aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd

General

Target

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
Size

276KB
MD5

327a0eba2f61ff0c60633747bba87247
SHA1

071ad241da72cdce4d58305dc0a5f429a7ef1ff1
SHA256

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd
SHA512

9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221
SSDEEP

3072:gDYoYtDr6j72xKX6+67C3xpYUUCQCCuKtVkJ/WnWUC4w0lq6A6xHXSE:ZdIBX6k3xpYSQCWW/b4BHBx

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

cmgsdigr.exe

pid process

3720 cmgsdigr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3720	cmgsdigr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfei = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cmgsdigr\\cmgsdigr.exe\""	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.execmgsdigr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	cmgsdigr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	cmgsdigr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	cmgsdigr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	cmgsdigr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe

Modifies Internet Explorer Protected Mode 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

cmgsdigr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	cmgsdigr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	cmgsdigr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4844 PING.EXE

pid	process
4844	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.execmgsdigr.execmd.exePING.EXE

pid	process
1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
3720	cmgsdigr.exe
3720	cmgsdigr.exe
5004	cmd.exe
5004	cmd.exe
5004	cmd.exe
5004	cmd.exe
5004	cmd.exe
5004	cmd.exe
4844	PING.EXE
4844	PING.EXE
4844	PING.EXE
4844	PING.EXE
4844	PING.EXE
4844	PING.EXE
3720	cmgsdigr.exe
3720	cmgsdigr.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

cmgsdigr.exe

description	pid	process
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe
Token: SeDebugPrivilege	3720	cmgsdigr.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.execmd.execmgsdigr.exe

description	pid	process	target process
PID 1468 wrote to memory of 684	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	Explorer.EXE
PID 1468 wrote to memory of 3720	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmgsdigr.exe
PID 1468 wrote to memory of 3720	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmgsdigr.exe
PID 1468 wrote to memory of 3720	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmgsdigr.exe
PID 1468 wrote to memory of 684	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	Explorer.EXE
PID 1468 wrote to memory of 5004	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmd.exe
PID 1468 wrote to memory of 5004	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmd.exe
PID 1468 wrote to memory of 5004	1468	aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe	cmd.exe
PID 5004 wrote to memory of 4844	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 4844	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 4844	5004	cmd.exe	PING.EXE
PID 3720 wrote to memory of 5004	3720	cmgsdigr.exe	cmd.exe
PID 3720 wrote to memory of 5004	3720	cmgsdigr.exe	cmd.exe
PID 3720 wrote to memory of 5004	3720	cmgsdigr.exe	cmd.exe
PID 3720 wrote to memory of 4844	3720	cmgsdigr.exe	PING.EXE
PID 3720 wrote to memory of 4844	3720	cmgsdigr.exe	PING.EXE
PID 3720 wrote to memory of 4844	3720	cmgsdigr.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe
"C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe"
2⤵
- Adds Run key to start application
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Roaming\Microsoft\Cmgsdigr\cmgsdigr.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Cmgsdigr\cmgsdigr.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Modifies Internet Explorer Protected Mode
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
cmd /c ping -n 10 localhost && del "C:\Users\Admin\AppData\Local\Temp\aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
PID:4844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Cmgsdigr\cmgsdigr.exe
Filesize
276KB

MD5
327a0eba2f61ff0c60633747bba87247

SHA1
071ad241da72cdce4d58305dc0a5f429a7ef1ff1

SHA256
aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd

SHA512
9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Cmgsdigr\cmgsdigr.exe
Filesize
276KB

MD5
327a0eba2f61ff0c60633747bba87247

SHA1
071ad241da72cdce4d58305dc0a5f429a7ef1ff1

SHA256
aeb541ec3f4a4ba1098ab2b6fa882a65caab07d0c63f46c27c043b84aa0dcebd

SHA512
9e227a9c8033814aaa7ed374bf0e2b22ee176b4de07de94a0c9df6d39a41999fb067b7e78e8d0b7c2661fbc6309bc3b9dad723e63caba448765a4670dd08c221

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.Admin\user.js
Filesize
325B

MD5
2d3be5ac1378ee1860aaeca693e5a1d1

SHA1
3c232144e306cf4d80ee5c01f0170c8f377fef68

SHA256
106428b158de026222063464a40666dcab971c1102da6f3d40a36416f79dd502

SHA512
ec0322e77b4af31de73f3dda176fc67a7e9851c953b5d8c5c7a96ed5343a852c11ac6c380659f4741e37097602cd5a3e25a41d419496235cd7e1d01db8f25049

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\user.js
Filesize
325B

MD5
2d3be5ac1378ee1860aaeca693e5a1d1

SHA1
3c232144e306cf4d80ee5c01f0170c8f377fef68

SHA256
106428b158de026222063464a40666dcab971c1102da6f3d40a36416f79dd502

SHA512
ec0322e77b4af31de73f3dda176fc67a7e9851c953b5d8c5c7a96ed5343a852c11ac6c380659f4741e37097602cd5a3e25a41d419496235cd7e1d01db8f25049

Download Submit
memory/1468-132-0x0000000070000000-0x0000000070044000-memory.dmp

Filesize
272KB

Download
memory/3720-137-0x0000000000000000-mapping.dmp

Download
memory/4844-141-0x0000000000000000-mapping.dmp

Download
memory/4844-151-0x0000000000F60000-0x0000000000FAB000-memory.dmp

Filesize
300KB

Download
memory/5004-140-0x0000000000000000-mapping.dmp

Download
memory/5004-147-0x0000000000A43000-0x0000000000A46000-memory.dmp

Filesize
12KB

Download
memory/5004-150-0x0000000000360000-0x00000000003AB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads