7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5

Analysis

max time kernel
124s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 16:50

Target

7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
Size

407KB
MD5

ac1bf5c38abb09be737d7b48ebc5d553
SHA1

6bc0a3dde35d3be636cb2f9d783318956e0fcc4a
SHA256

7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5
SHA512

5ef7998b0545b14e8a291339c312c756273896ee11d736252abefb2103facad2fcc53d98a8769645119e9d875a422a1df5ca54236a9e92c0a2fce6a757da31d9
SSDEEP

12288:xE2N3AHQg6mTb5wm7kRSu3kI6SAx9Uj+antxFQ:xtNQHQgxbkRL7w1Kt3Q

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

scgdttsl.exe

pid process

1944 scgdttsl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1472 1944 WerFault.exe

pid	process
1944	scgdttsl.exe

pid	pid_target	process
1472	1944	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exescgdttsl.exe

description	pid	process	target process
PID 980 wrote to memory of 1944	980	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe	scgdttsl.exe
PID 980 wrote to memory of 1944	980	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe	scgdttsl.exe
PID 980 wrote to memory of 1944	980	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe	scgdttsl.exe
PID 1944 wrote to memory of 1368	1944	scgdttsl.exe	scgdttsl.exe
PID 1944 wrote to memory of 1368	1944	scgdttsl.exe	scgdttsl.exe
PID 1944 wrote to memory of 1368	1944	scgdttsl.exe	scgdttsl.exe

C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
"C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944
1⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe
"C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe"
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 560
1⤵
- Program crash
PID:1472

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe

Filesize
173KB

MD5
6f8cb7bcb4ea8b900e00b3557231aed6

SHA1
ec424177535362f8e3d699b0875740a9272cd844

SHA256
49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd

SHA512
63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe

Filesize
173KB

MD5
6f8cb7bcb4ea8b900e00b3557231aed6

SHA1
ec424177535362f8e3d699b0875740a9272cd844

SHA256
49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd

SHA512
63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zetnk.q

Filesize
334KB

MD5
7d3d03e5e9ce95b6a39a83fb2347e250

SHA1
652f4c084a92cfca3292ada7653ea20283f849bd

SHA256
420e91d0e3befadbb1e09faea8dab8e6502d3d3172b074512b61b64d812478cd

SHA512
5ecd7043f16bd80b3933403e1d473032054e38c767efa09b47c822be4c90cd432d63036b78335f1c67b7d8243c0ac064ab0cc0bdaa70067e140ec62a0b602df9

Download Submit
memory/1944-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download