cadc595a9c282c8bda4aff6b498d1cd6ce81502a5c93c3aaa83ea123cecadb85

Resubmissions

12/04/2023, 18:16

230412-wwx45afe4v 3

12/04/2023, 18:13

230412-wtyymsfe3t 3

Analysis

max time kernel
76s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SGDBoop.exe
Size

284KB
MD5

4ecd8c2acbff0fc7b44f9b37dd851857
SHA1

dbfac240821815958306d2048df70236ebad8d5e
SHA256

abb9586a62fb1567f2d7ed40a8683dbc40de38177008c4b3481a5a1113838b0e
SHA512

3ad363427c2ad02e3238b4867a260993c72e168870f304f5ea4ac14e00cb1492a7f3c2a5be3b33df6963400f78f21de268454902260f5b779edd40e6ee35c5f7
SSDEEP

3072:jlKTcgu1jZzrSRZZRMNpXDg4DNtMpxuw6o1ih+fc/020yROGB+0RknX3Fq:RQcguTzrSD7epTg4DMpxp20kvB+nX3M

Score

1^/10

Malware Config

Signatures

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\Shell\Open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SGDBoop.exe\" \"%1\" -new_console:z"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SGDBoop.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\URL Protocol	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\ = "URL:sgdb protocol"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\Shell\Open\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sgdb	reg.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1240	1640	SGDBoop.exe	84
PID 1640 wrote to memory of 1240	1640	SGDBoop.exe	84
PID 1240 wrote to memory of 1760	1240	cmd.exe	85
PID 1240 wrote to memory of 1760	1240	cmd.exe	85
PID 1640 wrote to memory of 4464	1640	SGDBoop.exe	86
PID 1640 wrote to memory of 4464	1640	SGDBoop.exe	86
PID 4464 wrote to memory of 4428	4464	cmd.exe	87
PID 4464 wrote to memory of 4428	4464	cmd.exe	87
PID 1640 wrote to memory of 1504	1640	SGDBoop.exe	88
PID 1640 wrote to memory of 1504	1640	SGDBoop.exe	88
PID 1504 wrote to memory of 1684	1504	cmd.exe	89
PID 1504 wrote to memory of 1684	1504	cmd.exe	89
PID 1640 wrote to memory of 3576	1640	SGDBoop.exe	90
PID 1640 wrote to memory of 3576	1640	SGDBoop.exe	90
PID 3576 wrote to memory of 4456	3576	cmd.exe	91
PID 3576 wrote to memory of 4456	3576	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\SGDBoop.exe
"C:\Users\Admin\AppData\Local\Temp\SGDBoop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCR\sgdb /t REG_SZ /d "URL:sgdb protocol" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\system32\reg.exe
    REG ADD HKCR\sgdb /t REG_SZ /d "URL:sgdb protocol" /f
    3⤵
    - Modifies registry class
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCR\sgdb\Shell\Open\Command /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\SGDBoop.exe\" \"%1\" -new_console:z" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\system32\reg.exe
    REG ADD HKCR\sgdb\Shell\Open\Command /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\SGDBoop.exe\" \"%1\" -new_console:z" /f
    3⤵
    - Modifies registry class
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCR\sgdb\DefaultIcon /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SGDBoop.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\reg.exe
    REG ADD HKCR\sgdb\DefaultIcon /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SGDBoop.exe" /f
    3⤵
    - Modifies registry class
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD HKCR\sgdb /v "URL Protocol" /t REG_SZ /d "" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\reg.exe
    REG ADD HKCR\sgdb /v "URL Protocol" /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:4456

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads