Analysis
-
max time kernel
156s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-02-2022 19:51
Static task
static1
Behavioral task
behavioral1
Sample
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
Resource
win10v2004-en-20220113
General
-
Target
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe
-
Size
36KB
-
MD5
56a2dad254438d56cbab545f24faf72b
-
SHA1
3bd697d8dec1db399ae5f32e35afaa7fa67e76d9
-
SHA256
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f
-
SHA512
4e74f7cc85b21659ef235aa4fd7e2482babbcf3183f683ea91e48c3a630355ccdd941298c2f49edc384de3f2e588e486e79fa3e743d957e07db7860fe1e74450
Malware Config
Signatures
-
Upatre
Upatre is a generic malware downloader.
-
Executes dropped EXE 1 IoCs
Processes:
szgfw.exepid process 2740 szgfw.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 1056 svchost.exe Token: SeCreatePagefilePrivilege 1056 svchost.exe Token: SeShutdownPrivilege 1056 svchost.exe Token: SeCreatePagefilePrivilege 1056 svchost.exe Token: SeShutdownPrivilege 1056 svchost.exe Token: SeCreatePagefilePrivilege 1056 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exedescription pid process target process PID 1984 wrote to memory of 2740 1984 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe szgfw.exe PID 1984 wrote to memory of 2740 1984 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe szgfw.exe PID 1984 wrote to memory of 2740 1984 9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe szgfw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe"C:\Users\Admin\AppData\Local\Temp\9256da1c270c11bbf7d9207275a64eaee811f2d3fe68ea539999f1d3e285eb1f.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exe"C:\Users\Admin\AppData\Local\Temp\szgfw.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeMD5
e707e937cfbcb0d0a2fdf4f7542c9068
SHA1d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37
SHA25651d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5
SHA512c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7
-
C:\Users\Admin\AppData\Local\Temp\szgfw.exeMD5
e707e937cfbcb0d0a2fdf4f7542c9068
SHA1d7d873249c5c3fe6fce2e6a36a8d1d0803c80c37
SHA25651d7f048fee4a86c40fbbb3178bfb43357e95964fd061f8dc7eafe8051351ce5
SHA512c8895e0136b7a4bc6325aeb5d48e85519044409cbcfe01e3525464c5945fe5ba84843025b647242ea0d0a71698aff54a1cf8aa240e3005a6dff0bb88eeb881d7
-
memory/1056-133-0x0000025B72B30000-0x0000025B72B40000-memory.dmpFilesize
64KB
-
memory/1056-134-0x0000025B72B90000-0x0000025B72BA0000-memory.dmpFilesize
64KB
-
memory/1056-135-0x0000025B75880000-0x0000025B75884000-memory.dmpFilesize
16KB
-
memory/1984-130-0x0000000000440000-0x0000000000441000-memory.dmpFilesize
4KB