398ebc3476435e57bdfffbd414a1f19feb68e38cbbded7130bf8c4f5c6036e13

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cmlauncher.zip
Size

5.4MB
MD5

4bafdeafd9dcfb5fdf156cd7bcf60ed8
SHA1

08a4cf8357422a02193293b5f372c6e3e1ba8810
SHA256

398ebc3476435e57bdfffbd414a1f19feb68e38cbbded7130bf8c4f5c6036e13
SHA512

44df7a2b8c1bf320691030bf1fcab8f553aff35cae93214600b0505170f766270ffea3b637733cfaa1e8e914d6fc8f61c59221b66471d893596aa2fcc2a1b059
SSDEEP

98304:PbzXenum2GtQL/zeyTo96Tc0I/UKkulf3u11xsTvIKD1voBhUiVuuxxCTH:PbyumFKzeyToMTW/3Vf3u1/SvtxoUi7O

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
persistence

Active Setup
T1547.014

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

Groove.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	Groove.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	Groove.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	Groove.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	Groove.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	Groove.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	Groove.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	Groove.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	Groove.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	Groove.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Groove.exe

pid process

2904 Groove.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2260 explorer.exe

pid	process
2904	Groove.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

explorer.exe

pid	process
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Groove.exeDW20.EXE

description	pid	process	target process
PID 2904 wrote to memory of 2808	2904	Groove.exe	DW20.EXE
PID 2904 wrote to memory of 2808	2904	Groove.exe	DW20.EXE
PID 2904 wrote to memory of 2808	2904	Groove.exe	DW20.EXE
PID 2904 wrote to memory of 2808	2904	Groove.exe	DW20.EXE
PID 2904 wrote to memory of 2808	2904	Groove.exe	DW20.EXE
PID 2904 wrote to memory of 2808	2904	Groove.exe	DW20.EXE
PID 2904 wrote to memory of 2808	2904	Groove.exe	DW20.EXE
PID 2808 wrote to memory of 2644	2808	DW20.EXE	dwwin.exe
PID 2808 wrote to memory of 2644	2808	DW20.EXE	dwwin.exe
PID 2808 wrote to memory of 2644	2808	DW20.EXE	dwwin.exe
PID 2808 wrote to memory of 2644	2808	DW20.EXE	dwwin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cmlauncher.zip
1⤵
PID:3036

C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe
"C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe" /TrayOnly /NoLogon
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904

C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1324
2⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1324
3⤵
PID:2644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2260

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
41c2568badec1be9dc7a4098d1187287

SHA1
1c70ad948ae7fcafae9d06b62d133b6a808e03e4

SHA256
67309991c886afc03bfe1c6f42938ff12a6842857845dfe1f0f1d94b81329988

SHA512
d208b1552cfa7cd387c143a26a93733323bd44a95635de37b23b3897b29c79fc19c095011247ea42c226c994cf63d4c0b9b6c1d5d3590875f4729ff02efa1af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\259416402.cvr
Filesize
560B

MD5
c3f15ff330cc09568b3bd64d8cdaae4d

SHA1
5c279769ec9b93f3c000168f79a148d6ebd9e688

SHA256
fab69b5b807e71cab8f7988ac60330e8da22e73c0ba51bb1871507f21d6d9627

SHA512
c777a361025c98d7bd5332879163f50e9559f0092da232ce424bd6a9af80e340947d69a9f4b0917b007a9c2be870a0a098d4d5f8dc99323905246f28899b2b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0A26A4DD-3102-4540-842A-7657FB9878A7}
Filesize
128KB

MD5
14de5c789248bc93a88b982bb49c8f77

SHA1
26e4dc49fdbeb098adad074ecd9628f69952abd9

SHA256
c03f01f1ed30ab38a5dd2650ec0044c94f0dddad8ab37ddcf566c7977b10370e

SHA512
6b3aae0e7e0d886b9c065b7fb1502cb977f69c1e484bf331272e8cdd68afd4a5610f226f04b4d333ef4834fa1549caf778b6bf59ae537759c373fa9dfb182d19

Download Submit
memory/2904-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2904-1-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2904-2-0x000000007364D000-0x0000000073658000-memory.dmp

Filesize
44KB

Download
memory/2904-62-0x000000007364D000-0x0000000073658000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads