25d90aebc96f42016f169f8a68dc1d4a0bd4254d144efb6f358667b04785b967

Analysis

max time kernel
123s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d90aebc96f42016f169f8a68dc1d4a0bd4254d144efb6f358667b04785b967.exe
Size

213KB
MD5

633ec558e3c143bbaa32f30c2c4c3190
SHA1

20f03b6979dc7af8778e7f8dc77049c3e3c5a41a
SHA256

25d90aebc96f42016f169f8a68dc1d4a0bd4254d144efb6f358667b04785b967
SHA512

f60049789ce5836b8bdedb880fbd518261e42893305d2729171c3f9ba9a20dec157ec2ef30a8164b3e87db81c5763eed2873727eea9350bde3e6cf0f4fa4305f
SSDEEP

6144:dJ4GsMQN0SjAXisy8DYdaph0vJgH6NfNHfomHRD/G8:dKGusiz8DYd+myO15zn

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1312	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	25d90aebc96f42016f169f8a68dc1d4a0bd4254d144efb6f358667b04785b967.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2000	25d90aebc96f42016f169f8a68dc1d4a0bd4254d144efb6f358667b04785b967.exe
1312	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1312	1340	taskeng.exe	29
PID 1340 wrote to memory of 1312	1340	taskeng.exe	29
PID 1340 wrote to memory of 1312	1340	taskeng.exe	29
PID 1340 wrote to memory of 1312	1340	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\25d90aebc96f42016f169f8a68dc1d4a0bd4254d144efb6f358667b04785b967.exe
"C:\Users\Admin\AppData\Local\Temp\25d90aebc96f42016f169f8a68dc1d4a0bd4254d144efb6f358667b04785b967.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {2BB7F528-FA61-4242-846A-A6D2211E971B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
213KB

MD5
44322edf3471066affe7c2328e6a30dc

SHA1
2bb157ba6c07692d5683f2c8e8a4085b74f2197e

SHA256
262885ba2cdcb3071ddba8c6a4a93b20e9390bbb37ec1c3deed79b0cf41f324d

SHA512
26d1e0b6a5c60b27b9dc2279ce12ceae018aa9e5166b761bad404b362feb0deca5b955b5632ac78777102ce52bd1d1ac6bdc8cacebd95d3899fbcec3ff53a648

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
213KB

MD5
44322edf3471066affe7c2328e6a30dc

SHA1
2bb157ba6c07692d5683f2c8e8a4085b74f2197e

SHA256
262885ba2cdcb3071ddba8c6a4a93b20e9390bbb37ec1c3deed79b0cf41f324d

SHA512
26d1e0b6a5c60b27b9dc2279ce12ceae018aa9e5166b761bad404b362feb0deca5b955b5632ac78777102ce52bd1d1ac6bdc8cacebd95d3899fbcec3ff53a648

Download Submit
memory/1312-63-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/1312-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1312-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2000-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/2000-55-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/2000-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2000-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2000-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download