Analysis
- max time kernel: 151s
- max time network: 66s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-05-2021 14:58

Static task: static1
Behavioral task: behavioral1
- Sample: b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe
- Resource: win10v20210408

General
- Target: b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe
- Size: 29KB
- MD5: 4788bdc84069aaa28ba46a4be62fbdaf
- SHA1: 36fbe0ba3ff8fd574554d77dabb476d1be984ca1
- SHA256: b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971
- SHA512: e15b2c7c36b0e4bcf5f5fd27dbbaa5dc2e13f584e9953aeef5655a421a1f86d822273319fd37d28b830792c2fc56ec7470e2b69b34d44c12e6b6ccb3a8a10622
Malware Config
Signatures
- Upatre
Upatre is a small downloader family: its job is to fetch a second-stage payload and run it, so the tag identifies the delivery mechanism, not the final payload. This report page carries no Malware Config entries and no Network entries, so the run does not show what, if anything, was fetched.
- Executes dropped EXE (1 IoC)
  Process: szgfw.exe (PID 1296)
- Loads dropped DLL (2 IoCs)
  Process: b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe (PID 1748), two load events
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature is "Likely ransomware behaviour", but drive enumeration is just as common in downloaders and environment checks, and nothing else in this report (no file-encryption or ransom-note activity) supports a ransomware reading for an Upatre sample.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1748 (b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe) wrote to memory of PID 1296 (szgfw.exe), four times.
  All four writes go from the sample into the child it has just launched. Creating a process already involves the parent writing the new process's startup parameters into its address space, so a small number of parent-to-child writes at launch is expected and this signature fires on almost any spawn. It would carry weight if the target were a process the writer did not create, or if the writes were numerous enough to suggest the child's image was being replaced (process hollowing); neither is the case here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe (PID 1748)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe (PID 1296), child of PID 1748
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      - Executes dropped EXE
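How a responder would read the WriteProcessMemory and dropped-EXE signatures above, as an added example (not part of the report and not the sandbox's own code). It rebuilds the parent/child relationship from the process list, then labels each writer/target pair: the four writes from PID 1748 into PID 1296 are a parent writing into a child it just spawned, which process creation itself requires. The block also includes a hypothetical write from the dropped EXE into an unrelated process (PID 900, explorer.exe, constructed and not in the report) to show the pattern that would justify the "suspicious" label. The write-count threshold and the C:\Windows path heuristic used to flag hollowing are assumptions, marked as such in the code.

```python
"""Triage of a sandbox's process-creation and WriteProcessMemory records.

Added example, not part of the report and not the sandbox's own code. The
sample records are constructed from the PIDs and paths the report shows
(1748 launching 1296 and writing into it four times), plus one
hypothetical write into an unrelated process to show the contrast.
"""
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the monitored tree
    image: str


@dataclass(frozen=True)
class MemWrite:
    src: int              # writing process
    dst: int              # process whose memory was written


# Assumption: a plain CreateProcess launch needs only a handful of
# parent-to-child writes (startup parameters, PEB fields); a loader that
# unmaps and rewrites the child's image needs far more.
MAX_SETUP_WRITES = 8


def _parts(image: str) -> List[str]:
    return [p.lower() for p in PureWindowsPath(image).parts]


def is_user_temp_exe(image: str) -> bool:
    """Executable run out of a Temp directory (the 'dropped EXE' pattern)."""
    parts = _parts(image)
    return "temp" in parts and parts[-1].endswith(".exe")


def is_system_image(image: str) -> bool:
    """Image lives under C:\\Windows, the usual hollowing target (assumed heuristic)."""
    parts = _parts(image)
    return len(parts) > 1 and parts[1] == "windows"


def classify_writes(procs: List[Proc], writes: List[MemWrite]) -> Dict[Tuple[int, int], str]:
    """Label each (src, dst) writer/target pair.

    spawn-setup           parent writing a little into a child it created
    hollowing-candidate   parent rewriting a child heavily, or a system binary (T1055.012)
    injection-candidate   write into a process the writer did not create (T1055)
    unknown-target        target not present in the process list
    """
    by_pid = {p.pid: p for p in procs}
    counts = Counter((w.src, w.dst) for w in writes)
    verdicts: Dict[Tuple[int, int], str] = {}
    for (src, dst), n in counts.items():
        target = by_pid.get(dst)
        if target is None:
            verdicts[(src, dst)] = "unknown-target"
        elif target.ppid != src:
            verdicts[(src, dst)] = "injection-candidate"
        elif n > MAX_SETUP_WRITES or is_system_image(target.image):
            verdicts[(src, dst)] = "hollowing-candidate"
        else:
            verdicts[(src, dst)] = "spawn-setup"
    return verdicts


def dropped_exes(procs: List[Proc]) -> List[int]:
    """PIDs whose image runs from a Temp directory."""
    return [p.pid for p in procs if is_user_temp_exe(p.image)]


# Constructed from the report's process tree and its four WriteProcessMemory IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b716c1f8c61c039570c8f8402e63a137b362d1f516f8fcf0232734d8faf47971.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
PROCS = [
    Proc(1748, None, SAMPLE),
    Proc(1296, 1748, DROPPED),
    Proc(900, None, r"C:\Windows\explorer.exe"),   # hypothetical bystander, not in the report
]
REPORT_WRITES = [MemWrite(1748, 1296)] * 4
# Hypothetical: the dropped EXE writing into explorer.exe, a process it did not create.
INJECTION_WRITES = REPORT_WRITES + [MemWrite(1296, 900)]

if __name__ == "__main__":
    print("report:", classify_writes(PROCS, REPORT_WRITES))
    print("hypothetical:", classify_writes(PROCS, INJECTION_WRITES))
    print("dropped exes:", dropped_exes(PROCS))
```

On the report's own records the only verdict is spawn-setup for (1748, 1296); the hypothetical write into PID 900 comes back as injection-candidate because the writer is not the target's parent. The same function would flag a parent that rewrites a child under C:\Windows, or that writes to it far more than a launch needs, as a hollowing candidate.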
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e77bfe02b547e5d53cc2bb790e0ccf2b
  SHA1: 6365447d7cb9fa1613a7ed225633cfc87f06688e
  SHA256: af62afff72bdec462ca23e5247b584a1a2e9ab2008614c629011e0ada39fa837
  SHA512: 1f4a6f14b4c6ff929eae84b8d479665f29a335abde18e7fe0335a0afdee58608a741efbec754b9d92a3c63eb7854f4abfe27ef2b85428e92f92ee8d8a9ac6d30
  The report does not name this file; its hashes differ from the submitted sample's, so it is a second artifact produced by the run rather than the sample itself.