Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 17-05-2021 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
  Resource: win10v20210410
General
- Target: d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
- Size: 605KB
- MD5: fa6f37a85bb2fbc2a6c1ba5ae945e679
- SHA1: 44119386fc5293c911a2919d417bfef26cfcbf62
- SHA256: d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5
- SHA512: 2636892fabd453ce0f03ef2089a9136711b23b66bf8bedca0aac2fa4f3df175f33d2a1eada6e7901a2f2ce3337124ebbdf80adb8676e655732949407a42a209e
Malware Config
Signatures
- Upatre
  Upatre is a generic malware downloader.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1588  szgfw.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1040  d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
    pid 1040  d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target pid, target process):
    wrote to memory of  PID 1040  d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe  ->  PID 1588  szgfw.exe
    wrote to memory of  PID 1040  d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe  ->  PID 1588  szgfw.exe
    wrote to memory of  PID 1040  d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe  ->  PID 1588  szgfw.exe
    wrote to memory of  PID 1040  d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe  ->  PID 1588  szgfw.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe"
  PID: 1040
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\szgfw.exe (child of PID 1040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
    PID: 1588
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 043948ad7f853e7f5974fc71d3f8eb1f
  SHA1: 636a691e9a9c4655a210b9a1a003f6bb6fcdaaa6
  SHA256: 56817942cc2a65f2091bfa15515f2e99e6b3b58676d2966ab6b359d7f7918d43
  SHA512: 4ab5ff586eb4ac8b9d63400d49a8f5121b634000576cf65703dad81ec7f29cb1f3b170430df84e9b734ac2d27a3606850b7e6b29faf355a8e58e12c9c1ed7640