cbeceafb0f26ab6bfcc0d21d2171c774ec88841058c86bb972eddc163743143a

Analysis

max time kernel
55s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbeceafb0f26ab6bfcc0d21d2171c774ec88841058c86bb972eddc163743143a.exe
Size

272KB
MD5

6e366e5e11747fb24e72e2047fd00140
SHA1

974e5a896008ec1021f7fdf14de1dd3137fba263
SHA256

cbeceafb0f26ab6bfcc0d21d2171c774ec88841058c86bb972eddc163743143a
SHA512

ce8f05820a2b4d5f1e06661dae11c7adc7c9ba27289aa4d2567ad3afaf286a6f851768e9718efa0e2dc61dc6f0353a998242014100b90131e494d26df0c85642
SSDEEP

6144:MfRuSxFMY2uYmVAvivBHDpr88CtFO4y3vVkzjIfO5Lr:MgSxFMiYmVAviv5Z8nt1UkAI

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1316	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	cbeceafb0f26ab6bfcc0d21d2171c774ec88841058c86bb972eddc163743143a.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1316	2012	taskeng.exe	29
PID 2012 wrote to memory of 1316	2012	taskeng.exe	29
PID 2012 wrote to memory of 1316	2012	taskeng.exe	29
PID 2012 wrote to memory of 1316	2012	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\cbeceafb0f26ab6bfcc0d21d2171c774ec88841058c86bb972eddc163743143a.exe
"C:\Users\Admin\AppData\Local\Temp\cbeceafb0f26ab6bfcc0d21d2171c774ec88841058c86bb972eddc163743143a.exe"
1⤵
- Drops file in Program Files directory
PID:1848

C:\Windows\system32\taskeng.exe
taskeng.exe {7D741315-BB91-42D5-B6B9-458F1B13442F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
272KB

MD5
3cbf5453a543dfd8d0e1d270ae216d92

SHA1
4bb39f943772021f0c47f4cd8022efcc272c379f

SHA256
9a7c0c7b97a59b3e3c9eb9a3de0e817b1973f2c4625b132e823a12537aeba864

SHA512
93aab6cd9c0fc6f9377333e2cd5892817f7d99950e9c2fa017c2f1f9df0f5ada0030a339555d894e448bc6ad191ba5ddda11fd2cbccee6d36234c75cc29bc1d2

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
272KB

MD5
3cbf5453a543dfd8d0e1d270ae216d92

SHA1
4bb39f943772021f0c47f4cd8022efcc272c379f

SHA256
9a7c0c7b97a59b3e3c9eb9a3de0e817b1973f2c4625b132e823a12537aeba864

SHA512
93aab6cd9c0fc6f9377333e2cd5892817f7d99950e9c2fa017c2f1f9df0f5ada0030a339555d894e448bc6ad191ba5ddda11fd2cbccee6d36234c75cc29bc1d2

Download Submit
memory/1316-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1848-56-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download