Analysis
max time kernel: 150s
max time network: 114s
platform: windows7_x64
resource: win7v20210410
submitted: 11-05-2021 12:21
Static task: static1
Behavioral task: behavioral1
  Sample: 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
  Resource: win10v20210410
General
Target: 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
Size: 34KB
MD5: 3c1e71fc593219b7002adc771f23333a
SHA1: 2060f434a814f86612c9d76e1a29436c448b3ec6
SHA256: 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf
SHA512: 1cb259baba85829f5d82a1b0f9da3c469f406e4276e666a19a37683abb05d2496d4443ef31107f2067a268fcd9d533c933899bc780b13e123ee3401efe2bbfa3
Malware Config
Signatures

Upatre
Upatre is a generic malware downloader.

Executes dropped EXE (1 IoC)
Processes:
  PID 1348  szgfw.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1088  91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
  PID 1088  91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description | pid | process | target process):
  PID 1088 wrote to memory of 1348 | 1088 | 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe | szgfw.exe
  PID 1088 wrote to memory of 1348 | 1088 | 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe | szgfw.exe
  PID 1088 wrote to memory of 1348 | 1088 | 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe | szgfw.exe
  PID 1088 wrote to memory of 1348 | 1088 | 91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe | szgfw.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\91dec01c4c83854f5a5773ac7d35236e0d076ee8cb337ce2e1dedd1b009798cf.exe"
   PID: 1088
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe (child of PID 1088)
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      PID: 1348
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 532ab42ab0be50660b7e7e4c78b925e8
SHA1: 0b9e93d43e0bb0a58c5e2b95ac9b6870a0f3488b
SHA256: c3e2159aeb899b62a0cc7ec77b61b796b1fff64d27e3430ac8330041f8a1a221
SHA512: de21c7b79603b24163ebda2c30548116217d67f4cf2305666c9724aee1c19e3bdb839f44682d3acd781f0f2d62c6765e0e2d2436653ad5d8928b59c86e4afa78