Analysis Overview
SHA256
e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50
Threat Level: Known bad
The file e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-13 02:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-13 02:28
Reported
2021-05-14 10:59
Platform
win7v20210410
Max time kernel
150s
Max time network
11s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1072 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1072 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1072 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1072 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe
"C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 68a937a939d8fe3a7d2c7af3fee09ec5 |
| SHA1 | d15870e5ec02147cfdb6d0f64fa636c901b04a80 |
| SHA256 | ca71c461156986927795d42f3f256a5f43ba040e107ffe5c7e5ec2835ee1e9f7 |
| SHA512 | 2bee0b9b8802ee3a9b2393425bc8a390bfed41f58e642ff83da43333af426d6a9cfb5efdff22e418f690973aa69949919a9104e2dacb64257a3f0b86919f42d4 |
memory/1524-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 68a937a939d8fe3a7d2c7af3fee09ec5 |
| SHA1 | d15870e5ec02147cfdb6d0f64fa636c901b04a80 |
| SHA256 | ca71c461156986927795d42f3f256a5f43ba040e107ffe5c7e5ec2835ee1e9f7 |
| SHA512 | 2bee0b9b8802ee3a9b2393425bc8a390bfed41f58e642ff83da43333af426d6a9cfb5efdff22e418f690973aa69949919a9104e2dacb64257a3f0b86919f42d4 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 68a937a939d8fe3a7d2c7af3fee09ec5 |
| SHA1 | d15870e5ec02147cfdb6d0f64fa636c901b04a80 |
| SHA256 | ca71c461156986927795d42f3f256a5f43ba040e107ffe5c7e5ec2835ee1e9f7 |
| SHA512 | 2bee0b9b8802ee3a9b2393425bc8a390bfed41f58e642ff83da43333af426d6a9cfb5efdff22e418f690973aa69949919a9104e2dacb64257a3f0b86919f42d4 |
memory/1072-66-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 68a937a939d8fe3a7d2c7af3fee09ec5 |
| SHA1 | d15870e5ec02147cfdb6d0f64fa636c901b04a80 |
| SHA256 | ca71c461156986927795d42f3f256a5f43ba040e107ffe5c7e5ec2835ee1e9f7 |
| SHA512 | 2bee0b9b8802ee3a9b2393425bc8a390bfed41f58e642ff83da43333af426d6a9cfb5efdff22e418f690973aa69949919a9104e2dacb64257a3f0b86919f42d4 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-13 02:28
Reported
2021-05-14 10:59
Platform
win10v20210410
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3176 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3176 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3176 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe
"C:\Users\Admin\AppData\Local\Temp\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/2828-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 68a937a939d8fe3a7d2c7af3fee09ec5 |
| SHA1 | d15870e5ec02147cfdb6d0f64fa636c901b04a80 |
| SHA256 | ca71c461156986927795d42f3f256a5f43ba040e107ffe5c7e5ec2835ee1e9f7 |
| SHA512 | 2bee0b9b8802ee3a9b2393425bc8a390bfed41f58e642ff83da43333af426d6a9cfb5efdff22e418f690973aa69949919a9104e2dacb64257a3f0b86919f42d4 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 68a937a939d8fe3a7d2c7af3fee09ec5 |
| SHA1 | d15870e5ec02147cfdb6d0f64fa636c901b04a80 |
| SHA256 | ca71c461156986927795d42f3f256a5f43ba040e107ffe5c7e5ec2835ee1e9f7 |
| SHA512 | 2bee0b9b8802ee3a9b2393425bc8a390bfed41f58e642ff83da43333af426d6a9cfb5efdff22e418f690973aa69949919a9104e2dacb64257a3f0b86919f42d4 |
memory/3176-117-0x0000000000410000-0x000000000055A000-memory.dmp
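The WriteProcessMemory, Executes dropped EXE and Files sections of behavioral1 and behavioral2 above describe the same staging pattern: the submitted sample drops szgfw.exe into %TEMP%, starts it, and then writes into the child's memory several times. The script below is an added example, not tooling from the sandbox vendor or from this report: it transcribes the rows above, reconstructs the parent-to-child write chain per run, decodes the memory-dump artifact names, and gives a host-side hash check for the dropped file. Paths, PIDs, dump names and hashes are copied from the report; the helper names, the reading of the second number in a dump name as the report's artifact sequence, and the chunk size are my assumptions.

```python
import hashlib
import re
from collections import Counter

# Values transcribed from the report above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PARENT = TEMP + r"\e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50.exe"
CHILD = TEMP + r"\szgfw.exe"
PARENT_SHA256 = "e5b03b94b3a30c6cbc2239052edfe92cc4b7456fcaf664b32e439c5e571c7e50"
CHILD_SHA256 = "ca71c461156986927795d42f3f256a5f43ba040e107ffe5c7e5ec2835ee1e9f7"

# One row per logged WriteProcessMemory call, so a repeated row is a repeated call.
DROPPED_EXECUTED = {"behavioral1": {CHILD}, "behavioral2": {CHILD}}
WRITE_ROWS = {
    "behavioral1": [("PID 1072 wrote to memory of 1524", PARENT, CHILD)] * 4,
    "behavioral2": [("PID 3176 wrote to memory of 2828", PARENT, CHILD)] * 3,
}
# Memory artifacts listed under Files for both runs.
DUMPS = [
    "memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp",
    "memory/1524-63-0x0000000000000000-mapping.dmp",
    "memory/1072-66-0x0000000000220000-0x0000000000221000-memory.dmp",
    "memory/2828-114-0x0000000000000000-mapping.dmp",
    "memory/3176-117-0x0000000000410000-0x000000000055A000-memory.dmp",
]

_WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
_DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp"
)


def parse_write(description):
    """'PID A wrote to memory of B' -> (A, B); any other text is rejected."""
    m = _WRITE_RE.fullmatch(description)
    if not m:
        raise ValueError(f"not a WriteProcessMemory row: {description!r}")
    return int(m.group(1)), int(m.group(2))


def injection_chains(run):
    """Cross-process writes whose target is a binary the run also dropped and
    executed. Returns [(src_pid, dst_pid, src_path, dst_path, calls)].
    A parent writing into a child it just spawned from %TEMP% is the pattern
    worth hunting; writes into the writer's own process are ignored."""
    counts = Counter()
    for description, src, dst in WRITE_ROWS[run]:
        src_pid, dst_pid = parse_write(description)
        if src_pid != dst_pid and dst in DROPPED_EXECUTED[run]:
            counts[(src_pid, dst_pid, src, dst)] += 1
    return [(*key, n) for key, n in counts.items()]


def parse_dump(name):
    """Decode an artifact name. Assumption: the second number is the report's
    artifact sequence; 'mapping' dumps carry no address range, so size is None."""
    m = _DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised artifact name: {name!r}")
    pid, seq, start, end, kind = m.groups()
    start = int(start, 16)
    end = int(end, 16) if end is not None else None
    return {
        "pid": int(pid),
        "seq": int(seq),
        "kind": kind,
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def dumps_for_pid(pid):
    """All decoded dump artifacts for one PID, in report order."""
    return [d for d in map(parse_dump, DUMPS) if d["pid"] == pid]


def second_stage_is_distinct():
    """True when the dropped file differs from the submitted sample, i.e. it is
    a real second stage rather than a self-copy."""
    return CHILD_SHA256 != PARENT_SHA256


def file_matches_dropped_ioc(path):
    """Host-side check: does the file at `path` carry the dropped file's SHA-256?
    Hashes in 64 KiB chunks (assumed size) so large files are handled safely."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == CHILD_SHA256


if __name__ == "__main__":
    for run in WRITE_ROWS:
        for src_pid, dst_pid, src, dst, n in injection_chains(run):
            print(f"{run}: {src_pid} -> {dst_pid} ({n} writes) {src} -> {dst}")
    for d in map(parse_dump, DUMPS):
        size = f"{d['size']:#x}" if d["size"] is not None else "n/a"
        print(f"pid {d['pid']:>5} seq {d['seq']:>3} {d['kind']:<7} size {size}")
```

Run as a script it prints one chain per run (four writes on win7, three on win10) and the decoded dump list; the two memory dumps for PID 1072 are small (0x2000 and 0x1000 bytes) while the win10 dump of PID 3176 covers 0x14A000 bytes, which is the region a practitioner would pull first when looking for the unpacked payload. The zero-address mapping entries for PIDs 1524 and 2828 are the child's dropped image, not a memory range, which is why the parser leaves their size unset.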