Analysis Overview
SHA256
7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69
Threat Level: Known bad
The file 7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-17 09:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-17 09:48
Reported
2021-05-18 00:41
Platform
win7v20210408
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1840 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1840 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1840 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1840 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe
"C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1840-59-0x00000000762C1000-0x00000000762C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 8d675440005d20341cae63a86c4b375b |
| SHA1 | ef3d1c71675526a08b0b2188c744146e31393f63 |
| SHA256 | 1e8b289514f4f133c44fe7727e9a53b3afbb248130be708d7fc8f94b602c95e8 |
| SHA512 | 704526bc46f9e2e55f7499b20885811b74a2618c7d428379146eb34a97101976ca0bfda6b0a6ae9d48256cbe9371a7457332778153dc8103d3bfd9d6a33c0770 |
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 8d675440005d20341cae63a86c4b375b |
| SHA1 | ef3d1c71675526a08b0b2188c744146e31393f63 |
| SHA256 | 1e8b289514f4f133c44fe7727e9a53b3afbb248130be708d7fc8f94b602c95e8 |
| SHA512 | 704526bc46f9e2e55f7499b20885811b74a2618c7d428379146eb34a97101976ca0bfda6b0a6ae9d48256cbe9371a7457332778153dc8103d3bfd9d6a33c0770 |
memory/1052-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 8d675440005d20341cae63a86c4b375b |
| SHA1 | ef3d1c71675526a08b0b2188c744146e31393f63 |
| SHA256 | 1e8b289514f4f133c44fe7727e9a53b3afbb248130be708d7fc8f94b602c95e8 |
| SHA512 | 704526bc46f9e2e55f7499b20885811b74a2618c7d428379146eb34a97101976ca0bfda6b0a6ae9d48256cbe9371a7457332778153dc8103d3bfd9d6a33c0770 |
memory/1840-65-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 8d675440005d20341cae63a86c4b375b |
| SHA1 | ef3d1c71675526a08b0b2188c744146e31393f63 |
| SHA256 | 1e8b289514f4f133c44fe7727e9a53b3afbb248130be708d7fc8f94b602c95e8 |
| SHA512 | 704526bc46f9e2e55f7499b20885811b74a2618c7d428379146eb34a97101976ca0bfda6b0a6ae9d48256cbe9371a7457332778153dc8103d3bfd9d6a33c0770 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-17 09:48
Reported
2021-05-18 00:41
Platform
win10v20210408
Max time kernel
150s
Max time network
46s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 636 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 636 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 636 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe
"C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
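The signature chain recorded in both behavioral runs above (the submitted sample writes szgfw.exe into the user's Temp directory, executes it, and the parent PID then calls WriteProcessMemory on the child) is the pattern a detection engineer would want to match generically rather than by hash. The Python below is an added example, not the sandbox's own detection logic. The event dicts are constructed to mirror this report's rows (PID 1840 dropping and writing into PID 1052), and the event shape, the rule names and the assumed launcher PID 1000 are all assumptions for the example, not a real sandbox export format.

```python
import re
from collections import defaultdict

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WPM_ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm_row(description):
    """Parse a report row such as 'PID 1840 wrote to memory of 1052' into
    (writer_pid, target_pid); returns None for rows that do not match."""
    m = WPM_ROW_RE.search(description)
    return (int(m.group(1)), int(m.group(2))) if m else None


def wpm_events_from_rows(rows):
    """Turn the Description column of the WriteProcessMemory table into events."""
    events = []
    for row in rows:
        parsed = parse_wpm_row(row)
        if parsed:
            events.append({"type": "write_process_memory",
                           "pid": parsed[0], "target_pid": parsed[1]})
    return events


# Constructed events modelled on the behavioral1 run: the submitted sample
# (PID 1840, launched by an assumed sandbox PID 1000) writes szgfw.exe into
# %TEMP%, runs it as PID 1052 and then calls WriteProcessMemory on it four
# times. The event shape (type/pid/ppid/image/path/target_pid) is an
# assumption for this example, not a sandbox export format.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1840, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7fa37440e0322c2a1bf3f4bbf272afc6d74e6ca68a8fde08467b95bd8ab38b69.exe"},
    {"type": "file_write", "pid": 1840,
     "path": r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"},
    {"type": "process_create", "pid": 1052, "ppid": 1840,
     "image": r"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"},
    *wpm_events_from_rows(["PID 1840 wrote to memory of 1052"] * 4),
]


def lineage(pid, parent_of):
    """Return pid together with every ancestor recorded in parent_of."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        pid = parent_of.get(pid)
    return seen


def analyze(events):
    """Replay events in order and return (rule, detail) findings for the
    drop -> execute -> write-into-child chain recorded in the report."""
    dropped_by = {}            # lower-cased path -> pid that wrote it
    parent_of = {}             # pid -> ppid
    dropped_children = set()   # pids whose image was dropped by an ancestor
    wpm_counts = defaultdict(int)
    findings = []

    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            dropped_by[ev["path"].lower()] = ev["pid"]
        elif kind == "process_create":
            pid, ppid, image = ev["pid"], ev["ppid"], ev["image"]
            parent_of[pid] = ppid
            dropper = dropped_by.get(image.lower())
            # Count it as "executes dropped EXE" only when the dropper is the
            # parent or one of its ancestors, so an unrelated process that
            # happens to run the file later is not misattributed.
            if dropper is not None and dropper in lineage(ppid, parent_of):
                dropped_children.add(pid)
                findings.append(("executes_dropped_exe",
                                 f"PID {ppid} ran {image} written by PID {dropper}"))
            elif TEMP_DIR_RE.search(image):
                findings.append(("executes_from_temp",
                                 f"PID {ppid} ran {image} from a user Temp directory"))
        elif kind == "write_process_memory":
            wpm_counts[(ev["pid"], ev["target_pid"])] += 1

    # A parent writing into a child it just created is not proof of injection
    # on its own (process creation and debuggers do it too); a write into a
    # child whose image the parent itself dropped is the pattern to escalate.
    for (writer, target), n in wpm_counts.items():
        if parent_of.get(target) != writer:
            continue
        rule = ("injects_into_dropped_child" if target in dropped_children
                else "writes_to_child_memory")
        findings.append((rule, f"PID {writer} wrote to PID {target} {n} time(s)"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run stand-alone it prints one line per finding for the constructed behavioral1 events; feeding it the behavioral2 rows ("PID 636 wrote to memory of 2860", three times) with the matching process and file events produces the same three rules. The parent-to-child WriteProcessMemory rows are ranked separately from the file drop on purpose: the sandbox labels that signature "suspicious" rather than malicious because a parent writing into a child it has just created also happens during ordinary process creation, and it is the combination with executing a file the parent itself wrote to %TEMP% that raises confidence.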
Network
Files
memory/2860-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 8d675440005d20341cae63a86c4b375b |
| SHA1 | ef3d1c71675526a08b0b2188c744146e31393f63 |
| SHA256 | 1e8b289514f4f133c44fe7727e9a53b3afbb248130be708d7fc8f94b602c95e8 |
| SHA512 | 704526bc46f9e2e55f7499b20885811b74a2618c7d428379146eb34a97101976ca0bfda6b0a6ae9d48256cbe9371a7457332778153dc8103d3bfd9d6a33c0770 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 8d675440005d20341cae63a86c4b375b |
| SHA1 | ef3d1c71675526a08b0b2188c744146e31393f63 |
| SHA256 | 1e8b289514f4f133c44fe7727e9a53b3afbb248130be708d7fc8f94b602c95e8 |
| SHA512 | 704526bc46f9e2e55f7499b20885811b74a2618c7d428379146eb34a97101976ca0bfda6b0a6ae9d48256cbe9371a7457332778153dc8103d3bfd9d6a33c0770 |
memory/636-117-0x0000000000460000-0x0000000000461000-memory.dmp