Analysis Overview
SHA256
73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31
Threat Level: Known bad
The file 73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-11 11:24
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-11 11:24
Reported
2021-05-11 15:50
Platform
win10v20210410
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4008 wrote to memory of 1324 (3 WriteProcessMemory events) | N/A | C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
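The signatures above describe one chain: the sample writes szgfw.exe into the user's Temp directory, starts it, and then calls WriteProcessMemory against the new process. The Python below is an added example, not part of the sandbox report, that correlates that chain over an API-trace log. The key=value line format, the benign notepad/cmd lines and the function names are assumptions constructed for the example; the PIDs and paths in the sample trace are taken from the behavioral2 run.

```python
import re

# Constructed API-trace lines modelled on the behavioral2 run in this report:
# PID 4008 drops szgfw.exe, starts it as PID 1324, then writes to its memory
# three times. The key=value format and the benign notepad/cmd lines at the
# end are assumptions for this example, not sandbox output.
SAMPLE_TRACE = r'''
ts=2021-05-11T11:25:01 pid=4008 image="C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe" op=FileWrite target="C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
ts=2021-05-11T11:25:02 pid=1324 ppid=4008 image="C:\Users\Admin\AppData\Local\Temp\szgfw.exe" op=ProcessCreate
ts=2021-05-11T11:25:02 pid=4008 op=WriteProcessMemory target_pid=1324
ts=2021-05-11T11:25:02 pid=4008 op=WriteProcessMemory target_pid=1324
ts=2021-05-11T11:25:02 pid=4008 op=WriteProcessMemory target_pid=1324
ts=2021-05-11T11:25:05 pid=900 image="C:\Windows\System32\notepad.exe" op=FileWrite target="C:\Users\Admin\Documents\notes.txt"
ts=2021-05-11T11:25:06 pid=2200 ppid=900 image="C:\Windows\System32\cmd.exe" op=ProcessCreate
'''

# key=value pairs; quoted values may contain spaces and backslashes
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EXEC_EXT = (".exe", ".dll", ".scr")


def parse_line(line):
    """Parse one trace line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def correlate(trace):
    """Return (signature, detail) findings for the drop -> execute -> write chain."""
    dropped = {}           # lower-cased path of a written executable -> writer PID
    dropped_children = {}  # PID started from a dropped executable -> (dropper PID, path)
    writes = {}            # (source PID, target PID) -> WriteProcessMemory call count
    findings = []

    for raw in trace.strip().splitlines():
        ev = parse_line(raw)
        op = ev.get("op")
        if op == "FileWrite" and ev["target"].lower().endswith(EXEC_EXT):
            dropped[ev["target"].lower()] = int(ev["pid"])
        elif op == "ProcessCreate":
            image = ev["image"]
            if image.lower() in dropped:
                child = int(ev["pid"])
                dropped_children[child] = (dropped[image.lower()], image)
                findings.append(("Executes dropped EXE", f"pid {child} <- {image}"))
        elif op == "WriteProcessMemory":
            key = (int(ev["pid"]), int(ev["target_pid"]))
            writes[key] = writes.get(key, 0) + 1

    # Report each (source, target) pair once with a call count; writes from the
    # dropper into the process it just started are the injection pattern.
    for (src, dst), count in writes.items():
        if dst in dropped_children and dropped_children[dst][0] == src:
            findings.append(("Writes to memory of dropped child",
                             f"pid {src} -> pid {dst} ({count} WriteProcessMemory calls)"))
        else:
            findings.append(("Suspicious use of WriteProcessMemory",
                             f"pid {src} -> pid {dst} ({count} WriteProcessMemory calls)"))
    return findings


if __name__ == "__main__":
    for signature, detail in correlate(SAMPLE_TRACE):
        print(f"{signature}: {detail}")
```

Counting WriteProcessMemory calls per (source, target) pair yields one finding with a count rather than one finding per call, and tying the write back to the process the dropper itself started separates this injection pattern from an unrelated cross-process write. A plain Windows event log does not record WriteProcessMemory calls; this correlation needs API-hooking telemetry such as the sandbox's own, or an EDR sensor that reports cross-process memory writes.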
Processes
C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe
"C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/4008-114-0x0000000000410000-0x00000000004BE000-memory.dmp
memory/1324-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 554fa38e928118d598f1c51ab9518eaf |
| SHA1 | 5872a38a7c0b08abb76fb486f609e0c44288800c |
| SHA256 | 775ee57e17b34fecf609945351990b3fc09864bbbecc3d97c048a4385420761b |
| SHA512 | 13b20dca79448d453eb3066b3ea30617d28eac7bb6394867d19ab43e99f0323b60381081083685cb007ded1c6bdbcba6b1efbfcc67ebad41b547539c4a7c584d |
memory/1324-118-0x00000000001E0000-0x00000000001E1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-11 11:24
Reported
2021-05-11 15:50
Platform
win7v20210410
Max time kernel
150s
Max time network
10s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 2 load events | N/A | C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2000 wrote to memory of 1696 (4 WriteProcessMemory events) | N/A | C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe
"C:\Users\Admin\AppData\Local\Temp\73a2f7ffb4bba1b2a871db0b739a91bb5855843584b1875c0631c96fa56afc31.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/2000-60-0x00000000765F1000-0x00000000765F3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 554fa38e928118d598f1c51ab9518eaf |
| SHA1 | 5872a38a7c0b08abb76fb486f609e0c44288800c |
| SHA256 | 775ee57e17b34fecf609945351990b3fc09864bbbecc3d97c048a4385420761b |
| SHA512 | 13b20dca79448d453eb3066b3ea30617d28eac7bb6394867d19ab43e99f0323b60381081083685cb007ded1c6bdbcba6b1efbfcc67ebad41b547539c4a7c584d |
memory/1696-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 554fa38e928118d598f1c51ab9518eaf |
| SHA1 | 5872a38a7c0b08abb76fb486f609e0c44288800c |
| SHA256 | 775ee57e17b34fecf609945351990b3fc09864bbbecc3d97c048a4385420761b |
| SHA512 | 13b20dca79448d453eb3066b3ea30617d28eac7bb6394867d19ab43e99f0323b60381081083685cb007ded1c6bdbcba6b1efbfcc67ebad41b547539c4a7c584d |
memory/2000-66-0x0000000000220000-0x0000000000221000-memory.dmp