eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c

General

Target

eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
Size

298KB
MD5

dc2eb0878b887ef356e2f277d756883e
SHA1

5c71bb6c5c3766581cc0efdcb0deb1168469a984
SHA256

eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c
SHA512

462692a0723b1c45d2f5934130141b13a6115ab18a89b09229bccbff1b85f3a9c3dfd45e625e98fe1fbb3ab99524a6a187c04d93607d9f506b30f21682c287c0
SSDEEP

6144:z0+N1vtAwzqEybL8e+QTiqLnFHLua12BM6SZMIEJYqh/ya:QS3AXJ8e+QlLAo6MCJYqh/f

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

abem.exe

pid process

1020 abem.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1092 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe

pid process

1944 eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe

pid	process
1092	cmd.exe

pid	process
1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

abem.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	abem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Mueji\\abem.exe"	abem.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe

description	pid	process	target process
PID 1944 set thread context of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

abem.exe

pid	process
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe
1020	abem.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exeabem.exe

pid process

1944 eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
1020 abem.exe

pid	process
1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
1020	abem.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exeabem.exe

description	pid	process	target process
PID 1944 wrote to memory of 1020	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	abem.exe
PID 1944 wrote to memory of 1020	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	abem.exe
PID 1944 wrote to memory of 1020	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	abem.exe
PID 1944 wrote to memory of 1020	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	abem.exe
PID 1020 wrote to memory of 1244	1020	abem.exe	taskhost.exe
PID 1020 wrote to memory of 1244	1020	abem.exe	taskhost.exe
PID 1020 wrote to memory of 1244	1020	abem.exe	taskhost.exe
PID 1020 wrote to memory of 1244	1020	abem.exe	taskhost.exe
PID 1020 wrote to memory of 1244	1020	abem.exe	taskhost.exe
PID 1020 wrote to memory of 1348	1020	abem.exe	Dwm.exe
PID 1020 wrote to memory of 1348	1020	abem.exe	Dwm.exe
PID 1020 wrote to memory of 1348	1020	abem.exe	Dwm.exe
PID 1020 wrote to memory of 1348	1020	abem.exe	Dwm.exe
PID 1020 wrote to memory of 1348	1020	abem.exe	Dwm.exe
PID 1020 wrote to memory of 1412	1020	abem.exe	Explorer.EXE
PID 1020 wrote to memory of 1412	1020	abem.exe	Explorer.EXE
PID 1020 wrote to memory of 1412	1020	abem.exe	Explorer.EXE
PID 1020 wrote to memory of 1412	1020	abem.exe	Explorer.EXE
PID 1020 wrote to memory of 1412	1020	abem.exe	Explorer.EXE
PID 1020 wrote to memory of 1944	1020	abem.exe	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
PID 1020 wrote to memory of 1944	1020	abem.exe	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
PID 1020 wrote to memory of 1944	1020	abem.exe	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
PID 1020 wrote to memory of 1944	1020	abem.exe	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
PID 1020 wrote to memory of 1944	1020	abem.exe	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe
PID 1944 wrote to memory of 1092	1944	eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe
"C:\Users\Admin\AppData\Local\Temp\eaf91b130ecc190fb646cfdd8bc19bbf6ddcfc0eaca8c0d91861885afd33633c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\Mueji\abem.exe
"C:\Users\Admin\AppData\Roaming\Mueji\abem.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp46325ce0.bat"
3⤵
- Deletes itself
PID:1092

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp46325ce0.bat
Filesize
307B

MD5
072699cb239cbac7af21501cd145956f

SHA1
d060358d82189b1ce0dce08c977dea408a7982bf

SHA256
4a6f634c5310ce59adc232921fbf70f255f25b8cb73bbf75b2bce79d01692524

SHA512
d6b2c8dcf4ceda754afabd24a8cdfb0f3c588d293a16a5b521b0b29d6c47d3ca3521af567cf11a4e4071b000b7865f8a4ee4d432c9243d3ea7d64ab6740ece13

