77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

Analysis

max time kernel
63s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
Size

41KB
MD5

0af339b1893d9dd5aa4987c1ec3242f3
SHA1

0f15d63675d6319eb94409c60edff1bfe00071c8
SHA256

77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5
SHA512

bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718
SSDEEP

768:0Hnd52O181i0x2MRZH1/SlXRSR4KZ4V8eJ8ZvIVFA0zJzXa9r8bm0:0HndEOkiQ2Mz1vqbCeJIIAOhX6r8bm0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
948	glwjmgeb.exe
1552	glwjmgeb.exe

Deletes itself 1 IoCs

pid	Process
948	glwjmgeb.exe

Loads dropped DLL 6 IoCs

pid	Process
1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
948	glwjmgeb.exe
948	glwjmgeb.exe
948	glwjmgeb.exe
948	glwjmgeb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\glwjmgeb.exe	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
File opened for modification	\??\c:\windows\SysWOW64\glwjmgeb.exe	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32	glwjmgeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32	glwjmgeb.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 992	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	28
PID 1652 wrote to memory of 992	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	28
PID 1652 wrote to memory of 992	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	28
PID 1652 wrote to memory of 992	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	28
PID 1652 wrote to memory of 992	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	28
PID 1652 wrote to memory of 992	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	28
PID 1652 wrote to memory of 992	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	28
PID 1652 wrote to memory of 948	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	29
PID 1652 wrote to memory of 948	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	29
PID 1652 wrote to memory of 948	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	29
PID 1652 wrote to memory of 948	1652	77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe	29
PID 948 wrote to memory of 1252	948	glwjmgeb.exe	30
PID 948 wrote to memory of 1252	948	glwjmgeb.exe	30
PID 948 wrote to memory of 1252	948	glwjmgeb.exe	30
PID 948 wrote to memory of 1252	948	glwjmgeb.exe	30
PID 948 wrote to memory of 1252	948	glwjmgeb.exe	30
PID 948 wrote to memory of 1252	948	glwjmgeb.exe	30
PID 948 wrote to memory of 1252	948	glwjmgeb.exe	30
PID 948 wrote to memory of 1552	948	glwjmgeb.exe	31
PID 948 wrote to memory of 1552	948	glwjmgeb.exe	31
PID 948 wrote to memory of 1552	948	glwjmgeb.exe	31
PID 948 wrote to memory of 1552	948	glwjmgeb.exe	31
PID 1552 wrote to memory of 904	1552	glwjmgeb.exe	32
PID 1552 wrote to memory of 904	1552	glwjmgeb.exe	32
PID 1552 wrote to memory of 904	1552	glwjmgeb.exe	32
PID 1552 wrote to memory of 904	1552	glwjmgeb.exe	32
PID 1552 wrote to memory of 904	1552	glwjmgeb.exe	32
PID 1552 wrote to memory of 904	1552	glwjmgeb.exe	32
PID 1552 wrote to memory of 904	1552	glwjmgeb.exe	32

C:\Users\Admin\AppData\Local\Temp\77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe
"C:\Users\Admin\AppData\Local\Temp\77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
  2⤵
  PID:992
- C:\windows\SysWOW64\glwjmgeb.exe
  "C:\windows\system32\glwjmgeb.exe" -kill c:\users\admin\appdata\local\temp\77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5.exe /install
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
    3⤵
    PID:1252
- - C:\windows\SysWOW64\glwjmgeb.exe
    "C:\windows\system32\glwjmgeb.exe" -kill c:\windows\syswow64\glwjmgeb.exe /install /install
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
      4⤵
      PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
C:\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
\??\c:\windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
\Windows\SysWOW64\glwjmgeb.exe

Filesize
41KB

MD5
0af339b1893d9dd5aa4987c1ec3242f3

SHA1
0f15d63675d6319eb94409c60edff1bfe00071c8

SHA256
77e68c7772e13d477d48d48f7f96ac03661114b471a1ce51c2c49a6f654311e5

SHA512
bb0a4ab034326c1a911ec39a3912918988b10a31564c9d47b371540cd57b28b4f7ebe53efe1d1718cf4f045a42b5ff2b29f6c97a34f4a7c608c2d7e641921718

Download Submit
memory/904-74-0x0000000000000000-mapping.dmp

Download
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/992-56-0x0000000000000000-mapping.dmp

Download
memory/1252-64-0x0000000000000000-mapping.dmp

Download
memory/1552-70-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1652-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1652-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download