Analysis Overview
SHA256
23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4
Threat Level: Known bad
The file 23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-11 15:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-11 15:28
Reported
2021-05-11 23:49
Platform
win7v20210410
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 296 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 296 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 296 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 296 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe
"C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 172.217.20.110:80 | N/A | tcp |
| N/A | 172.217.20.110:80 | N/A | tcp |
| N/A | 172.217.20.110:80 | N/A | tcp |
Files
memory/296-59-0x00000000757E1000-0x00000000757E3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 62aba4e648e29105f81f089eb660cbf0 |
| SHA1 | 531c17187675a2b4e244ef6e81e43ef471064386 |
| SHA256 | 9db5c6f179c371a1efe3afcb8a29128108948d26189a1327d742d650984712c1 |
| SHA512 | 93014a01765c20b052de03d2b47fe3ecc582c9ddf7b60b8b09f47a79c49045456212f54fbd25e65057ce6d877665bb8a5d2c022dcfbc8d34f4f1cff1854080f0 |
memory/1988-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 62aba4e648e29105f81f089eb660cbf0 |
| SHA1 | 531c17187675a2b4e244ef6e81e43ef471064386 |
| SHA256 | 9db5c6f179c371a1efe3afcb8a29128108948d26189a1327d742d650984712c1 |
| SHA512 | 93014a01765c20b052de03d2b47fe3ecc582c9ddf7b60b8b09f47a79c49045456212f54fbd25e65057ce6d877665bb8a5d2c022dcfbc8d34f4f1cff1854080f0 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 62aba4e648e29105f81f089eb660cbf0 |
| SHA1 | 531c17187675a2b4e244ef6e81e43ef471064386 |
| SHA256 | 9db5c6f179c371a1efe3afcb8a29128108948d26189a1327d742d650984712c1 |
| SHA512 | 93014a01765c20b052de03d2b47fe3ecc582c9ddf7b60b8b09f47a79c49045456212f54fbd25e65057ce6d877665bb8a5d2c022dcfbc8d34f4f1cff1854080f0 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 62aba4e648e29105f81f089eb660cbf0 |
| SHA1 | 531c17187675a2b4e244ef6e81e43ef471064386 |
| SHA256 | 9db5c6f179c371a1efe3afcb8a29128108948d26189a1327d742d650984712c1 |
| SHA512 | 93014a01765c20b052de03d2b47fe3ecc582c9ddf7b60b8b09f47a79c49045456212f54fbd25e65057ce6d877665bb8a5d2c022dcfbc8d34f4f1cff1854080f0 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-11 15:28
Reported
2021-05-11 23:49
Platform
win10v20210408
Max time kernel
151s
Max time network
111s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 796 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 796 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 796 wrote to memory of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe
"C:\Users\Admin\AppData\Local\Temp\23476fefcdea958721e286472dd3f7a9aa647b6f8c122eeb427971cfc8d210f4.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/4080-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 62aba4e648e29105f81f089eb660cbf0 |
| SHA1 | 531c17187675a2b4e244ef6e81e43ef471064386 |
| SHA256 | 9db5c6f179c371a1efe3afcb8a29128108948d26189a1327d742d650984712c1 |
| SHA512 | 93014a01765c20b052de03d2b47fe3ecc582c9ddf7b60b8b09f47a79c49045456212f54fbd25e65057ce6d877665bb8a5d2c022dcfbc8d34f4f1cff1854080f0 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 62aba4e648e29105f81f089eb660cbf0 |
| SHA1 | 531c17187675a2b4e244ef6e81e43ef471064386 |
| SHA256 | 9db5c6f179c371a1efe3afcb8a29128108948d26189a1327d742d650984712c1 |
| SHA512 | 93014a01765c20b052de03d2b47fe3ecc582c9ddf7b60b8b09f47a79c49045456212f54fbd25e65057ce6d877665bb8a5d2c022dcfbc8d34f4f1cff1854080f0 |