Download Submit
C:\Users\Admin\AppData\Roaming\Mueji\abem.exe
Filesize
298KB

MD5
f0c168f73a093695b913d0d6dbff5b05

SHA1
f90faf60aeed8fdf2a24a2b60cf40bbe070d59b7

SHA256
b9d8939e96a0f4e7c011800ca55c518f13c01216d60f43aaa698c76b43acc682

SHA512
c399d1c6efac963b33cb8120115eb4f4cd1016a5598a8cfe1bd6385e0864b522a01314017ae08e99293c775973e1d95d2f5b474c4da5dda3b35f9fec23346a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mueji\abem.exe
Filesize
298KB

MD5
f0c168f73a093695b913d0d6dbff5b05

SHA1
f90faf60aeed8fdf2a24a2b60cf40bbe070d59b7

SHA256
b9d8939e96a0f4e7c011800ca55c518f13c01216d60f43aaa698c76b43acc682

SHA512
c399d1c6efac963b33cb8120115eb4f4cd1016a5598a8cfe1bd6385e0864b522a01314017ae08e99293c775973e1d95d2f5b474c4da5dda3b35f9fec23346a6f

Download Submit
\Users\Admin\AppData\Roaming\Mueji\abem.exe
Filesize
298KB

MD5
f0c168f73a093695b913d0d6dbff5b05

SHA1
f90faf60aeed8fdf2a24a2b60cf40bbe070d59b7

SHA256
b9d8939e96a0f4e7c011800ca55c518f13c01216d60f43aaa698c76b43acc682

SHA512
c399d1c6efac963b33cb8120115eb4f4cd1016a5598a8cfe1bd6385e0864b522a01314017ae08e99293c775973e1d95d2f5b474c4da5dda3b35f9fec23346a6f

Download Submit
memory/1020-83-0x00000000002D0000-0x000000000031C000-memory.dmp

Filesize
304KB

Download
memory/1020-80-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1020-58-0x0000000000000000-mapping.dmp

Download
memory/1020-84-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1092-97-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1092-99-0x00000000000678DA-mapping.dmp

Download
memory/1092-96-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1092-104-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1092-94-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1092-98-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1244-64-0x0000000000570000-0x00000000005B2000-memory.dmp

Filesize
264KB

Download
memory/1244-65-0x0000000000570000-0x00000000005B2000-memory.dmp

Filesize
264KB

Download
memory/1244-62-0x0000000000570000-0x00000000005B2000-memory.dmp

Filesize
264KB

Download
memory/1244-67-0x0000000000570000-0x00000000005B2000-memory.dmp

Filesize
264KB

Download
memory/1244-66-0x0000000000570000-0x00000000005B2000-memory.dmp

Filesize
264KB

Download
memory/1348-73-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1348-72-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1348-71-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1348-70-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1412-79-0x0000000002730000-0x0000000002772000-memory.dmp

Filesize
264KB

Download
memory/1412-81-0x0000000002730000-0x0000000002772000-memory.dmp

Filesize
264KB

Download
memory/1412-85-0x0000000002730000-0x0000000002772000-memory.dmp

Filesize
264KB

Download
memory/1412-82-0x0000000002730000-0x0000000002772000-memory.dmp

Filesize
264KB

Download
memory/1944-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1944-90-0x00000000022E0000-0x0000000002322000-memory.dmp

Filesize
264KB

Download
memory/1944-91-0x00000000022E0000-0x0000000002322000-memory.dmp

Filesize
264KB

Download
memory/1944-89-0x00000000022E0000-0x0000000002322000-memory.dmp

Filesize
264KB

Download
memory/1944-88-0x00000000022E0000-0x0000000002322000-memory.dmp

Filesize
264KB

Download
memory/1944-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1944-76-0x00000000002D0000-0x000000000031C000-memory.dmp

Filesize
304KB

Download
memory/1944-74-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1944-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1944-101-0x00000000022E0000-0x0000000002322000-memory.dmp

Filesize
264KB

Download
memory/1944-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1944-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads