Analysis Overview
SHA256
fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811
Threat Level: Known bad
The file fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 04:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 04:02
Reported
2021-05-15 08:40
Platform
win7v20210410
Max time kernel
151s
Max time network
11s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1084 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe
"C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | a147122d6b5c5e82dafa3ddf92bcf002 |
| SHA1 | 9d570d530598df4bd070ea68c5e52c749d50884b |
| SHA256 | 75b48d654209177407ae2b12165f0bd8238b18e12c1ba51e3453ff6be55760ce |
| SHA512 | 19fad02cd65b527ae20720293d7612a022052ae3cd504e953ccb0f5d2995c6068e26637504376dbe7c1129d18e3905442d1d6478c6660f014345875ca1f355b2 |
memory/1604-63-0x0000000000000000-mapping.dmp
memory/1084-66-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 04:02
Reported
2021-05-15 08:41
Platform
win10v20210408
Max time kernel
150s
Max time network
60s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4804 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe
"C:\Users\Admin\AppData\Local\Temp\fb39cc980f61715880a96484e377f963a9a9598580e70f43c1ff762cd2355811.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/4804-114-0x0000000002470000-0x0000000002471000-memory.dmp
memory/2432-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | a147122d6b5c5e82dafa3ddf92bcf002 |
| SHA1 | 9d570d530598df4bd070ea68c5e52c749d50884b |
| SHA256 | 75b48d654209177407ae2b12165f0bd8238b18e12c1ba51e3453ff6be55760ce |
| SHA512 | 19fad02cd65b527ae20720293d7612a022052ae3cd504e953ccb0f5d2995c6068e26637504376dbe7c1129d18e3905442d1d6478c6660f014345875ca1f355b2 |