Analysis
- max time kernel: 157s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 20:46
Static task: static1
Behavioral task: behavioral1
  Sample: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
  Resource: win10v2004-20220812-en
General
- Target: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
- Size: 276KB
- MD5: 327a0eba2f61ff0c60633747bba87247
- SHA1: 071ad241da72cdce4d58305dc0a5f429a7ef1ff1
- SHA256: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd
- SHA512: 9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221
- SSDEEP: 3072:gDYoYtDr6j72xKX6+67C3xpYUUCQCCuKtVkJ/WnWUC4w0lq6A6xHXSE:ZdIBX6k3xpYSQCWW/b4BHBx
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    3720  cmgsdigr.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfei = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cmgsdigr\\cmgsdigr.exe\""  (process: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe)
- Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (process: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe)
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc  (process: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe)
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  (process: cmgsdigr.exe)
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc  (process: cmgsdigr.exe)
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  (process: cmgsdigr.exe)
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc  (process: cmgsdigr.exe)
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  (process: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe)
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc  (process: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe)
- Modifies Internet Explorer Protected Mode (1 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"  (process: cmgsdigr.exe)
    Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"  (process: cmgsdigr.exe)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid, process), in the order reported:
    1468  aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe  (4 entries)
    3720  cmgsdigr.exe  (2 entries)
    5004  cmd.exe  (6 entries)
    4844  PING.EXE  (6 entries)
    3720  cmgsdigr.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3720  cmgsdigr.exe  (49 identical entries)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, pid, process, target process), in the order reported:
    PID 1468 wrote to memory of 684   1468  aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe  Explorer.EXE
    PID 1468 wrote to memory of 3720  1468  aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe  cmgsdigr.exe  (3 entries)
    PID 1468 wrote to memory of 684   1468  aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe  Explorer.EXE
    PID 1468 wrote to memory of 5004  1468  aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe  cmd.exe  (3 entries)
    PID 5004 wrote to memory of 4844  5004  cmd.exe  PING.EXE  (3 entries)
    PID 3720 wrote to memory of 5004  3720  cmgsdigr.exe  cmd.exe  (3 entries)
    PID 3720 wrote to memory of 4844  3720  cmgsdigr.exe  PING.EXE  (3 entries)
Processes
- C:\Windows\Explorer.EXE  (depth 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 684
  - C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe"
    Signatures:
      - Adds Run key to start application
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    PID: 1468
    - C:\Users\Admin\AppData\Roaming\Microsoft\Cmgsdigr\cmgsdigr.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Cmgsdigr\cmgsdigr.exe"
      Signatures:
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Modifies Internet Explorer Protected Mode
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      PID: 3720
    - C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: cmd /c ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe"
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      PID: 5004
      - C:\Windows\SysWOW64\PING.EXE  (depth 4)
        Command line: ping -n 10 localhost
        Signatures:
          - Runs ping.exe
          - Suspicious behavior: EnumeratesProcesses
        PID: 4844
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Cmgsdigr\cmgsdigr.exe
  Filesize: 276KB
  MD5: 327a0eba2f61ff0c60633747bba87247
  SHA1: 071ad241da72cdce4d58305dc0a5f429a7ef1ff1
  SHA256: aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd
  SHA512: 9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.Admin\user.js
  Filesize: 325B
  MD5: 2d3be5ac1378ee1860aaeca693e5a1d1
  SHA1: 3c232144e306cf4d80ee5c01f0170c8f377fef68
  SHA256: 106428b158de026222063464a40666dcab971c1102da6f3d40a36416f79dd502
  SHA512: ec0322e77b4af31de73f3dda176fc67a7e9851c953b5d8c5c7a96ed5343a852c11ac6c380659f4741e37097602cd5a3e25a41d419496235cd7e1d01db8f25049
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\user.js
  Filesize: 325B
  MD5: 2d3be5ac1378ee1860aaeca693e5a1d1
  SHA1: 3c232144e306cf4d80ee5c01f0170c8f377fef68
  SHA256: 106428b158de026222063464a40666dcab971c1102da6f3d40a36416f79dd502
  SHA512: ec0322e77b4af31de73f3dda176fc67a7e9851c953b5d8c5c7a96ed5343a852c11ac6c380659f4741e37097602cd5a3e25a41d419496235cd7e1d01db8f25049
- memory/1468-132-0x0000000070000000-0x0000000070044000-memory.dmp
  Filesize: 272KB
- memory/3720-137-0x0000000000000000-mapping.dmp
- memory/4844-141-0x0000000000000000-mapping.dmp
- memory/4844-151-0x0000000000F60000-0x0000000000FAB000-memory.dmp
  Filesize: 300KB
- memory/5004-140-0x0000000000000000-mapping.dmp
- memory/5004-147-0x0000000000A43000-0x0000000000A46000-memory.dmp
  Filesize: 12KB
- memory/5004-150-0x0000000000360000-0x00000000003AB000-memory.dmp
  Filesize: 300KB