7360e5879b4c1b33a72e60288566c64e7d8b0caa1b37b7f35144a9cfaa17f202

Analysis

max time kernel
72s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7360e5879b4c1b33a72e60288566c64e7d8b0caa1b37b7f35144a9cfaa17f202.exe
Size

202KB
MD5

8c983f75325d6e0813f614633e358fb0
SHA1

88415d18966529c49073022b75401613e99dd8bc
SHA256

7360e5879b4c1b33a72e60288566c64e7d8b0caa1b37b7f35144a9cfaa17f202
SHA512

a3cfa6a45f5b3bfff41c819d2c6e851d15ddce96ada5a2ce3db88d7897e068e748340f0f9db0cb0ee879d423f785d612879602dfeb1382f493a39002478b8cc0
SSDEEP

6144:CDJVazMKV31FdaQvXluxqU+A/0y+nt75voqQEu:CDJM/bXntAh+nhZoqQEu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1720	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	7360e5879b4c1b33a72e60288566c64e7d8b0caa1b37b7f35144a9cfaa17f202.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1720	1268	taskeng.exe	29
PID 1268 wrote to memory of 1720	1268	taskeng.exe	29
PID 1268 wrote to memory of 1720	1268	taskeng.exe	29
PID 1268 wrote to memory of 1720	1268	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\7360e5879b4c1b33a72e60288566c64e7d8b0caa1b37b7f35144a9cfaa17f202.exe
"C:\Users\Admin\AppData\Local\Temp\7360e5879b4c1b33a72e60288566c64e7d8b0caa1b37b7f35144a9cfaa17f202.exe"
1⤵
- Drops file in Program Files directory
PID:1848

C:\Windows\system32\taskeng.exe
taskeng.exe {7D741315-BB91-42D5-B6B9-458F1B13442F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
202KB

MD5
a99de3978bb8066972dd2653d6a4abc0

SHA1
f685c20d5d01ef1a15f8f3c263b6914ea9c88e0a

SHA256
e1c022e4c087b966647701681a7a353cd8c805f663de5bacb63f1e427d598fc2

SHA512
76af985f09d9f8c2bc57317263ad9c09906598d37d9595f8b440c2feda42d1c2a21e7b80d9f2fdd02ca359df18a25947717a399bdb7fbd120d89007fc6592992

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
202KB

MD5
a99de3978bb8066972dd2653d6a4abc0

SHA1
f685c20d5d01ef1a15f8f3c263b6914ea9c88e0a

SHA256
e1c022e4c087b966647701681a7a353cd8c805f663de5bacb63f1e427d598fc2

SHA512
76af985f09d9f8c2bc57317263ad9c09906598d37d9595f8b440c2feda42d1c2a21e7b80d9f2fdd02ca359df18a25947717a399bdb7fbd120d89007fc6592992

Download Submit
memory/1720-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1720-66-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/1848-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1848-56-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/1848-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download