Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-05-2021 05:32
Static task: static1
Behavioral task: behavioral1
  Sample: 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe
  Resource: win10v20210410
General
- Target: 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe
- Size: 33KB
- MD5: b845c5edf17c3e5c53cf45a11cee687d
- SHA1: 5c8de755f6711fa1fe566501386ecd09c3bbe674
- SHA256: 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505
- SHA512: dc84c46f8be52d76374eabf5d16631c9c59447eea55fa7ffc5436d4c9953dbc7ccefa50b3c3b601cd7eac5bfc8d848e07a91cb0424ad1954bf78aefd61d5f27d
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Executes dropped EXE (1 IoC)
  Process: szgfw.exe (PID 1400)
- Loads dropped DLL (2 IoCs)
  Process: 7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe (PID 1820), two loads recorded
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is the sandbox's generic description for the signature. Drive enumeration is common in benign software and the sample is classified above as an Upatre downloader, so this entry is weak evidence on its own.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Source PID  Source process                                                          Target PID  Target process
  1820        7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe    1400        szgfw.exe
  The same row is recorded four times: the parent wrote to the memory of the child process it had just launched on four occasions. The report records only the writes, not their contents.
Processes
1. C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe"
   PID: 1820
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      PID: 1400
      - Executes dropped EXE
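The execution chain above (an executable in the user's Temp directory launching a second executable from the same directory, then obtaining write access to it) is a pattern worth detecting in endpoint telemetry independently of this sample's hashes. The following Python is an added example, not code from the sandbox or the report: it replays the chain as constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess) and flags it, while leaving a benign installer chain from Program Files unflagged. The PIDs and paths come from the report; the parent of PID 1820, the benign control events, and the use of an integer GrantedAccess field (real Sysmon logs it as a hex string) are assumptions.

```python
"""
Detect: process from a user-writable temp directory spawns another executable
from a user-writable temp directory and then opens it with memory-write rights.

Added example; not the sandbox's own detection logic. The event list below is
CONSTRUCTED in Sysmon style (Event ID 1 = ProcessCreate, Event ID 10 =
ProcessAccess). PIDs 1820/1400 and the Temp paths are from the report; the
explorer.exe parent and the Program Files control chain are assumptions.
"""
import re
from collections import defaultdict

# PROCESS_* access rights from winnt.h that allow writing another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Per-user Temp directory: writable by the user, a common drop location.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE
)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\7f2af53acc9b9884ff7e0aa90548a3b4c6639ad9b594b2326394a86743b41505.exe"
DROPPED = TEMP + r"\szgfw.exe"

# Constructed event stream mirroring the report's process tree and IoCs.
EVENTS = [
    # Assumed: the sandbox started the sample from explorer.exe (not in the report).
    {"EventID": 1, "ProcessId": 1820, "Image": SAMPLE,
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1400, "Image": DROPPED,
     "ParentProcessId": 1820, "ParentImage": SAMPLE},
    # Four ProcessAccess events 1820 -> 1400, matching the four WriteProcessMemory IoCs.
    # GrantedAccess is an int here; Sysmon writes it as a hex string such as "0x1FFFFF".
    *[{"EventID": 10, "SourceProcessId": 1820, "SourceImage": SAMPLE,
       "TargetProcessId": 1400, "TargetImage": DROPPED,
       "GrantedAccess": 0x1FFFFF} for _ in range(4)],
    # Benign control (assumed): an installer in Program Files spawns a helper
    # and never opens it for writing. Must not be flagged.
    {"EventID": 1, "ProcessId": 2200, "Image": r"C:\Program Files\Vendor\setup.exe",
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2300, "Image": r"C:\Program Files\Vendor\helper.exe",
     "ParentProcessId": 2200, "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]


def find_temp_drop_and_inject(events):
    """Return [(parent_pid, child_pid, write_opens)] for every parent/child pair
    where both images live in a user-writable Temp directory and the parent
    opened the child with PROCESS_VM_WRITE or PROCESS_VM_OPERATION."""
    # Step 1: parent -> children, restricted to Temp-to-Temp process creation.
    children_of = defaultdict(list)
    for e in events:
        if (e["EventID"] == 1
                and USER_WRITABLE.match(e["ParentImage"])
                and USER_WRITABLE.match(e["Image"])):
            children_of[e["ParentProcessId"]].append(e["ProcessId"])

    # Step 2: count write-capable opens per (source, target) pair.
    write_opens = defaultdict(int)
    for e in events:
        if e["EventID"] == 10 and e["GrantedAccess"] & WRITE_MASK:
            write_opens[(e["SourceProcessId"], e["TargetProcessId"])] += 1

    # Step 3: correlate; a Temp-to-Temp spawn alone is noisy, the write is the signal.
    hits = []
    for parent, kids in children_of.items():
        for child in kids:
            n = write_opens.get((parent, child), 0)
            if n:
                hits.append((parent, child, n))
    return hits


if __name__ == "__main__":
    for parent, child, n in find_temp_drop_and_inject(EVENTS):
        print(f"ALERT: PID {parent} launched PID {child} from a user Temp directory "
              f"and opened it with memory-write rights {n} time(s)")
```

Correlating the spawn with the subsequent write-capable open is what keeps this rule quiet: self-extracting archives and updaters launch children from Temp all the time, but a parent that immediately writes into a child it just created is the behaviour the report's WriteProcessMemory IoCs record.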
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fb876a6ad113595bf7b3acd1f5b9d23e
  SHA1: 71fb7757053633941b0a2bb09f82313006e4fc47
  SHA256: 8d926d2d5c0ea16f198e2a80f577f39953b7c9837efc06b7c3d13428f7d9fd01
  SHA512: 203397a0b6663a018336ed9029462936b849776ea46d5d63f966535c8c3b96c2bffdee2e2a054c89e60f94806705aba27f234b0cd7531a8bda51b8be4de72b29