b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd

General

Target

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Size

288KB
MD5

52df055864a09f85eff8d58b60c9a650
SHA1

157810f9a7d5d270e04c534ac7999e201c4fdb55
SHA256

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd
SHA512

ec5dbf7e69a6ca40d72544fb220fb1c63e7f294660de8c99f5c794d2a8f242734393127302884219ba5aa9d7020d3d56f96459d98f9144f6dbd9c79aaf9b1acb
SSDEEP

6144:kXTAUr1e9d4c+Q+lafeafT2Jt2tFQJSqCTaX/c9AC:oJ8XM9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

hwmeb.exeb416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hwmeb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

Executes dropped EXE 1 IoCs

Processes:

hwmeb.exe

pid process

1560 hwmeb.exe

pid	process
1560	hwmeb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hwmeb.exeb416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /c"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /f"	hwmeb.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /e"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /o"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /u"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /g"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /r"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /q"	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /n"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /l"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /d"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /s"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /x"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /b"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /i"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /h"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /z"	hwmeb.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /k"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /p"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /t"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /q"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /y"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /j"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /w"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /m"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /a"	hwmeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwmeb = "C:\\Users\\Admin\\hwmeb.exe /v"	hwmeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exehwmeb.exe

pid	process
3328	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
3328	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe
1560	hwmeb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exehwmeb.exe

pid process

3328 b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
1560 hwmeb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe

description	pid	process	target process
PID 3328 wrote to memory of 1560	3328	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe	hwmeb.exe
PID 3328 wrote to memory of 1560	3328	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe	hwmeb.exe
PID 3328 wrote to memory of 1560	3328	b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe	hwmeb.exe

C:\Users\Admin\AppData\Local\Temp\b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe
"C:\Users\Admin\AppData\Local\Temp\b416f056b785369f304b51c0dfa06607898f85bcdd90e9dc4de9ac9769fa2efd.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\hwmeb.exe
"C:\Users\Admin\hwmeb.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hwmeb.exe
Filesize
288KB

MD5
27122e2d7075518ebbd83febaa527525

SHA1
4df11f8ace05c3303cb65382c6afad0d7646d988

SHA256
b878adffaa3f6ea19171d02a74d6e913ef49b9581e1be3dd1f3c42791cfc3dcb

SHA512
a9d34f23f79258bac3e4285c7d58c3f773dfb4ca30a3700237c48b553d657beb5adc340ace929255af0767bd06808cd163755a3103773a1575f6bda70928ceaa

Download Submit
C:\Users\Admin\hwmeb.exe
Filesize
288KB

MD5
27122e2d7075518ebbd83febaa527525

SHA1
4df11f8ace05c3303cb65382c6afad0d7646d988

SHA256
b878adffaa3f6ea19171d02a74d6e913ef49b9581e1be3dd1f3c42791cfc3dcb

SHA512
a9d34f23f79258bac3e4285c7d58c3f773dfb4ca30a3700237c48b553d657beb5adc340ace929255af0767bd06808cd163755a3103773a1575f6bda70928ceaa

Download Submit
memory/1560-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads