Analysis Overview
SHA256
d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5
Threat Level: Known bad
The file d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5 was found to be: Known bad.
Malicious Activity Summary
Upatre
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-17 23:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-17 23:31
Reported
2021-05-18 03:47
Platform
win7v20210410
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 1040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
"C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
Network
Files
memory/1040-59-0x0000000074F31000-0x0000000074F33000-memory.dmp
\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 043948ad7f853e7f5974fc71d3f8eb1f |
| SHA1 | 636a691e9a9c4655a210b9a1a003f6bb6fcdaaa6 |
| SHA256 | 56817942cc2a65f2091bfa15515f2e99e6b3b58676d2966ab6b359d7f7918d43 |
| SHA512 | 4ab5ff586eb4ac8b9d63400d49a8f5121b634000576cf65703dad81ec7f29cb1f3b170430df84e9b734ac2d27a3606850b7e6b29faf355a8e58e12c9c1ed7640 |
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 043948ad7f853e7f5974fc71d3f8eb1f |
| SHA1 | 636a691e9a9c4655a210b9a1a003f6bb6fcdaaa6 |
| SHA256 | 56817942cc2a65f2091bfa15515f2e99e6b3b58676d2966ab6b359d7f7918d43 |
| SHA512 | 4ab5ff586eb4ac8b9d63400d49a8f5121b634000576cf65703dad81ec7f29cb1f3b170430df84e9b734ac2d27a3606850b7e6b29faf355a8e58e12c9c1ed7640 |
memory/1588-62-0x0000000000000000-mapping.dmp
memory/1040-65-0x00000000003B0000-0x00000000003B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-17 23:31
Reported
2021-05-18 03:47
Platform
win10v20210410
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Upatre
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\szgfw.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 512 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 512 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
| PID 512 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe | C:\Users\Admin\AppData\Local\Temp\szgfw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe
"C:\Users\Admin\AppData\Local\Temp\d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5.exe"
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
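Both detonations (behavioral1 on win7, behavioral2 on win10) record the same chain: the submitted sample writes szgfw.exe into %TEMP%, executes it, and then calls WriteProcessMemory into the new child (four times as PID 1040 to 1588, three times as PID 512 to 2716). The Python below is an added example of how to correlate that drop-execute-write chain from process telemetry; it is not part of the sandbox report. The Event schema and the benign control events are constructed for this example, the PIDs and paths are taken from the tables above, and the hash set is copied from the Files section.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hashes copied from the report: the submitted sample and the dropped szgfw.exe.
DROPPER_SHA256 = "d57254bc47220ce91897a37c74078015d74730060117ae728f9fb3ed934bf3a5"
DROPPED_SHA256 = "56817942cc2a65f2091bfa15515f2e99e6b3b58676d2966ab6b359d7f7918d43"
KNOWN_BAD_SHA256 = {DROPPER_SHA256, DROPPED_SHA256}


@dataclass(frozen=True)
class Event:
    """One telemetry record. Field names are this example's own, not a sandbox schema."""
    kind: str              # "file_write" | "process_create" | "write_process_memory"
    pid: int               # acting process
    image: str             # acting process image path
    target: str = ""       # file path written, or child image for process_create
    target_pid: int = 0    # child PID for process_create / write_process_memory
    sha256: str = ""       # hash of the written file (file_write only)


@dataclass
class Chain:
    parent_pid: int
    parent_image: str
    child_pid: int
    child_image: str
    writes: int            # WriteProcessMemory calls from parent into child
    known_bad_hash: bool   # dropped file's hash is in the IOC set


def _norm(path: str) -> str:
    """Case-fold and drop the drive letter so 'C:\\Users\\..' and '\\Users\\..' compare
    equal; the report spells the same dropped file both ways."""
    return path.lower().split(":", 1)[-1]


def find_dropper_chains(events: List[Event]) -> List[Chain]:
    """Flag every child whose image was written to disk by its own parent, and count
    the parent's WriteProcessMemory calls into that child as a severity signal."""
    dropped: Dict[Tuple[int, str], str] = {}        # (writer pid, path) -> sha256
    spawned: Dict[int, Tuple[int, str]] = {}        # child pid -> (parent pid, child image)
    images: Dict[int, str] = {}                     # pid -> image
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    for e in events:
        images.setdefault(e.pid, e.image)
        if e.kind == "file_write":
            dropped[(e.pid, _norm(e.target))] = e.sha256
        elif e.kind == "process_create":
            spawned[e.target_pid] = (e.pid, e.target)
        elif e.kind == "write_process_memory":
            writes[(e.pid, e.target_pid)] += 1
    chains = []
    for child_pid, (parent_pid, child_image) in spawned.items():
        key = (parent_pid, _norm(child_image))
        if key not in dropped:
            continue  # parent did not write the child's image itself: not drop-and-run
        chains.append(Chain(parent_pid, images.get(parent_pid, ""), child_pid, child_image,
                            writes.get((parent_pid, child_pid), 0),
                            dropped[key] in KNOWN_BAD_SHA256))
    return chains


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + "\\" + DROPPER_SHA256 + ".exe"
DROP = TEMP + r"\szgfw.exe"

# Constructed from the behavioral1 tables: PID 1040 drops and runs szgfw.exe (PID 1588)
# and writes to its memory four times. The file_write row uses the drive-less path
# spelling that appears in the Files section.
BEHAVIORAL1 = [
    Event("file_write", 1040, SAMPLE, r"\Users\Admin\AppData\Local\Temp\szgfw.exe", sha256=DROPPED_SHA256),
    Event("process_create", 1040, SAMPLE, DROP, target_pid=1588),
] + [Event("write_process_memory", 1040, SAMPLE, DROP, target_pid=1588)] * 4

# Constructed from the behavioral2 tables: PID 512 -> PID 2716, three writes.
BEHAVIORAL2 = [
    Event("file_write", 512, SAMPLE, DROP, sha256=DROPPED_SHA256),
    Event("process_create", 512, SAMPLE, DROP, target_pid=2716),
] + [Event("write_process_memory", 512, SAMPLE, DROP, target_pid=2716)] * 3

# Constructed benign control: a parent launching a child it never wrote to disk.
BENIGN = [
    Event("process_create", 900, r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\notepad.exe", target_pid=901),
]

if __name__ == "__main__":
    for label, evs in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2), ("benign", BENIGN)):
        for c in find_dropper_chains(evs):
            print(f"{label}: {c.parent_image} (PID {c.parent_pid}) dropped and ran {c.child_image} "
                  f"(PID {c.child_pid}); WriteProcessMemory calls: {c.writes}; "
                  f"known-bad hash: {c.known_bad_hash}")
```

The rule keys on the parent having written the child's image to disk itself, so a parent that merely spawns a process it did not create (the benign control) is not flagged. The WriteProcessMemory count is reported rather than required: a parent writing into a child it just created is the usual prelude to injection or hollowing, but the report only records that the writes happened, not what was written, so treat the count as an escalation signal and confirm the injected content from the memory dumps listed under Files.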
Network
Files
memory/512-114-0x0000000000460000-0x0000000000461000-memory.dmp
memory/2716-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\szgfw.exe
| MD5 | 043948ad7f853e7f5974fc71d3f8eb1f |
| SHA1 | 636a691e9a9c4655a210b9a1a003f6bb6fcdaaa6 |
| SHA256 | 56817942cc2a65f2091bfa15515f2e99e6b3b58676d2966ab6b359d7f7918d43 |
| SHA512 | 4ab5ff586eb4ac8b9d63400d49a8f5121b634000576cf65703dad81ec7f29cb1f3b170430df84e9b734ac2d27a3606850b7e6b29faf355a8e58e12c9c1ed7640 |