6974449cc1cd90346227a4515bba8a8f30a8845dd840efa5331893e4728061c6

Analysis

max time kernel
51s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6974449cc1cd90346227a4515bba8a8f30a8845dd840efa5331893e4728061c6.exe
Size

136KB
MD5

5a66ef8651d2f65cf2ede4da4e370bf0
SHA1

7702ca7b99930328d28382cbf6c4559fefa5ecf2
SHA256

6974449cc1cd90346227a4515bba8a8f30a8845dd840efa5331893e4728061c6
SHA512

bb8a66efd0f266e59bc92cfddf39420c9b0f6011e5cbdd2250279fa6f3c9618ba6ca8b24696444051cdae29f51262de9b220aae8d165f0a23e7016689ab34fa4
SSDEEP

3072:+WAf5zKL4y8hrNxhlYDKgXTXd5o9e+9lqOLVrhq+:vm5zo4yGY+gXTVsldLVVP

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1228	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	6974449cc1cd90346227a4515bba8a8f30a8845dd840efa5331893e4728061c6.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1228	1232	taskeng.exe	29
PID 1232 wrote to memory of 1228	1232	taskeng.exe	29
PID 1232 wrote to memory of 1228	1232	taskeng.exe	29
PID 1232 wrote to memory of 1228	1232	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\6974449cc1cd90346227a4515bba8a8f30a8845dd840efa5331893e4728061c6.exe
"C:\Users\Admin\AppData\Local\Temp\6974449cc1cd90346227a4515bba8a8f30a8845dd840efa5331893e4728061c6.exe"
1⤵
- Drops file in Program Files directory
PID:1912

C:\Windows\system32\taskeng.exe
taskeng.exe {54A40627-259C-4223-BB8B-3E5093BFE48B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
136KB

MD5
fae169085dfec303ce5a5ea476617564

SHA1
0034a927a5ad462923c3330675eee51b47ce54d5

SHA256
81bfe2091f316fd02af3e947a6b6cc8b0d5d6a3381bc2657ea12acc09f19febd

SHA512
db14b455f24a7ef8dd2f4c373968dec05218e2eef121070b061df13b92e1a5604d7dfae341dff19d110f0d0404917c1b4959a6e6c96bd3b1fb4ac469d534ca99

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
136KB

MD5
fae169085dfec303ce5a5ea476617564

SHA1
0034a927a5ad462923c3330675eee51b47ce54d5

SHA256
81bfe2091f316fd02af3e947a6b6cc8b0d5d6a3381bc2657ea12acc09f19febd

SHA512
db14b455f24a7ef8dd2f4c373968dec05218e2eef121070b061df13b92e1a5604d7dfae341dff19d110f0d0404917c1b4959a6e6c96bd3b1fb4ac469d534ca99

Download Submit
memory/1228-64-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1228-66-0x00000000004F0000-0x000000000054B000-memory.dmp

Filesize
364KB

Download
memory/1912-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1912-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1912-56-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download