Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
19-02-2022 19:51
Static task
static1
Behavioral task
behavioral1
Sample
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
Resource
win10v2004-en-20220113
General
-
Target
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
-
Size
36KB
-
MD5
56a2dad254438d56cbab545f24faf72b
-
SHA1
3bd697d8dec1db399ae5f32e35afaa7fa67e76d9
-
SHA256
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f
-
SHA512
4e74f7cc85b21659ef235aa4fd7e2482babbcf3183f683ea91e48c3a630355ccdd941298c2f49edc384de3f2e588e486e79fa3e743d957e07db7860fe1e74450
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Executes dropped EXE 1 IoCs
Processes:
szgfw.exepid process 2032 szgfw.exe -
Loads dropped DLL 2 IoCs
Processes:
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exepid process 1340 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe 1340 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exedescription pid process target process PID 1340 wrote to memory of 2032 1340 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe szgfw.exe PID 1340 wrote to memory of 2032 1340 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe szgfw.exe PID 1340 wrote to memory of 2032 1340 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe szgfw.exe PID 1340 wrote to memory of 2032 1340 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe szgfw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe"C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeMD5
e707e937cfbcb0d0a2fdf4f7542c9068
SHA1d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37
SHA25651d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5
SHA512c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeMD5
e707e937cfbcb0d0a2fdf4f7542c9068
SHA1d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37
SHA25651d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5
SHA512c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7
-
\Users\Admin\AppData\Local\Temp\szgfw.exeMD5
e707e937cfbcb0d0a2fdf4f7542c9068
SHA1d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37
SHA25651d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5
SHA512c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7
-
\Users\Admin\AppData\Local\Temp\szgfw.exeMD5
e707e937cfbcb0d0a2fdf4f7542c9068
SHA1d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37
SHA25651d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5
SHA512c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7
-
memory/1340-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmpFilesize
8KB
-
memory/2032-60-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB