77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658

Analysis

max time kernel
120s
max time network
108s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe
Size

444KB
MD5

2795a515f1d8eb3f3ff92739d6229f60
SHA1

b29bc5cac4c7cd462a8080387a4ebc8cca205457
SHA256

77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658
SHA512

5ff87068a2954e2a6c19a355a5fb7c5b2aabeba970ee5df82a08888efb8ae3fe0ac17391e76998a168b8cdd8b61555cf86e934cd278525a7035a0087e16ad798
SSDEEP

6144:iAACPL1Eoqw2vJ3Ctv3SseWneFFAPxAbotJnW4SlmVeXbLR7zYXOPMT5zMHVsUpQ:zov6CuVfv/s0p8+nioBybS6wzx

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
1452	wsgsil3uto1zfw.exe
2976	ewmstore.exe
2796	xogroove.exe
2424	ewmstore.exe
2908	wqwmpdmc.exe
396	xogroove.exe

Loads dropped DLL 10 IoCs

pid	Process
2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe
2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe
1452	wsgsil3uto1zfw.exe
1452	wsgsil3uto1zfw.exe
2976	ewmstore.exe
2976	ewmstore.exe
2796	xogroove.exe
2796	xogroove.exe
2796	xogroove.exe
2908	wqwmpdmc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewmstore = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ewmstore.exe"	ewmstore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewmstore = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ewmstore.exe"	wsgsil3uto1zfw.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\xogroove.exe	ewmstore.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\xogroove.exe	ewmstore.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe	xogroove.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe	ewmstore.exe
File created	C:\Program Files (x86)\Windows Media Player\wqwmpdmc.exe	xogroove.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wqwmpdmc.exe	xogroove.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe	wsgsil3uto1zfw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe	wsgsil3uto1zfw.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewmstore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewmstore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqwmpdmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogroove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsgsil3uto1zfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xogroove.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	ewmstore.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe
2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe
2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe
1452	wsgsil3uto1zfw.exe
1452	wsgsil3uto1zfw.exe
1452	wsgsil3uto1zfw.exe
2976	ewmstore.exe
2976	ewmstore.exe
2976	ewmstore.exe
2796	xogroove.exe
2796	xogroove.exe
2796	xogroove.exe
2424	ewmstore.exe
2424	ewmstore.exe
2424	ewmstore.exe
2908	wqwmpdmc.exe
2908	wqwmpdmc.exe
2908	wqwmpdmc.exe
396	xogroove.exe
396	xogroove.exe
396	xogroove.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1452	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	30
PID 2856 wrote to memory of 1452	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	30
PID 2856 wrote to memory of 1452	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	30
PID 2856 wrote to memory of 1452	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	30
PID 2856 wrote to memory of 2928	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	31
PID 2856 wrote to memory of 2928	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	31
PID 2856 wrote to memory of 2928	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	31
PID 2856 wrote to memory of 2928	2856	77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe	31
PID 2928 wrote to memory of 2808	2928	cmd.exe	33
PID 2928 wrote to memory of 2808	2928	cmd.exe	33
PID 2928 wrote to memory of 2808	2928	cmd.exe	33
PID 2928 wrote to memory of 2808	2928	cmd.exe	33
PID 1452 wrote to memory of 2976	1452	wsgsil3uto1zfw.exe	34
PID 1452 wrote to memory of 2976	1452	wsgsil3uto1zfw.exe	34
PID 1452 wrote to memory of 2976	1452	wsgsil3uto1zfw.exe	34
PID 1452 wrote to memory of 2976	1452	wsgsil3uto1zfw.exe	34
PID 1452 wrote to memory of 2676	1452	wsgsil3uto1zfw.exe	35
PID 1452 wrote to memory of 2676	1452	wsgsil3uto1zfw.exe	35
PID 1452 wrote to memory of 2676	1452	wsgsil3uto1zfw.exe	35
PID 1452 wrote to memory of 2676	1452	wsgsil3uto1zfw.exe	35
PID 2676 wrote to memory of 2428	2676	cmd.exe	37
PID 2676 wrote to memory of 2428	2676	cmd.exe	37
PID 2676 wrote to memory of 2428	2676	cmd.exe	37
PID 2676 wrote to memory of 2428	2676	cmd.exe	37
PID 2976 wrote to memory of 2796	2976	ewmstore.exe	38
PID 2976 wrote to memory of 2796	2976	ewmstore.exe	38
PID 2976 wrote to memory of 2796	2976	ewmstore.exe	38
PID 2976 wrote to memory of 2796	2976	ewmstore.exe	38
PID 2796 wrote to memory of 2424	2796	xogroove.exe	39
PID 2796 wrote to memory of 2424	2796	xogroove.exe	39
PID 2796 wrote to memory of 2424	2796	xogroove.exe	39
PID 2796 wrote to memory of 2424	2796	xogroove.exe	39
PID 2796 wrote to memory of 2908	2796	xogroove.exe	40
PID 2796 wrote to memory of 2908	2796	xogroove.exe	40
PID 2796 wrote to memory of 2908	2796	xogroove.exe	40
PID 2796 wrote to memory of 2908	2796	xogroove.exe	40
PID 2908 wrote to memory of 396	2908	wqwmpdmc.exe	41
PID 2908 wrote to memory of 396	2908	wqwmpdmc.exe	41
PID 2908 wrote to memory of 396	2908	wqwmpdmc.exe	41
PID 2908 wrote to memory of 396	2908	wqwmpdmc.exe	41

