Analysis Overview
SHA256
e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a
Threat Level: Known bad
The file e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1
Detonation Overview
Reported
2021-05-10 16:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-10 16:05
Reported
2021-05-10 16:14
Platform
win7v20210408
Max time kernel
153s
Max time network
17s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1028 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
"C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1028-60-0x0000000076A01000-0x0000000076A03000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 7cab6784a16860c8df2c4c4f4a8652fd |
| SHA1 | 997d7035b0666abf30eeeb17d2766088787d82a5 |
| SHA256 | 7cae6331f8cf194aeea5560ffd3a0e6bf9f6786822880895ffc7814b940112de |
| SHA512 | 3ac4bd08a62bc871b7d17f6f7d6280856f23fbb0d4743907e99b70ce939313b83db491c43fc07543635bc39fc7a83f2221d566ccc840151d19f25b88e6e680b9 |
memory/2032-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 7cab6784a16860c8df2c4c4f4a8652fd |
| SHA1 | 997d7035b0666abf30eeeb17d2766088787d82a5 |
| SHA256 | 7cae6331f8cf194aeea5560ffd3a0e6bf9f6786822880895ffc7814b940112de |
| SHA512 | 3ac4bd08a62bc871b7d17f6f7d6280856f23fbb0d4743907e99b70ce939313b83db491c43fc07543635bc39fc7a83f2221d566ccc840151d19f25b88e6e680b9 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-10 16:05
Reported
2021-05-10 16:14
Platform
win10v20210408
Max time kernel
152s
Max time network
139s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1456 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe
"C:\Users\Admin\AppData\Local\Temp\e8bd44457d2a351608ac16ad2440758a2c0a6619aa60bb9d966735d10971fd3a.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/576-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 7cab6784a16860c8df2c4c4f4a8652fd |
| SHA1 | 997d7035b0666abf30eeeb17d2766088787d82a5 |
| SHA256 | 7cae6331f8cf194aeea5560ffd3a0e6bf9f6786822880895ffc7814b940112de |
| SHA512 | 3ac4bd08a62bc871b7d17f6f7d6280856f23fbb0d4743907e99b70ce939313b83db491c43fc07543635bc39fc7a83f2221d566ccc840151d19f25b88e6e680b9 |