028  e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe  szgfw.exe
    PID 1028 wrote to memory of 2032  1028  e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe  szgfw.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe"
   PID: 1028
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      PID: 2032
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 7cab6784a16860c8df2c4c4f4a8652fd
SHA1: 997d7035b0666abf30eeeb17d2766088787d82a5
SHA256: 7cae6331f8cf194aeea5560ffd3a0e6bf9f6786822880895ffc7814b940112de
SHA512: 3ac4bd08a62bc871b7d17f6f7d6280856f23fbb0d4743907e99b70ce939313b83db491c43fc07543635bc39fc7a83f2221d566ccc840151d19f25b88e6e680b9