fddbd04dd61d33c5f214a74f0dd2dd898f358edc60e56faacf3497be5f2e9b8d

Analysis

max time kernel
55s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fddbd04dd61d33c5f214a74f0dd2dd898f358edc60e56faacf3497be5f2e9b8d.exe
Size

145KB
MD5

402630d047877e696dfdade22679b6a0
SHA1

4c2f0d1964d53c737c6aee4de2dfd6badc00fd61
SHA256

fddbd04dd61d33c5f214a74f0dd2dd898f358edc60e56faacf3497be5f2e9b8d
SHA512

67078e48aac5225df705022404dd5ff29255d435cc5819442c371fbd5239d560c2b92b8ed4274e819558aff00276c69f9733ad1896756fd3a6754cd99362a4c4
SSDEEP

3072:ixSEI6rvvMV0nE17B+TnFnW5/bi13lNvuCLeEPbUXHrxn1eLR:ixlHMV0nE1l+LtuTS/aSUXLxI

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
932	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	fddbd04dd61d33c5f214a74f0dd2dd898f358edc60e56faacf3497be5f2e9b8d.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 932	1388	taskeng.exe	28
PID 1388 wrote to memory of 932	1388	taskeng.exe	28
PID 1388 wrote to memory of 932	1388	taskeng.exe	28
PID 1388 wrote to memory of 932	1388	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\fddbd04dd61d33c5f214a74f0dd2dd898f358edc60e56faacf3497be5f2e9b8d.exe
"C:\Users\Admin\AppData\Local\Temp\fddbd04dd61d33c5f214a74f0dd2dd898f358edc60e56faacf3497be5f2e9b8d.exe"
1⤵
- Drops file in Program Files directory
PID:1084

C:\Windows\system32\taskeng.exe
taskeng.exe {46544EB9-B30D-4909-9B5B-FF88A28C989D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
145KB

MD5
9330710639bd5c9caa3465babe1e1de9

SHA1
9a0345470fcffc74a1356649d115f70f195624fa

SHA256
63036375f083b30a748db0263d97793ca180ba3f6ec717ef15d04e73ff51990c

SHA512
fa2bd59782bd7b506780103e997241f5f67b00e8f0a6bb9bd4906619ecc5f161f0caa8e2106d77bf9000e08527b42f90dbc6389b56e228922c94e24f9aff2126

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
145KB

MD5
9330710639bd5c9caa3465babe1e1de9

SHA1
9a0345470fcffc74a1356649d115f70f195624fa

SHA256
63036375f083b30a748db0263d97793ca180ba3f6ec717ef15d04e73ff51990c

SHA512
fa2bd59782bd7b506780103e997241f5f67b00e8f0a6bb9bd4906619ecc5f161f0caa8e2106d77bf9000e08527b42f90dbc6389b56e228922c94e24f9aff2126

Download Submit
memory/932-61-0x0000000000000000-mapping.dmp

Download
memory/932-64-0x0000000000370000-0x00000000003CB000-memory.dmp

Filesize
364KB

Download
memory/1084-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1084-55-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download