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2808	attrib.exe
2428	attrib.exe

C:\Users\Admin\AppData\Local\Temp\77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe
"C:\Users\Admin\AppData\Local\Temp\77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\wsgsil3uto1zfw.exe
  C:\Users\Admin\AppData\Local\Temp\wsgsil3uto1zfw.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe
    "C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Program Files (x86)\Microsoft Office\Office14\xogroove.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\xogroove.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\ewmstore.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
    - - C:\Program Files (x86)\Windows Media Player\wqwmpdmc.exe
        
        "C:\Program Files (x86)\Windows Media Player\wqwmpdmc.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Program Files (x86)\Microsoft Office\Office14\xogroove.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\xogroove.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\jvyg862er.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\wsgsil3uto1zfw.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\jvyg862er.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\attrib.exe
    attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jvyg862er.bat

Filesize
407B

MD5
2dcc63b434ca53a67316f23494fe73ec

SHA1
dc8fb511ae433ce0390c830764aafd55aae9987f

SHA256
b973e732ca0402c9fc64843fb49e68ab2a80aca6f972b3d1fdf847c8c2d26f53

SHA512
28cb8819570267382e22a4c0de20907c642231ff2b42594db7a77ad8c0d916a74a98172106b18abfa47c1200de665b02d673b8bdd83da60222eed72d683f801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvyg862er.bat

Filesize
254B

MD5
c8d7260e1888f4a2efafc3fbaf951d31

SHA1
d77f3904e9287136b6930e1d5a374aba18205e24

SHA256
58644323aa2182eaa88717aed2f68348762815886e78b1d3bd17f997a3fb849e

SHA512
a2522ae96f48025d9c643c8f611a3d92a05999562a1381a91cc10af778958b13b30ab3332de412f7201568fcfed9a2a04ee27875b2d4c0eac60f533e80ba6ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgikfw61r.txt

Filesize
6KB

MD5
0eff23c8656781a1d1df808880f71be3

SHA1
08b3b983f41c9dbc89ca84cfe86b74959fa66b4e

SHA256
7abaa8cfb4ceea4131b765c95a296e8e4ea08855e1943f957c3aa90ba184e264

SHA512
93effdfdefe62ccc472df35c346db62099c51b64198aa12154a282184ee98ebf1c3818b8773cbc57fafb9d2b8f2ed6d3b8fc0071b42db89c3bacda5aea54a8aa

Download Submit
\Users\Admin\AppData\Local\Temp\wsgsil3uto1zfw.exe

Filesize
444KB

MD5
2795a515f1d8eb3f3ff92739d6229f60

SHA1
b29bc5cac4c7cd462a8080387a4ebc8cca205457

SHA256
77d8470f5aa800be7be4fdd2c2cf280d347a7c0f61ee2fc381c5e62cdae3a658

SHA512
5ff87068a2954e2a6c19a355a5fb7c5b2aabeba970ee5df82a08888efb8ae3fe0ac17391e76998a168b8cdd8b61555cf86e934cd278525a7035a0087e16ad798

Download Submit
memory/2976-211-0x00000000047A0000-0x0000000004BB2000-memory.dmp

Filesize
4.1MB

Download
memory/2976-212-0x0000000004EA0000-0x0000000004EAB000-memory.dmp

Filesize
44KB

Download
memory/2976-215-0x00000000052F0000-0x0000000005420000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads