Analysis Overview
SHA256
900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a
Threat Level: Known bad
The file 900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 15:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 15:01
Reported
2021-05-16 01:13
Platform
win7v20210410
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1052 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1052 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1052 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1052 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe
"C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1052-59-0x0000000075721000-0x0000000075723000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | a7ce9b959e0456aa43b0243a15d484e9 |
| SHA1 | d7de590574f9bc0ba73db2fcff6785ad2999ba76 |
| SHA256 | b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be |
| SHA512 | 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | a7ce9b959e0456aa43b0243a15d484e9 |
| SHA1 | d7de590574f9bc0ba73db2fcff6785ad2999ba76 |
| SHA256 | b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be |
| SHA512 | 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339 |
memory/1692-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | a7ce9b959e0456aa43b0243a15d484e9 |
| SHA1 | d7de590574f9bc0ba73db2fcff6785ad2999ba76 |
| SHA256 | b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be |
| SHA512 | 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339 |
memory/1052-65-0x00000000003B0000-0x00000000003B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | a7ce9b959e0456aa43b0243a15d484e9 |
| SHA1 | d7de590574f9bc0ba73db2fcff6785ad2999ba76 |
| SHA256 | b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be |
| SHA512 | 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 15:01
Reported
2021-05-16 01:13
Platform
win10v20210410
Max time kernel
150s
Max time network
113s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4060 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 4060 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 4060 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe
"C:\Users\Admin\AppData\Local\Temp\900d3aa0344d8ceeac6d8b538dc508a052a4f07e90c23374e6c8c20bf0da994a.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/520-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | a7ce9b959e0456aa43b0243a15d484e9 |
| SHA1 | d7de590574f9bc0ba73db2fcff6785ad2999ba76 |
| SHA256 | b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be |
| SHA512 | 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
| --- | --- |
| MD5 | a7ce9b959e0456aa43b0243a15d484e9 |
| SHA1 | d7de590574f9bc0ba73db2fcff6785ad2999ba76 |
| SHA256 | b7333c7bcebff486d0dedd8ce5d970d24de8bfe53538898d2731f223d4d496be |
| SHA512 | 1e9cbb7a17c2da7743d262996765a6ab6fdd642ead74bfd238d6b990799458e085fe058581e6c1c0a9662d78892c9f1fe6f61cf79c07e00038cacb3421c00339 |
memory/4060-117-0x00000000005F0000-0x00000000005F1000-memory.dmp