90ec2486607a08b86cebf341927f9eb2444baca6f47c50cecee73b23dd8182f9

Analysis

max time kernel
80s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 12:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90ec2486607a08b86cebf341927f9eb2444baca6f47c50cecee73b23dd8182f9.exe
Size

463KB
MD5

6d641067980d30407d1c51e52fe114d0
SHA1

ae5768f41317c235e0ce14f0897b6db95911611f
SHA256

90ec2486607a08b86cebf341927f9eb2444baca6f47c50cecee73b23dd8182f9
SHA512

0f79182c6e2171783160c151ac1d059399486a3ce54ffd483142a6ced0ef8b1a9733a36e39e7960e1537e56094d6564d8c93fe9576c5991a0a462693da4c6271
SSDEEP

12288:CDJM/bXntAh+nhZoqQEHvVIzJPz//DdvdYkNQ4:Cd6atqLHNk5TdvK4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1320	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	90ec2486607a08b86cebf341927f9eb2444baca6f47c50cecee73b23dd8182f9.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1320	1748	taskeng.exe	29
PID 1748 wrote to memory of 1320	1748	taskeng.exe	29
PID 1748 wrote to memory of 1320	1748	taskeng.exe	29
PID 1748 wrote to memory of 1320	1748	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\90ec2486607a08b86cebf341927f9eb2444baca6f47c50cecee73b23dd8182f9.exe
"C:\Users\Admin\AppData\Local\Temp\90ec2486607a08b86cebf341927f9eb2444baca6f47c50cecee73b23dd8182f9.exe"
1⤵
- Drops file in Program Files directory
PID:1964

C:\Windows\system32\taskeng.exe
taskeng.exe {77BE630C-2AD9-447A-9B74-02874034697A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
463KB

MD5
fdd23c4c4dd21bb4fb1b8c2e9cc679ac

SHA1
b0134a6a7964d24cd9073f17be806bd33f3d1fd8

SHA256
712f86de74b90835b0d7f8bedfd42b9baddeb60ed5fb1a8df95a68b4bbabc054

SHA512
8f7197b9e0051df25ba499badb5da14ada6ca36bb2808801f9a9631f67d0108f4ccc8d14cc8a5e7be26706105c421f4dc42b993c28b6f21117c0acfe3e24db3e

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
463KB

MD5
fdd23c4c4dd21bb4fb1b8c2e9cc679ac

SHA1
b0134a6a7964d24cd9073f17be806bd33f3d1fd8

SHA256
712f86de74b90835b0d7f8bedfd42b9baddeb60ed5fb1a8df95a68b4bbabc054

SHA512
8f7197b9e0051df25ba499badb5da14ada6ca36bb2808801f9a9631f67d0108f4ccc8d14cc8a5e7be26706105c421f4dc42b993c28b6f21117c0acfe3e24db3e

Download Submit
memory/1320-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1320-66-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/1964-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-55-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1964-56-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download