95765957fd5a3bdc71af4f9fb9fc64142784568ac25ad8cb6701e8395100965a

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 22:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

95765957fd5a3bdc71af4f9fb9fc64142784568ac25ad8cb6701e8395100965a.exe
Size

135KB
MD5

843a3a811a6c9bc050793472505a3180
SHA1

c0e0a1bad404f78d6696182a4bc86bab77ac7c29
SHA256

95765957fd5a3bdc71af4f9fb9fc64142784568ac25ad8cb6701e8395100965a
SHA512

dfed274e9be6e110821c677943d7516915c51d653971322c52fa94e93907b24b0f4886dd664e51151e771c888945284217767f849f7584092e3c8156ebe2c037
SSDEEP

3072:HAwEvRRdqcqpaiVPfGHO4xATzlypxd7CQn3piYtWZ:TcRWcslXWRpjCS5TWZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1312	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	95765957fd5a3bdc71af4f9fb9fc64142784568ac25ad8cb6701e8395100965a.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1312	952	taskeng.exe	29
PID 952 wrote to memory of 1312	952	taskeng.exe	29
PID 952 wrote to memory of 1312	952	taskeng.exe	29
PID 952 wrote to memory of 1312	952	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\95765957fd5a3bdc71af4f9fb9fc64142784568ac25ad8cb6701e8395100965a.exe
"C:\Users\Admin\AppData\Local\Temp\95765957fd5a3bdc71af4f9fb9fc64142784568ac25ad8cb6701e8395100965a.exe"
1⤵
- Drops file in Program Files directory
PID:1392

C:\Windows\system32\taskeng.exe
taskeng.exe {394466D6-04AC-4F7F-82AA-869DF92E83DA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
135KB

MD5
c42f38ae03139d0ddd8d580f9cce5678

SHA1
e45942c124206738d1bf0a067668f139e728d183

SHA256
0d58b1943e6f8fca5188a3f49024d0d4f33a3eb739e33dc5ca5a7f80b941c22e

SHA512
f3ad07e046198a07bff469199304ec40793d93fe2be17130daa8b697e435f962edd5481acbc0937f348bb79ece001e8002181025da699a37cd3098f770ab9cbb

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
135KB

MD5
c42f38ae03139d0ddd8d580f9cce5678

SHA1
e45942c124206738d1bf0a067668f139e728d183

SHA256
0d58b1943e6f8fca5188a3f49024d0d4f33a3eb739e33dc5ca5a7f80b941c22e

SHA512
f3ad07e046198a07bff469199304ec40793d93fe2be17130daa8b697e435f962edd5481acbc0937f348bb79ece001e8002181025da699a37cd3098f770ab9cbb

Download Submit
memory/1392-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1392-55-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1392-56-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download