sgm.bin

General

Target:    sgm.bin.dll
Filesize:  40KB
Completed: 12-03-2021 05:34
Score:     10/10
MD5:       8a9a8739404210e7e454dc2466872f23
SHA1:      a3dbb6cb1eed87147f734c933e087bd66954ca18
SHA256:    8229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4

Malware Config
Signatures (6)

  • Nloader

    Description

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Nloader Payload

    Reported IOCs

    resource                                                                  | yara_rule
    behavioral1/memory/1668-5-0x0000000010000000-0x0000000010007000-memory.dmp | nloader
    behavioral1/memory/1668-4-0x0000000000170000-0x0000000000179000-memory.dmp | nloader
    behavioral1/memory/1668-8-0x0000000000160000-0x0000000000167000-memory.dmp | nloader
  • Program crash
    WerFault.exe

    Reported IOCs

    pid  | pid_target | process
    1916 | 1668       | WerFault.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid  | process
    1916 | WerFault.exe
    1916 | WerFault.exe
    1916 | WerFault.exe
    1916 | WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 1916 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exerundll32.exe

    Reported IOCs

    description                      | pid  | process      | target process
    PID 1724 wrote to memory of 1668 | 1724 | rundll32.exe | rundll32.exe
    PID 1724 wrote to memory of 1668 | 1724 | rundll32.exe | rundll32.exe
    PID 1724 wrote to memory of 1668 | 1724 | rundll32.exe | rundll32.exe
    PID 1724 wrote to memory of 1668 | 1724 | rundll32.exe | rundll32.exe
    PID 1724 wrote to memory of 1668 | 1724 | rundll32.exe | rundll32.exe
    PID 1724 wrote to memory of 1668 | 1724 | rundll32.exe | rundll32.exe
    PID 1724 wrote to memory of 1668 | 1724 | rundll32.exe | rundll32.exe
    PID 1668 wrote to memory of 1916 | 1668 | rundll32.exe | WerFault.exe
    PID 1668 wrote to memory of 1916 | 1668 | rundll32.exe | WerFault.exe
    PID 1668 wrote to memory of 1916 | 1668 | rundll32.exe | WerFault.exe
    PID 1668 wrote to memory of 1916 | 1668 | rundll32.exe | WerFault.exe
Processes (3)
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\sgm.bin.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\sgm.bin.dll,#1
      Suspicious use of WriteProcessMemory
      PID:1668
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 332
    Program crash
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1916
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. No techniques are listed under any column.
Downloads

  • memory/1668-5-0x0000000010000000-0x0000000010007000-memory.dmp
  • memory/1668-4-0x0000000000170000-0x0000000000179000-memory.dmp
  • memory/1668-3-0x00000000761E1000-0x00000000761E3000-memory.dmp
  • memory/1668-2-0x0000000000000000-mapping.dmp
  • memory/1668-8-0x0000000000160000-0x0000000000167000-memory.dmp
  • memory/1668-10-0x0000000000190000-0x0000000000191000-memory.dmp
  • memory/1916-6-0x0000000000000000-mapping.dmp
  • memory/1916-7-0x0000000001F70000-0x0000000001F81000-memory.dmp
  • memory/1916-9-0x00000000002C0000-0x00000000002C1000-memory.dmp