Analysis Overview
SHA256
fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308
Threat Level: Known bad
The file fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-17 10:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-17 10:34
Reported
2021-05-18 02:14
Platform
win7v20210408
Max time kernel
149s
Max time network
45s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1984 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1984 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1984 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1984 wrote to memory of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe
"C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1984-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 21a98deccc869e8ecbc39375701b8cb8 |
| SHA1 | 5c32f776e4e4c021d0e0bcf2af0cdb508516663b |
| SHA256 | ddcb8c12cc1a034c491f2924411bf22dd2ff69282aabf153e9f036de905769ed |
| SHA512 | b30cf88f589ffab20323a2502115355db93a99404d05f07255527869dc4fff1d4edc20f906b500abdd64d5e41b63203b64372a8b52620b1f3fb9282ee4b7db96 |
memory/656-62-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 21a98deccc869e8ecbc39375701b8cb8 |
| SHA1 | 5c32f776e4e4c021d0e0bcf2af0cdb508516663b |
| SHA256 | ddcb8c12cc1a034c491f2924411bf22dd2ff69282aabf153e9f036de905769ed |
| SHA512 | b30cf88f589ffab20323a2502115355db93a99404d05f07255527869dc4fff1d4edc20f906b500abdd64d5e41b63203b64372a8b52620b1f3fb9282ee4b7db96 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 21a98deccc869e8ecbc39375701b8cb8 |
| SHA1 | 5c32f776e4e4c021d0e0bcf2af0cdb508516663b |
| SHA256 | ddcb8c12cc1a034c491f2924411bf22dd2ff69282aabf153e9f036de905769ed |
| SHA512 | b30cf88f589ffab20323a2502115355db93a99404d05f07255527869dc4fff1d4edc20f906b500abdd64d5e41b63203b64372a8b52620b1f3fb9282ee4b7db96 |
memory/1984-65-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 21a98deccc869e8ecbc39375701b8cb8 |
| SHA1 | 5c32f776e4e4c021d0e0bcf2af0cdb508516663b |
| SHA256 | ddcb8c12cc1a034c491f2924411bf22dd2ff69282aabf153e9f036de905769ed |
| SHA512 | b30cf88f589ffab20323a2502115355db93a99404d05f07255527869dc4fff1d4edc20f906b500abdd64d5e41b63203b64372a8b52620b1f3fb9282ee4b7db96 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-17 10:34
Reported
2021-05-18 02:13
Platform
win10v20210408
Max time kernel
151s
Max time network
61s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 624 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 624 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 624 wrote to memory of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe
"C:\Users\Admin\AppData\Local\Temp\fa4c429aba5232aa2d98dbf68228746714e50978c8cdb304e766c9b385303308.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/624-114-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/708-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 21a98deccc869e8ecbc39375701b8cb8 |
| SHA1 | 5c32f776e4e4c021d0e0bcf2af0cdb508516663b |
| SHA256 | ddcb8c12cc1a034c491f2924411bf22dd2ff69282aabf153e9f036de905769ed |
| SHA512 | b30cf88f589ffab20323a2502115355db93a99404d05f07255527869dc4fff1d4edc20f906b500abdd64d5e41b63203b64372a8b52620b1f3fb9282ee4b7db96 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| Hash | Value |
|---|---|
| MD5 | 21a98deccc869e8ecbc39375701b8cb8 |
| SHA1 | 5c32f776e4e4c021d0e0bcf2af0cdb508516663b |
| SHA256 | ddcb8c12cc1a034c491f2924411bf22dd2ff69282aabf153e9f036de905769ed |
| SHA512 | b30cf88f589ffab20323a2502115355db93a99404d05f07255527869dc4fff1d4edc20f906b500abdd64d5e41b63203b64372a8b52620b1f3fb9282ee4b7db96 |
memory/708-118-0x0000000000410000-0x000000000055A000-memory.dmp