Analysis Overview
SHA256
626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4
Threat Level: Known bad
The file 626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-11 14:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-11 14:22
Reported
2021-05-11 21:33
Platform
win7v20210410
Max time kernel
151s
Max time network
115s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1208 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1208 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1208 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1208 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe
"C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 10.7.0.30:53869 | N/A | udp |
Files
memory/1208-59-0x0000000075561000-0x0000000075563000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | f227460c96a8fcffef6b1aa2fc6ddb7e |
| SHA1 | d28e4ba4a685de5e85415fe1d919fede6f870a79 |
| SHA256 | 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e |
| SHA512 | e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | f227460c96a8fcffef6b1aa2fc6ddb7e |
| SHA1 | d28e4ba4a685de5e85415fe1d919fede6f870a79 |
| SHA256 | 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e |
| SHA512 | e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395 |
memory/1368-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | f227460c96a8fcffef6b1aa2fc6ddb7e |
| SHA1 | d28e4ba4a685de5e85415fe1d919fede6f870a79 |
| SHA256 | 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e |
| SHA512 | e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395 |
memory/1208-65-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | f227460c96a8fcffef6b1aa2fc6ddb7e |
| SHA1 | d28e4ba4a685de5e85415fe1d919fede6f870a79 |
| SHA256 | 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e |
| SHA512 | e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-11 14:22
Reported
2021-05-11 21:34
Platform
win10v20210408
Max time kernel
150s
Max time network
112s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 784 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 784 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 784 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe
"C:\Users\Admin\AppData\Local\Temp\626dfcb96d94d0e0d350a271fd4e74be029171adcec4277e46a0bb44c3b324d4.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/784-114-0x0000000000500000-0x000000000064A000-memory.dmp
memory/1904-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | f227460c96a8fcffef6b1aa2fc6ddb7e |
| SHA1 | d28e4ba4a685de5e85415fe1d919fede6f870a79 |
| SHA256 | 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e |
| SHA512 | e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | f227460c96a8fcffef6b1aa2fc6ddb7e |
| SHA1 | d28e4ba4a685de5e85415fe1d919fede6f870a79 |
| SHA256 | 3435444e7954cbb7e274466666a3e70ccdc20fbb834557b11c823c0d1577225e |
| SHA512 | e12b801f519c77311079db4e64e79b2a170e53732b8fe75b34b0ce4a44d414cb8b699ec71df39e9a35b305a2b8672b2c37ab6c88305500cd425e19bd96de5395 |
memory/1904-118-0x0000000000530000-0x0000000000531000-memory.dmp