Analysis

- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 02:55
Behavioral tasks

- behavioral1
  Sample: c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
  Resource: win7-20240215-en
- behavioral2
  Sample: c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
  Resource: win10v2004-20240426-en
General

- Target: c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
- Size: 9KB
- MD5: 036b9780123ccf9b3ca23e1353e28078
- SHA1: e4f76b5970ef1b0f9f01a1aecc8037c1ed4f01f7
- SHA256: c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274
- SHA512: 7f50cd548bea36a49e8470bd3662600bba05a54c56131b559c11bbdd7164df7c4d384a4ed4d16515af22c0ecae603b9d1681f28fcc2fde89f62c47b2e6ff3ae8
- SSDEEP: 192:IFsXvZsk3d/ZcfFaQZT6CSJB8Oye3Q4pagU5lLOqN:asX7d/ZctaQZT6CSB8Oye3Q4K5pX
Malware Config
Signatures

- Upatre
  Upatre is a generic malware downloader.

- UPX dump on OEP (original entry point) (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2356-0-0x0000000000400000-0x0000000000406000-memory.dmp | UPX
  behavioral1/files/0x000c0000000143a8-3.dat | UPX
  behavioral1/memory/2356-5-0x0000000002B10000-0x0000000002B16000-memory.dmp | UPX
  behavioral1/memory/2356-12-0x0000000000400000-0x0000000000406000-memory.dmp | UPX

- Executes dropped EXE (1 IoCs)
  pid | Process
  2128 | szgfw.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2356 | c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
  2356 | c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe

- upx yara_rule matches (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2356-0-0x0000000000400000-0x0000000000406000-memory.dmp | upx
  behavioral1/files/0x000c0000000143a8-3.dat | upx
  behavioral1/memory/2356-5-0x0000000002B10000-0x0000000002B16000-memory.dmp | upx
  behavioral1/memory/2356-12-0x0000000000400000-0x0000000000406000-memory.dmp | upx

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2356 wrote to memory of 2128 | 2356 | c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe | 28
  PID 2356 wrote to memory of 2128 | 2356 | c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe | 28
  PID 2356 wrote to memory of 2128 | 2356 | c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe | 28
  PID 2356 wrote to memory of 2128 | 2356 | c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c315dcb1963665c2c01c8274c71b484833b89be0604daf54551d1d1975079274.exe"
   PID: 2356
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\szgfw.exe (child of PID 2356)
      Command line: "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
      PID: 2128
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 9KB
  MD5: 71a9dc1343a0994cb5c68e5832cf634b
  SHA1: 38989980eb6df9bc6dd97f0d1f79d9cc13b82601
  SHA256: 704af0c787e3c51003e74c575ed9f5a3da5b2868cde8b228787939c2f06d4d78
  SHA512: 595e841e261aa0640ac10f7f9eaa93b9901ba4e0697c7b5ba86e2e9dc8faa422964933a2179566bcf0d7bccd3dbc49bb246dc3aac2bc061bb5a08830e2e965f6