Analysis
max time kernel: 124s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2023 16:50
Static task: static1
Behavioral task: behavioral1
Sample: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
Resource: win10v2004-20231130-en
General
Target: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
Size: 407KB
MD5: ac1bf5c38abb09be737d7b48ebc5d553
SHA1: 6bc0a3dde35d3be636cb2f9d783318956e0fcc4a
SHA256: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5
SHA512: 5ef7998b0545b14e8a291339c312c756273896ee11d736252abefb2103facad2fcc53d98a8769645119e9d875a422a1df5ca54236a9e92c0a2fce6a757da31d9
SSDEEP: 12288:xE2N3AHQg6mTb5wm7kRSu3kI6SAx9Uj+antxFQ:xtNQHQgxbkRL7w1Kt3Q
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
pid 1944, process scgdttsl.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
pid 1472, pid_target 1944, process WerFault.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
PID 980 wrote to memory of 1944 | 980 | 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe | scgdttsl.exe
PID 980 wrote to memory of 1944 | 980 | 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe | scgdttsl.exe
PID 980 wrote to memory of 1944 | 980 | 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe | scgdttsl.exe
PID 1944 wrote to memory of 1368 | 1944 | scgdttsl.exe | scgdttsl.exe
PID 1944 wrote to memory of 1368 | 1944 | scgdttsl.exe | scgdttsl.exe
PID 1944 wrote to memory of 1368 | 1944 | scgdttsl.exe | scgdttsl.exe
Processes
C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe"
  PID: 980
  Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe"
      PID: 1944
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944
  PID: 3284
C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe"
  PID: 1368
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 560
  PID: 1472
  Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 173KB
MD5: 6f8cb7bcb4ea8b900e00b3557231aed6
SHA1: ec424177535362f8e3d699b0875740a9272cd844
SHA256: 49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd
SHA512: 63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d
-
Filesize: 334KB
MD5: 7d3d03e5e9ce95b6a39a83fb2347e250
SHA1: 652f4c084a92cfca3292ada7653ea20283f849bd
SHA256: 420e91d0e3befadbb1e09faea8dab8e6502d3d3172b074512b61b64d812478cd
SHA512: 5ecd7043f16bd80b3933403e1d473032054e38c767efa09b47c822be4c90cd432d63036b78335f1c67b7d8243c0ac064ab0cc0bdaa70067e140ec62a0b602df9