Analysis Overview
SHA256
e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31
Threat Level: Known bad
The file e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 08:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 08:00
Reported
2021-05-15 16:19
Platform
win7v20210408
Max time kernel
149s
Max time network
57s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1724 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1724 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1724 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1724 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe
"C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1724-59-0x00000000769B1000-0x00000000769B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | e5a56fdf31338009071c2f2628332a27 |
| SHA1 | 977e6a9833f3d27f6e08df147b9d65baccf6f058 |
| SHA256 | 108b9f3b24eaa8348472e5323b693513084c15e785eedca4749c7b3f9e5e3a9e |
| SHA512 | 9284e600516aeedd805028943e488df59433f9deaf03e8f797b7bd528468c8c6a4bcce6afaf1b33afc5ee7d923ad045bf0b6a3f428d852113521bc280d9c67c0 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | e5a56fdf31338009071c2f2628332a27 |
| SHA1 | 977e6a9833f3d27f6e08df147b9d65baccf6f058 |
| SHA256 | 108b9f3b24eaa8348472e5323b693513084c15e785eedca4749c7b3f9e5e3a9e |
| SHA512 | 9284e600516aeedd805028943e488df59433f9deaf03e8f797b7bd528468c8c6a4bcce6afaf1b33afc5ee7d923ad045bf0b6a3f428d852113521bc280d9c67c0 |
memory/828-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | e5a56fdf31338009071c2f2628332a27 |
| SHA1 | 977e6a9833f3d27f6e08df147b9d65baccf6f058 |
| SHA256 | 108b9f3b24eaa8348472e5323b693513084c15e785eedca4749c7b3f9e5e3a9e |
| SHA512 | 9284e600516aeedd805028943e488df59433f9deaf03e8f797b7bd528468c8c6a4bcce6afaf1b33afc5ee7d923ad045bf0b6a3f428d852113521bc280d9c67c0 |
memory/1724-65-0x00000000003C0000-0x00000000003C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | e5a56fdf31338009071c2f2628332a27 |
| SHA1 | 977e6a9833f3d27f6e08df147b9d65baccf6f058 |
| SHA256 | 108b9f3b24eaa8348472e5323b693513084c15e785eedca4749c7b3f9e5e3a9e |
| SHA512 | 9284e600516aeedd805028943e488df59433f9deaf03e8f797b7bd528468c8c6a4bcce6afaf1b33afc5ee7d923ad045bf0b6a3f428d852113521bc280d9c67c0 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 08:00
Reported
2021-05-15 16:18
Platform
win10v20210410
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3560 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3560 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 3560 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe
"C:\Users\Admin\AppData\Local\Temp\e4e84c5e7336ad0bbf41b623aee4b7956f7a0533b94194ec8fa24b922a9b7b31.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/2284-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | e5a56fdf31338009071c2f2628332a27 |
| SHA1 | 977e6a9833f3d27f6e08df147b9d65baccf6f058 |
| SHA256 | 108b9f3b24eaa8348472e5323b693513084c15e785eedca4749c7b3f9e5e3a9e |
| SHA512 | 9284e600516aeedd805028943e488df59433f9deaf03e8f797b7bd528468c8c6a4bcce6afaf1b33afc5ee7d923ad045bf0b6a3f428d852113521bc280d9c67c0 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | e5a56fdf31338009071c2f2628332a27 |
| SHA1 | 977e6a9833f3d27f6e08df147b9d65baccf6f058 |
| SHA256 | 108b9f3b24eaa8348472e5323b693513084c15e785eedca4749c7b3f9e5e3a9e |
| SHA512 | 9284e600516aeedd805028943e488df59433f9deaf03e8f797b7bd528468c8c6a4bcce6afaf1b33afc5ee7d923ad045bf0b6a3f428d852113521bc280d9c67c0 |
memory/3560-117-0x0000000000740000-0x0000000000741000-memory.dmp