Analysis
max time kernel: 151s
max time network: 88s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 19/09/2022, 02:11
Static task: static1
Behavioral task: behavioral1
Sample: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Resource: win7-20220812-en
General
Target: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Size: 385KB
MD5: 03d814ec7f480f5e853828aa67b140a5
SHA1: e13ec9e24a5af82ae0b7cb567ad888955880e86c
SHA256: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365
SHA512: 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e
SSDEEP: 6144:kGytGByk8gPhzQOTSYRWjbMhWX+GBHhaOXkJ1BnJmgbIIeV172IdLdNZUpg:kGjBLxP/2TWJpmgkN172aN
Malware Config
Extracted
cybergate
2.6
vítima
mallboro.zapto.org:81
***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: spynet
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Adds policy Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe

Executes dropped EXE (12 IoCs)
pid | Process
796 | server.exe
1412 | server.exe
1040 | server.exe
1672 | server.exe
556 | server.exe
1444 | server.exe
1560 | server.exe
992 | server.exe
952 | server.exe
1676 | server.exe
912 | server.exe
1664 | server.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\SysWOW64\\spynet\\server.exe Restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe Restart" | server.exe

resource | yara_rule
behavioral1/memory/1944-58-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1944-60-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1944-61-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1944-65-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1944-67-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1944-68-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1944-69-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1944-71-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral1/memory/1944-80-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/1532-85-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/1532-86-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/1944-95-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1412-108-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1412-109-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1412-110-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1412-123-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/556-147-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/556-150-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1444-154-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/556-155-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/992-179-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1532-178-0x0000000003BC0000-0x0000000003C1B000-memory.dmp | upx
behavioral1/memory/1532-176-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/556-188-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral1/memory/556-194-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1444-203-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1676-225-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral1/memory/1664-226-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/952-228-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral1/memory/992-229-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1664-230-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/952-231-0x0000000024010000-0x0000000024072000-memory.dmp | upx

Loads dropped DLL (13 IoCs)
pid | Process
1944 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
1944 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
1532 | explorer.exe
1532 | explorer.exe
1412 | server.exe
1412 | server.exe
1532 | explorer.exe
1532 | explorer.exe
1372 | WerFault.exe
1372 | WerFault.exe
1372 | WerFault.exe
1372 | WerFault.exe
1372 | WerFault.exe

Adds Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe

Drops file in System32 directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File created | C:\Windows\SysWOW64\spynet\server.exe | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File created | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | server.exe

Suspicious use of SetThreadContext (6 IoCs)
description | pid | Process | procid_target
PID 1112 set thread context of 1944 | 1112 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | 28
PID 796 set thread context of 1412 | 796 | server.exe | 31
PID 1040 set thread context of 556 | 1040 | server.exe | 33
PID 1672 set thread context of 1444 | 1672 | server.exe | 35
PID 1560 set thread context of 992 | 1560 | server.exe | 37
PID 912 set thread context of 1664 | 912 | server.exe | 42

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1372 | 1676 | WerFault.exe | 38

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
952 | server.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 952 | server.exe
Token: SeDebugPrivilege | 952 | server.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
1944 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
1944 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
1412 | server.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
1112 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
796 | server.exe
1040 | server.exe
1672 | server.exe
1560 | server.exe
912 | server.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1112 wrote to memory of 1944 | 1112 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | 28 (8 identical rows)
PID 1944 wrote to memory of 1284 | 1944 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | 15 (56 identical rows)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1284

  C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1112

    C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1944

      C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        - Adds policy Run key to start application
        - Modifies Installed Components in the registry
        - Loads dropped DLL
        - Adds Run key to start application
        PID: 1532

        C:\Windows\SysWOW64\spynet\server.exe
          Command line: "C:\Windows\system32\spynet\server.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          PID: 1040

          C:\Windows\SysWOW64\spynet\server.exe
            Command line: "C:\Windows\SysWOW64\spynet\server.exe"
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Drops file in System32 directory
            PID: 556

            C:\Windows\SysWOW64\spynet\server.exe
              Command line: "C:\Windows\SysWOW64\spynet\server.exe"
              - Executes dropped EXE
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID: 952

              C:\Windows\SysWOW64\spynet\server.exe
                Command line: "C:\Windows\SysWOW64\spynet\server.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 912

                C:\Windows\SysWOW64\spynet\server.exe
                  Command line: "C:\Windows\SysWOW64\spynet\server.exe"
                  - Executes dropped EXE
                  PID: 1664

        C:\Windows\SysWOW64\spynet\server.exe
          Command line: "C:\Windows\system32\spynet\server.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          PID: 1560

          C:\Windows\SysWOW64\spynet\server.exe
            Command line: "C:\Windows\SysWOW64\spynet\server.exe"
            - Executes dropped EXE
            PID: 992

      C:\Windows\SysWOW64\spynet\server.exe
        Command line: "C:\Windows\system32\spynet\server.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 796

        C:\Windows\SysWOW64\spynet\server.exe
          Command line: "C:\Windows\SysWOW64\spynet\server.exe"
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Modifies Installed Components in the registry
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious use of FindShellTrayWindow
          PID: 1412

          C:\Users\Admin\AppData\Roaming\spynet\server.exe
            Command line: "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID: 1672

            C:\Users\Admin\AppData\Roaming\spynet\server.exe
              Command line: "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              PID: 1444

              C:\Users\Admin\AppData\Roaming\spynet\server.exe
                Command line: "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
                - Executes dropped EXE
                PID: 1676

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 424
                  - Loads dropped DLL
                  - Program crash
                  PID: 1372
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 64KB
MD5: 5a3dd26b1bcb08a974bc03e65b5cd7ce
SHA1: 935d2b9ef80c8772c89fbc34b0ab25798e8bfd5d
SHA256: 4ab2e19bf07cdd6e1056d4025c9eac9791c9d639aec7e1003991e7622648bc14
SHA512: 6081210051d926c45ac4f4befbab0ccd2cf7448052ed97467edbbaa6edbcde5460db007172ed3ba9d7e06187cb40b790149c2f3b53d04503df875037b1f3746b

Filesize: 229KB (2 identical entries)
MD5: 9d69816cb0416875f1f60eaa139df185
SHA1: 203e6a64d9b0f8699b2c2ba332091ec7794b4c9e
SHA256: 93d1bc5801744902380d35cb4ff22215b88846c0ba4b1230c198fff5e65d1c09
SHA512: b8eebac9ef5ca796af4a14f9c762b96961d17bdd09064e2f9898cc1ee4bb56e1493d88cbbd6865d682569a3cd39de582f6d80887db69651da3da4d064543c9cf

Filesize: 229KB
MD5: b1ef4948f470b5f85d608b1448862fcf
SHA1: 96aaceb48229d055c89469156f71de5d1e8984d5
SHA256: 18824ffee2f95c6a6948483ccca7a011c23ab44b11f14b62a4bae7ff2aa62e6e
SHA512: 553c40d3ec5ac7b756e041acb4dbe52af36c0b5b74f189be552246ea019109e9329512196dd9651e86056a491221f16b8a174ce7d176a720532a42e0d1ed007e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\699c4b9cdebca7aaea5193cae8a50098_7725c12a-7257-458e-a47f-7029d9191548
Filesize: 50B
MD5: 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1: 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256: 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512: 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Filesize: 385KB (27 identical entries; same hashes as the submitted sample)
MD5: 03d814ec7f480f5e853828aa67b140a5
SHA1: e13ec9e24a5af82ae0b7cb567ad888955880e86c
SHA256: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365
SHA512: 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e