94014a92244c5b1abee0cccedd8eba4f393d41d499def2f7baf8de832b5606e6

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94014a92244c5b1abee0cccedd8eba4f393d41d499def2f7baf8de832b5606e6.exe
Size

771KB
MD5

1fbaccf8a0ae6c21912f65e4be082b10
SHA1

08b939cf06b89f6da5ad4e0d310d1011465173d3
SHA256

94014a92244c5b1abee0cccedd8eba4f393d41d499def2f7baf8de832b5606e6
SHA512

169256fe156a651668eeb201ff74ed39034c29440c9d1fafb7480a3be4607c4f62f66f2bae7f9988884760e2cbd55c94d1aad3cb3388984bc3d2a84aad19e6db
SSDEEP

24576:C25a552VAUDaaKAOq6QHv+RP+4Lcam+0VIRqg8g:C25arYAq6QHw2MmPIBh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1116	sgfgrig.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\sgfgrig.exe	94014a92244c5b1abee0cccedd8eba4f393d41d499def2f7baf8de832b5606e6.exe
File created	C:\PROGRA~3\Mozilla\ogcwmgm.dll	sgfgrig.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1116	2044	taskeng.exe	28
PID 2044 wrote to memory of 1116	2044	taskeng.exe	28
PID 2044 wrote to memory of 1116	2044	taskeng.exe	28
PID 2044 wrote to memory of 1116	2044	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\94014a92244c5b1abee0cccedd8eba4f393d41d499def2f7baf8de832b5606e6.exe
"C:\Users\Admin\AppData\Local\Temp\94014a92244c5b1abee0cccedd8eba4f393d41d499def2f7baf8de832b5606e6.exe"
1⤵
- Drops file in Program Files directory
PID:1504

C:\Windows\system32\taskeng.exe
taskeng.exe {B5D304EB-473E-4B8F-B06B-7EAC6BFD7EB8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\PROGRA~3\Mozilla\sgfgrig.exe
  C:\PROGRA~3\Mozilla\sgfgrig.exe -smuvcxh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
771KB

MD5
1e17b41b8633de26e7c0e7f6dd4c0996

SHA1
c88fd583923cb7e94438eea95602191078460491

SHA256
8dc4aad1aed0e5e28916643a493edf455534224513cbcda0e567dbb904341d64

SHA512
8e43882091e7aac31cc8d260ae454665a81eeb203a8ef84808adead2268706e3494d76b917b348fbc78e83cdc708e8e5f1ef55583076b14dc5855e521d3ae383

Download Submit
C:\PROGRA~3\Mozilla\sgfgrig.exe

Filesize
771KB

MD5
1e17b41b8633de26e7c0e7f6dd4c0996

SHA1
c88fd583923cb7e94438eea95602191078460491

SHA256
8dc4aad1aed0e5e28916643a493edf455534224513cbcda0e567dbb904341d64

SHA512
8e43882091e7aac31cc8d260ae454665a81eeb203a8ef84808adead2268706e3494d76b917b348fbc78e83cdc708e8e5f1ef55583076b14dc5855e521d3ae383

Download Submit
memory/1116-65-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1116-66-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1116-69-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1116-70-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1504-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1504-55-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1504-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1504-59-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1504-60-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download