Analysis

max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 02:11

Static task: static1
Behavioral task: behavioral1
Sample: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Resource: win7-20220812-en
General

Target: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Size: 385KB
MD5: 03d814ec7f480f5e853828aa67b140a5
SHA1: e13ec9e24a5af82ae0b7cb567ad888955880e86c
SHA256: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365
SHA512: 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e
SSDEEP: 6144:kGytGByk8gPhzQOTSYRWjbMhWX+GBHhaOXkJ1BnJmgbIIeV172IdLdNZUpg:kGjBLxP/2TWJpmgkN172aN
Malware Config

Extracted

Family: cybergate
Version: 2.6
Botnet: vítima
C2: mallboro.zapto.org:81
Mutex: ***MUTEX***

Attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: spynet
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Adds policy Run key to start application 2 TTPs 16 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Executes dropped EXE 11 IoCs
pid | Process
4952 | server.exe
1752 | server.exe
4652 | server.exe
1900 | server.exe
2808 | server.exe
224 | server.exe
1676 | server.exe
1500 | server.exe
3020 | server.exe
4596 | server.exe
2500 | server.exe
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\SysWOW64\\spynet\\server.exe Restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe Restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W6L38C4A-I328-6KF2-HA27-7P3R7H4NHC40} | explorer.exe
resource | yara_rule
behavioral2/memory/1648-136-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1648-139-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1648-140-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1648-141-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1648-143-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/1648-148-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/3660-151-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/3660-154-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/1648-155-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1900-181-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/4652-182-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1676-199-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1900-200-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/1900-204-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/2808-203-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/2808-207-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/4652-210-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/1676-220-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/3020-221-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/2500-233-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral2/memory/2808-234-0x0000000024010000-0x0000000024072000-memory.dmp | upx
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | server.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | server.exe
Adds Run key to start application 2 TTPs 16 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe" | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File created | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File created | C:\Windows\SysWOW64\spynet\server.exe | server.exe
File created | C:\Windows\SysWOW64\spynet\server.exe | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
File opened for modification | C:\Windows\SysWOW64\spynet\server.exe | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
Suspicious use of SetThreadContext 6 IoCs
description | pid | Process | procid_target
PID 1456 set thread context of 1648 | 1456 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | 80
PID 4952 set thread context of 4652 | 4952 | server.exe | 84
PID 1752 set thread context of 1900 | 1752 | server.exe | 85
PID 224 set thread context of 1676 | 224 | server.exe | 88
PID 1500 set thread context of 3020 | 1500 | server.exe | 91
PID 4596 set thread context of 2500 | 4596 | server.exe | 96
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2936 | 3020 | WerFault.exe | 91
2864 | 2500 | WerFault.exe | 96
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2808 | server.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2808 | server.exe
Token: SeDebugPrivilege | 2808 | server.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
1648 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
1648 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
4652 | server.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1456 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
4952 | server.exe
1752 | server.exe
224 | server.exe
1500 | server.exe
4596 | server.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1456 wrote to memory of 1648 | 1456 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | 80
(the row above is listed 8 times in the report)
PID 1648 wrote to memory of 2616 | 1648 | 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe | 49
(the row above is listed 56 times in the report, making up the remainder of the 64 IoCs)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 2616

  [2] C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1456

    [3] C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365.exe"
        - Adds policy Run key to start application
        - Modifies Installed Components in the registry
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1648

      [4] C:\Windows\SysWOW64\explorer.exe
          Command line: explorer.exe
          - Adds policy Run key to start application
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          PID: 3660

        [5] C:\Windows\SysWOW64\spynet\server.exe
            Command line: "C:\Windows\system32\spynet\server.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID: 4952

          [6] C:\Windows\SysWOW64\spynet\server.exe
              Command line: "C:\Windows\SysWOW64\spynet\server.exe"
              - Adds policy Run key to start application
              - Executes dropped EXE
              - Modifies Installed Components in the registry
              - Checks computer location settings
              - Adds Run key to start application
              - Drops file in System32 directory
              - Suspicious use of FindShellTrayWindow
              PID: 4652

            [7] C:\Users\Admin\AppData\Roaming\spynet\server.exe
                Command line: "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 1500

              [8] C:\Users\Admin\AppData\Roaming\spynet\server.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
                  - Executes dropped EXE
                  PID: 3020

                [9] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 532
                    - Program crash
                    PID: 2936

        [5] C:\Windows\SysWOW64\spynet\server.exe
            Command line: "C:\Windows\system32\spynet\server.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID: 224

          [6] C:\Windows\SysWOW64\spynet\server.exe
              Command line: "C:\Windows\SysWOW64\spynet\server.exe"
              - Executes dropped EXE
              PID: 1676

      [4] C:\Windows\SysWOW64\spynet\server.exe
          Command line: "C:\Windows\system32\spynet\server.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          PID: 1752

        [5] C:\Windows\SysWOW64\spynet\server.exe
            Command line: "C:\Windows\SysWOW64\spynet\server.exe"
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Drops file in System32 directory
            PID: 1900

          [6] C:\Windows\SysWOW64\spynet\server.exe
              Command line: "C:\Windows\SysWOW64\spynet\server.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Modifies registry class
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              PID: 2808

            [7] C:\Users\Admin\AppData\Roaming\spynet\server.exe
                Command line: "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 4596

              [8] C:\Users\Admin\AppData\Roaming\spynet\server.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
                  - Executes dropped EXE
                  PID: 2500

                [9] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 532
                    - Program crash
                    PID: 2864

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3020 -ip 3020
    PID: 3700

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2500 -ip 2500
    PID: 2204
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 229KB
MD5: b1ef4948f470b5f85d608b1448862fcf
SHA1: 96aaceb48229d055c89469156f71de5d1e8984d5
SHA256: 18824ffee2f95c6a6948483ccca7a011c23ab44b11f14b62a4bae7ff2aa62e6e
SHA512: 553c40d3ec5ac7b756e041acb4dbe52af36c0b5b74f189be552246ea019109e9329512196dd9651e86056a491221f16b8a174ce7d176a720532a42e0d1ed007e

Filesize: 229KB
MD5: 703a4710246706488f49b14da0853e1f
SHA1: e4226dc1d0ab1edc855c4ad0589b1f1a350a52d7
SHA256: 9e4704b2428037f2acc4d0123a9083ffd690ce50aea74ae1b1b1e7c8050de66f
SHA512: 4d79edefdf98665123ed39d327116b64398c6ca538769eb319aac52ba286ee456b8fd9117c45cd7fef2d1b36163048aaaa0d90706c3d1f9892a22697f0dd596b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\699c4b9cdebca7aaea5193cae8a50098_e32e1c79-b88e-4709-94fb-81034ca3398e
Filesize: 50B
MD5: 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1: 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256: 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512: 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Filesize: 385KB
MD5: 03d814ec7f480f5e853828aa67b140a5
SHA1: e13ec9e24a5af82ae0b7cb567ad888955880e86c
SHA256: 1a1abbc308beabfbd18dde45691fbea48da3131a97f52182ebfc7ac8867ec365
SHA512: 8b7a63db0abc54586c6804d6458fd18d9d054db83d87183e15e457ed32ca47ddebc73424715c8efff8c9efae30342d8aa2beca46c71ff35dcf3ecb741905362e
(this entry, whose hashes match the submitted sample, is listed 13 times in the report's download list)