4cfde7af6939f84e8de576eea1b27fd66dcb0801a73cc8745f6cfb8d79025700

Analysis

max time kernel
57s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cfde7af6939f84e8de576eea1b27fd66dcb0801a73cc8745f6cfb8d79025700.exe
Size

141KB
MD5

a12b9761dca0bfcfde37f1da2e4d4f10
SHA1

bb7272a03396d25e2dad702afdfcfa2faab86721
SHA256

4cfde7af6939f84e8de576eea1b27fd66dcb0801a73cc8745f6cfb8d79025700
SHA512

c6999d5c09fd8fa9e6f8ef98f4f13dec24113db38c58f07b9bdd096ccfcccfa74472c1c5ea5fcf548053db545014be99eeacb94fb7e3c34ecccdbc31d50025f4
SSDEEP

3072:T6BT4OO+Ig7j1p6cpgbZ0UCQB0vpe+cD0bCVUhP/RI:SEjFKj18cOZ0LksxcDJVqP/G

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1596	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	4cfde7af6939f84e8de576eea1b27fd66dcb0801a73cc8745f6cfb8d79025700.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1596	1660	taskeng.exe	29
PID 1660 wrote to memory of 1596	1660	taskeng.exe	29
PID 1660 wrote to memory of 1596	1660	taskeng.exe	29
PID 1660 wrote to memory of 1596	1660	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\4cfde7af6939f84e8de576eea1b27fd66dcb0801a73cc8745f6cfb8d79025700.exe
"C:\Users\Admin\AppData\Local\Temp\4cfde7af6939f84e8de576eea1b27fd66dcb0801a73cc8745f6cfb8d79025700.exe"
1⤵
- Drops file in Program Files directory
PID:1760

C:\Windows\system32\taskeng.exe
taskeng.exe {5E244B2B-5966-42A9-B7B8-C93E5482B8C2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
141KB

MD5
044bc4ea1d8cc4e8e31adc5b3724fb39

SHA1
a21aac4b4c016405f8731e60dfa6ed653132b0aa

SHA256
db883ad136c5d8cb512942e5096887e69a31c8a6619778e295de19242c4c195a

SHA512
c27d76ccf630cf8ac7583769f4135309c5f3812aeeeb3230b32d0cc4dce392ca1381badee209ac3eabd7c097d5374f0529606d194954631b4da33dd2baa87472

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
141KB

MD5
044bc4ea1d8cc4e8e31adc5b3724fb39

SHA1
a21aac4b4c016405f8731e60dfa6ed653132b0aa

SHA256
db883ad136c5d8cb512942e5096887e69a31c8a6619778e295de19242c4c195a

SHA512
c27d76ccf630cf8ac7583769f4135309c5f3812aeeeb3230b32d0cc4dce392ca1381badee209ac3eabd7c097d5374f0529606d194954631b4da33dd2baa87472

Download Submit
memory/1596-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1596-66-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/1596-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1760-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1760-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1760-56-0x0000000001BA0000-0x0000000001BFB000-memory.dmp

Filesize
364KB

Download