6376e3b1aabe2cd78b552d41f0d7fcaaf6f6c0f3bbf25a68dd81d791af062470

Analysis

max time kernel
136s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6376e3b1aabe2cd78b552d41f0d7fcaaf6f6c0f3bbf25a68dd81d791af062470.exe
Size

152KB
MD5

2eaf175473568e9e3b1f94f405c8d220
SHA1

97aa9d2732ff60e22ad30f7ad4ad961db647fbca
SHA256

6376e3b1aabe2cd78b552d41f0d7fcaaf6f6c0f3bbf25a68dd81d791af062470
SHA512

e44ed50072b1ba77b9e839c00d642334ea8cd693fcbf3e36d3bec9521ed608d778952f0c0e255a639d2b70901073774cc91f00d6a3a110464083ef1f90165c8b
SSDEEP

3072:mcLXTpcvocFIALdm3vL52HBnXTmy5xEKJ9W8NRSZ99iEr6:FLX1qoEd2v928DHERSZ99Pr6

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1288	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	6376e3b1aabe2cd78b552d41f0d7fcaaf6f6c0f3bbf25a68dd81d791af062470.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 1288	808	taskeng.exe	28
PID 808 wrote to memory of 1288	808	taskeng.exe	28
PID 808 wrote to memory of 1288	808	taskeng.exe	28
PID 808 wrote to memory of 1288	808	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\6376e3b1aabe2cd78b552d41f0d7fcaaf6f6c0f3bbf25a68dd81d791af062470.exe
"C:\Users\Admin\AppData\Local\Temp\6376e3b1aabe2cd78b552d41f0d7fcaaf6f6c0f3bbf25a68dd81d791af062470.exe"
1⤵
- Drops file in Program Files directory
PID:1776

C:\Windows\system32\taskeng.exe
taskeng.exe {46544EB9-B30D-4909-9B5B-FF88A28C989D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
152KB

MD5
1ddcc1ac569fb566540ffa6760a02fcc

SHA1
4a26a2f4bc480c7e686dd4fdcbc1433d530c41c0

SHA256
a143d00b06d9b9124096e3532eb79a56c4bf4f0e2e202e8b497935aebf9831ba

SHA512
fb07170d043e07b6981ce625c40399155767dcdc2b1565be1fabdeb5add771f09b5131d20c078442315b34028843e43a6bfd6991746e8820fe7765ce1545be71

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
152KB

MD5
1ddcc1ac569fb566540ffa6760a02fcc

SHA1
4a26a2f4bc480c7e686dd4fdcbc1433d530c41c0

SHA256
a143d00b06d9b9124096e3532eb79a56c4bf4f0e2e202e8b497935aebf9831ba

SHA512
fb07170d043e07b6981ce625c40399155767dcdc2b1565be1fabdeb5add771f09b5131d20c078442315b34028843e43a6bfd6991746e8820fe7765ce1545be71

Download Submit
memory/1776-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1776-55-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download