5c28721d84f191a0a7c3c6955811ff22af676f227b362aff982bff44c22ba1f0

Analysis

max time kernel
63s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c28721d84f191a0a7c3c6955811ff22af676f227b362aff982bff44c22ba1f0.exe
Size

199KB
MD5

5c0515f10f3616e4b186ede83e25c250
SHA1

afad5173d466c360cf5796829e330593ea845ad5
SHA256

5c28721d84f191a0a7c3c6955811ff22af676f227b362aff982bff44c22ba1f0
SHA512

7a49eb10b35bcf87849aa16ca360b08c149864177eae8561cb8f1de353bfc9780a3628a730c72f65ec3c6b984a7ca5932217e2f5adb7b60e1c92407e5a4a52a6
SSDEEP

3072:+eDJHh2QdP8cIltNnTbNf1TTU0cl4UdbI3Cdic1h6qFs3DXwUSxgf:hNwmoNnTd1vqTI3H6h60wDAKf

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1832	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	5c28721d84f191a0a7c3c6955811ff22af676f227b362aff982bff44c22ba1f0.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
800	5c28721d84f191a0a7c3c6955811ff22af676f227b362aff982bff44c22ba1f0.exe
1832	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1832	1300	taskeng.exe	29
PID 1300 wrote to memory of 1832	1300	taskeng.exe	29
PID 1300 wrote to memory of 1832	1300	taskeng.exe	29
PID 1300 wrote to memory of 1832	1300	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\5c28721d84f191a0a7c3c6955811ff22af676f227b362aff982bff44c22ba1f0.exe
"C:\Users\Admin\AppData\Local\Temp\5c28721d84f191a0a7c3c6955811ff22af676f227b362aff982bff44c22ba1f0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:800

C:\Windows\system32\taskeng.exe
taskeng.exe {B9D5C479-7C7F-4E5C-BDC6-860BA0B80551} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
199KB

MD5
b49f30f769448309bb1accc2e8a620c7

SHA1
22f2f335de3417dc1f2d89be18cff1ff08c65392

SHA256
5da016feda94e15e2b90ca14db55e2eab018c44b1a980418571a4d65125af449

SHA512
9bc61ea62682be4ccc9249ed0b3610d8d2bb414797dc244f89194a102ddffa6ad487f0e6668d089df3238eebef8c0657f682c0e9f97af700eb6f2e816ad54361

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
199KB

MD5
b49f30f769448309bb1accc2e8a620c7

SHA1
22f2f335de3417dc1f2d89be18cff1ff08c65392

SHA256
5da016feda94e15e2b90ca14db55e2eab018c44b1a980418571a4d65125af449

SHA512
9bc61ea62682be4ccc9249ed0b3610d8d2bb414797dc244f89194a102ddffa6ad487f0e6668d089df3238eebef8c0657f682c0e9f97af700eb6f2e816ad54361

Download Submit
memory/800-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/800-55-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/800-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/800-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/800-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1832-63-0x00000000008C0000-0x000000000091B000-memory.dmp

Filesize
364KB

Download
memory/1832-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1832-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1832-66-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download