Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 15:52

General

  • Target

    7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe

  • Size

    31KB

  • MD5

    c3d9fb4244fd46565bb34b9d158555bf

  • SHA1

    d313b868c8e8e08744d65f9bbcd59266dc16de87

  • SHA256

    7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0

  • SHA512

    ded5845da44ce9c18c1c6a0a71247ea3d9d4d7f75dab982dbef49665404d1a027a87a4573ab1244a2e79ebbc7ea1d3c066428432935ada8da8b05206c591e662

Score
10/10

Malware Config

Signatures

  • Upatre

    Upatre is a generic malware downloader: a small executable whose job is to fetch and run a second-stage payload.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox scores this as likely ransomware behaviour, but drive enumeration is also a routine environment/sandbox check, so on its own it is not conclusive for a downloader such as Upatre.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe (PID 4048, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\szgfw.exe (PID 2112, depth 2, child of PID 4048)
      "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\szgfw.exe

    MD5

    3a17838a3e960d91d295f6109bf5d43b

    SHA1

    9b37c02e5102029a3c654b692ffb6cebb09af813

    SHA256

    c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227

    SHA512

    dfaf44c3c8079ceac036bab1bc7f43d2644a83f77874b4822d9ca05a4a9d0b08412521c712539754df3e546983e31fac4de10bbf4328118e8195addcdee8e464

  • memory/2112-114-0x0000000000000000-mapping.dmp

  • memory/4048-117-0x0000000000410000-0x000000000055A000-memory.dmp

    Filesize

    1.3MB
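The process tree and file hashes above are the actionable IoCs in this report. The following is an added example, not part of the sandbox output, showing how to turn them into a detection: it matches the listed SHA256 values against process-creation telemetry and, independently, flags the behavioural pattern seen here (an executable in the user's Temp directory spawning another executable in Temp). The event records, the explorer.exe parent of PID 4048, and the non-Upatre hashes are constructed for the example; field names loosely follow Sysmon Event ID 1.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# File hashes taken from the report above.
KNOWN_SHA256 = {
    "7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0": "Upatre sample",
    "c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227": "Upatre dropped szgfw.exe",
}

# Per-user temp directory, e.g. C:\Users\Admin\AppData\Local\Temp\
_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed; mirrors Sysmon EID 1 fields)."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    sha256: str


def is_temp_path(path: str) -> bool:
    """True if the image lives under a user's %LOCALAPPDATA%\\Temp."""
    return bool(_TEMP_RE.match(path))


def classify(event: ProcessEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list means no rule hit)."""
    reasons: list[str] = []
    label = KNOWN_SHA256.get(event.sha256.lower())
    if label:
        reasons.append(f"hash:{label}")
    # Behavioural rule from the process tree in the report: a Temp-resident
    # executable launching another Temp-resident executable ("Executes dropped EXE").
    # This also catches repacked variants whose hashes are not on the list.
    if is_temp_path(event.image) and is_temp_path(event.parent_image):
        reasons.append("temp-spawns-temp")
    return reasons


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that hit at least one rule."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


def chain(events: list[ProcessEvent], pid: int) -> list[int]:
    """Walk parent links back as far as the telemetry allows, child first."""
    by_pid = {ev.pid: ev for ev in events}
    lineage = [pid]
    while pid in by_pid and by_pid[pid].parent_pid in by_pid:
        pid = by_pid[pid].parent_pid
        lineage.append(pid)
    return lineage


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0"

# Constructed telemetry: the two processes from the report (parent of PID 4048
# assumed to be explorer.exe), one benign process, and an unknown-hash variant
# that only the behavioural rule can catch. Non-report hashes are placeholders.
EVENTS = [
    ProcessEvent(4048, rf"{TEMP}\{SAMPLE}.exe", 1234, r"C:\Windows\explorer.exe", SAMPLE),
    ProcessEvent(2112, rf"{TEMP}\szgfw.exe", 4048, rf"{TEMP}\{SAMPLE}.exe",
                 "c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227"),
    ProcessEvent(3200, r"C:\Windows\System32\notepad.exe", 1234, r"C:\Windows\explorer.exe",
                 "0" * 64),
    ProcessEvent(5100, rf"{TEMP}\qwert.exe", 5000, rf"{TEMP}\invoice.exe", "1" * 64),
]


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, chain(EVENTS, pid), reasons)
```

Hash matching is the cheap, exact check; the Temp-spawns-Temp rule is what survives a repack, at the cost of occasional noise from legitimate installers, so it is best used as a hunting query or a medium-severity alert rather than a block rule.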