aff9e367cd640a6f1ecaa7a48bf58486a3977914298f062b958de91111443531

Analysis

max time kernel
60s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 22:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aff9e367cd640a6f1ecaa7a48bf58486a3977914298f062b958de91111443531.exe
Size

212KB
MD5

4e8974470e75ed43c08d21b4e91081d0
SHA1

31c165692e8ec7cb2f3933695d2ac5deb53029a8
SHA256

aff9e367cd640a6f1ecaa7a48bf58486a3977914298f062b958de91111443531
SHA512

213c2ff33703632bf942df803ce65f33bbe30b2d12cbcacd515a64fcc021e0374d87725d0af0c6898fabf4edc9cfd09a5de9f6e5e661a6b3ae2311dc73712b36
SSDEEP

6144:mEjpvYc3QxMI7TwmdMlL992VKmKmn1Dk1i7Yqyf:xVnB3R2RlYYYqK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1740	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	aff9e367cd640a6f1ecaa7a48bf58486a3977914298f062b958de91111443531.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1740	1540	taskeng.exe	29
PID 1540 wrote to memory of 1740	1540	taskeng.exe	29
PID 1540 wrote to memory of 1740	1540	taskeng.exe	29
PID 1540 wrote to memory of 1740	1540	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\aff9e367cd640a6f1ecaa7a48bf58486a3977914298f062b958de91111443531.exe
"C:\Users\Admin\AppData\Local\Temp\aff9e367cd640a6f1ecaa7a48bf58486a3977914298f062b958de91111443531.exe"
1⤵
- Drops file in Program Files directory
PID:2004

C:\Windows\system32\taskeng.exe
taskeng.exe {3D101C27-5D9A-4817-ADC3-C8EF16804F04} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
212KB

MD5
2acbc97db86ef4b45293fff104b8037b

SHA1
696ee0ebc3b96d3a5378ff7a04350e15cff8a4ef

SHA256
c68743b9ed30f5c03eecedde2c261eedcf9d7bdfa56cdaf088489e8eb4db8ca7

SHA512
c01a69a08ddd565d021e2b72f68e4abef0cd94ccb27664e0fb3037edd77e457a191069a01672add98914cf41f88b93e64464a58c5ece04901aee67ec8f27b870

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
212KB

MD5
2acbc97db86ef4b45293fff104b8037b

SHA1
696ee0ebc3b96d3a5378ff7a04350e15cff8a4ef

SHA256
c68743b9ed30f5c03eecedde2c261eedcf9d7bdfa56cdaf088489e8eb4db8ca7

SHA512
c01a69a08ddd565d021e2b72f68e4abef0cd94ccb27664e0fb3037edd77e457a191069a01672add98914cf41f88b93e64464a58c5ece04901aee67ec8f27b870

Download Submit
memory/1740-65-0x0000000000540000-0x000000000059B000-memory.dmp

Filesize
364KB

Download
memory/2004-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2004-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/2004-56-0x0000000000370000-0x00000000003CB000-memory.dmp

Filesize
364KB

Download