cybergate | 3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1

General

Target

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Size

676KB
MD5

92f7c3b8ada8735da4ca4f9669dcff32
SHA1

8e8de3741b203119fd65ded1f84e114c7e46c3f2
SHA256

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1
SHA512

15f9a7042de080eab4ca504ed2450e73ed87f7f4283529180777d2a8e91d94b1a90efddb0dc08732459f738ff8d3abfb913447a8364942bc22a51a89106721dd

Score

10^/10

cybergate pb persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

PB

C2

kauan0802.duckdns.org:5000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Esse Software não e Compativel Com essa versão do windows
message_box_title
Windows
password
123
regkey_hkcu
Sistema Operacional 64x
regkey_hklm
Windows Defender

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\explorer.exe"	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System\\explorer.exe"	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Executes dropped EXE 3 IoCs

Processes:

AutoXP [PBBR] -.exeGerador de Cash 2016.exeexplorer.exe

pid process

4632 AutoXP [PBBR] -.exe
2072 Gerador de Cash 2016.exe
1224 explorer.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4632	AutoXP [PBBR] -.exe
2072	Gerador de Cash 2016.exe
1224	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3004-131-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3004-136-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1992-139-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1992-140-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3004-144-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3004-149-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4176-152-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4176-153-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Windows\\System\\explorer.exe"	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sistema Operacional 64x = "C:\\Windows\\System\\explorer.exe"	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Drops file in Windows directory 4 IoCs

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

description	ioc	process
File created	C:\Windows\System\explorer.exe	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
File opened for modification	C:\Windows\System\explorer.exe	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
File opened for modification	C:\Windows\System\explorer.exe	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
File opened for modification	C:\Windows\System\	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5108 1224 WerFault.exe explorer.exe

pid	pid_target	process	target process
5108	1224	WerFault.exe	explorer.exe

Modifies registry class 1 IoCs

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

pid	process
3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

pid process

4176 3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

pid	process
4176	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

description	pid	process
Token: SeDebugPrivilege	4176	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
Token: SeDebugPrivilege	4176	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

pid process

3004 3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe

description	pid	process	target process
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE
PID 3004 wrote to memory of 3304	3004	3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
"C:\Users\Admin\AppData\Local\Temp\3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe
"C:\Users\Admin\AppData\Local\Temp\3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1.exe"
3⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe
"C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe"
4⤵
- Executes dropped EXE
PID:4632

C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe
"C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe"
4⤵
- Executes dropped EXE
PID:2072

C:\Windows\System\explorer.exe
"C:\Windows\System\explorer.exe"
4⤵
- Executes dropped EXE
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 576
5⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1224 -ip 1224
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe
Filesize
299KB

MD5
bf29f3a4bdbee79c0da3717aa44338ef

SHA1
ca7f07e95e428d3f46c5fddff15b3caeb03eea30

SHA256
8af5ba7c1318cf44c818238137109ef7cea0be0853853614168d2f1ce514798d

SHA512
1b8f565304c501abe5c6c71cc8ea4226b4ab445d02bda73ff8d53722ecf68cdb0307f45ffe1f857e73d2d1b5f255903cbef3b18e321ec2de5abb605fb83f4b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe
Filesize
299KB

MD5
bf29f3a4bdbee79c0da3717aa44338ef

SHA1
ca7f07e95e428d3f46c5fddff15b3caeb03eea30

SHA256
8af5ba7c1318cf44c818238137109ef7cea0be0853853614168d2f1ce514798d

SHA512
1b8f565304c501abe5c6c71cc8ea4226b4ab445d02bda73ff8d53722ecf68cdb0307f45ffe1f857e73d2d1b5f255903cbef3b18e321ec2de5abb605fb83f4b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe
Filesize
62KB

MD5
d4cd3008892010115bf02ce8b9f06347

SHA1
c7ddf6c6b5ffb32d62b057039e0a0e5700ca1fe6

SHA256
0500d89f67d7f34d582a8a4bdf8f0e4a31c20095cc289c40830dd60873348624

SHA512
e7c188b4989b5c3cc5bf03dd5a2eac251fbe640294672238ec2f11f228ebee0c949b62325cf44a9f77b8402de4e0bab0c9ba8b37991ac93d4386aaf05aee2635

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe
Filesize
62KB

MD5
d4cd3008892010115bf02ce8b9f06347

SHA1
c7ddf6c6b5ffb32d62b057039e0a0e5700ca1fe6

SHA256
0500d89f67d7f34d582a8a4bdf8f0e4a31c20095cc289c40830dd60873348624

SHA512
e7c188b4989b5c3cc5bf03dd5a2eac251fbe640294672238ec2f11f228ebee0c949b62325cf44a9f77b8402de4e0bab0c9ba8b37991ac93d4386aaf05aee2635

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
591KB

MD5
29ee39f1da137929f098de7ea82fc8ba

SHA1
7475ba12e26abf1d8887987cacaee8b7147f4243

SHA256
09a7ee57e3cbd5571e7183987850d34ee31c9bb4f6cc851568b62d327b69aace

SHA512
0c8880a061d7eceea1a877661ea041d58aa03e9513ca0a127ce09a50265b5212670ab1f2871915aaa9902c952b7795f6c4b06465cdbbfe5d8bd6c0dea3b2412d

Download Submit
C:\Windows\System\explorer.exe
Filesize
676KB

MD5
92f7c3b8ada8735da4ca4f9669dcff32

SHA1
8e8de3741b203119fd65ded1f84e114c7e46c3f2

SHA256
3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1

SHA512
15f9a7042de080eab4ca504ed2450e73ed87f7f4283529180777d2a8e91d94b1a90efddb0dc08732459f738ff8d3abfb913447a8364942bc22a51a89106721dd

Download Submit
C:\Windows\System\explorer.exe
Filesize
676KB

MD5
92f7c3b8ada8735da4ca4f9669dcff32

SHA1
8e8de3741b203119fd65ded1f84e114c7e46c3f2

SHA256
3f2ba691bdc22a1debdbe20ff59d56d611f1491b08eba4bb7286a14ea3dc7ba1

SHA512
15f9a7042de080eab4ca504ed2450e73ed87f7f4283529180777d2a8e91d94b1a90efddb0dc08732459f738ff8d3abfb913447a8364942bc22a51a89106721dd

Download Submit
memory/1224-162-0x0000000000000000-mapping.dmp

Download
memory/1992-140-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1992-135-0x0000000000000000-mapping.dmp

Download
memory/1992-139-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2072-157-0x0000000000000000-mapping.dmp

Download
memory/3004-136-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3004-131-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3004-149-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3004-144-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4176-148-0x0000000000000000-mapping.dmp

Download
memory/4176-153-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4176-152-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4632-161-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/4632-154-0x0000000000000000-mapping.dmp

Download
memory/4632-160-0x0000000000EB0000-0x0000000000F04000-memory.dmp

Filesize
336KB

Download
memory/4632-164-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/4632-165-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/4632-166-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/4632-167-0x0000000005BE0000-0x0000000005C36000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads