Analysis Overview
SHA256
ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0
Threat Level: Known bad
The file ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 05:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 05:21
Reported
2021-05-15 11:33
Platform
win7v20210408
Max time kernel
151s
Max time network
40s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1120 wrote to memory of 360 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1120 wrote to memory of 360 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1120 wrote to memory of 360 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1120 wrote to memory of 360 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe
"C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1120-59-0x0000000074D91000-0x0000000074D93000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 76f3ec304d802ef1c845aff36944cf20 |
| SHA1 | 462c3cd5e9e551271889a14413c90a7dbff681b0 |
| SHA256 | 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309 |
| SHA512 | 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056 |
memory/360-62-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 76f3ec304d802ef1c845aff36944cf20 |
| SHA1 | 462c3cd5e9e551271889a14413c90a7dbff681b0 |
| SHA256 | 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309 |
| SHA512 | 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 76f3ec304d802ef1c845aff36944cf20 |
| SHA1 | 462c3cd5e9e551271889a14413c90a7dbff681b0 |
| SHA256 | 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309 |
| SHA512 | 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056 |
memory/1120-65-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 76f3ec304d802ef1c845aff36944cf20 |
| SHA1 | 462c3cd5e9e551271889a14413c90a7dbff681b0 |
| SHA256 | 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309 |
| SHA512 | 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 05:21
Reported
2021-05-15 11:33
Platform
win10v20210408
Max time kernel
150s
Max time network
135s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 508 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 508 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 508 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe
"C:\Users\Admin\AppData\Local\Temp\ba1775b7efc29ea7105e2aeaca058ac5bd60c5f92e4ae43e4edf4d4892d3e0d0.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/508-114-0x0000000000510000-0x000000000065A000-memory.dmp
memory/3420-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 76f3ec304d802ef1c845aff36944cf20 |
| SHA1 | 462c3cd5e9e551271889a14413c90a7dbff681b0 |
| SHA256 | 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309 |
| SHA512 | 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 76f3ec304d802ef1c845aff36944cf20 |
| SHA1 | 462c3cd5e9e551271889a14413c90a7dbff681b0 |
| SHA256 | 9b0766f8c1630116fa7340bf7da47fee2c08c89cb5282162a2d81a66b59a9309 |
| SHA512 | 76fbc4b06b9212b4c4338420b210ecead3d3be535f94bc939b73cf0e3ddc96105ad3f93bd45e2e44af5c5bfc7c18d891c04362119c54c8f7cc60e678b4a7d056 |
memory/3420-118-0x0000000000410000-0x000000000055A000-memory.dmp