Analysis Overview
SHA256
7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0
Threat Level: Known bad
The file 7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 15:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 15:52
Reported
2021-05-16 02:48
Platform
win7v20210408
Max time kernel
152s
Max time network
127s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1348 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1348 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1348 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1348 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe
"C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1348-60-0x00000000762C1000-0x00000000762C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 3a17838a3e960d91d295f6109bf5d43b |
| SHA1 | 9b37c02e5102029a3c654b692ffb6cebb09af813 |
| SHA256 | c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227 |
| SHA512 | dfaf44c3c8079ceac036bab1bc7f43d2644a83f77874b4822d9ca05a4a9d0b08412521c712539754df3e546983e31fac4de10bbf4328118e8195addcdee8e464 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 3a17838a3e960d91d295f6109bf5d43b |
| SHA1 | 9b37c02e5102029a3c654b692ffb6cebb09af813 |
| SHA256 | c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227 |
| SHA512 | dfaf44c3c8079ceac036bab1bc7f43d2644a83f77874b4822d9ca05a4a9d0b08412521c712539754df3e546983e31fac4de10bbf4328118e8195addcdee8e464 |
memory/1056-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 3a17838a3e960d91d295f6109bf5d43b |
| SHA1 | 9b37c02e5102029a3c654b692ffb6cebb09af813 |
| SHA256 | c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227 |
| SHA512 | dfaf44c3c8079ceac036bab1bc7f43d2644a83f77874b4822d9ca05a4a9d0b08412521c712539754df3e546983e31fac4de10bbf4328118e8195addcdee8e464 |
memory/1348-66-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 3a17838a3e960d91d295f6109bf5d43b |
| SHA1 | 9b37c02e5102029a3c654b692ffb6cebb09af813 |
| SHA256 | c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227 |
| SHA512 | dfaf44c3c8079ceac036bab1bc7f43d2644a83f77874b4822d9ca05a4a9d0b08412521c712539754df3e546983e31fac4de10bbf4328118e8195addcdee8e464 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 15:52
Reported
2021-05-16 02:48
Platform
win10v20210410
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 4048 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 4048 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe
"C:\Users\Admin\AppData\Local\Temp\7eca31920c299988bbccb99eb2b30f31eab1dfafc0b663eda68812f0dc07d8f0.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/2112-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 3a17838a3e960d91d295f6109bf5d43b |
| SHA1 | 9b37c02e5102029a3c654b692ffb6cebb09af813 |
| SHA256 | c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227 |
| SHA512 | dfaf44c3c8079ceac036bab1bc7f43d2644a83f77874b4822d9ca05a4a9d0b08412521c712539754df3e546983e31fac4de10bbf4328118e8195addcdee8e464 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 3a17838a3e960d91d295f6109bf5d43b |
| SHA1 | 9b37c02e5102029a3c654b692ffb6cebb09af813 |
| SHA256 | c41cb2e01a8a04f6a013bb8fdbd15ea25072758d5632739e12b4500fa77d4227 |
| SHA512 | dfaf44c3c8079ceac036bab1bc7f43d2644a83f77874b4822d9ca05a4a9d0b08412521c712539754df3e546983e31fac4de10bbf4328118e8195addcdee8e464 |
memory/4048-117-0x0000000000410000-0x000000000055A000-memory.dmp