cybergate | 4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7

General

Target

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Size

281KB
MD5

5b36b3995a5069b87122954451d6d160
SHA1

a8d27a0cb5b31e3a0421e5d0bcf34ebdae3baa15
SHA256

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7
SHA512

b1f7fa2ce292465199b8d7cd0e403a13c33b6416f7694e79c97918bcdb47de70f2805151775e5e324653b5260512ad2874479a8aa817b5ca93ee56c0dfa55ad9
SSDEEP

6144:gScrLM4mp8D6WGc/YSlIipBReubLzeh7Yy0DMIdeXijL:xczy78QSVnNyhsFMCeSjL

Score

10^/10

cybergate hacker persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

Hacker

C2

ttttt.no-ip.org:999

Mutex

8O16A0RR43WCEC

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
dwm.exe
install_dir
dwm
install_file
dwm.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
999
regkey_hkcu
New
regkey_hklm
dwm

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Help = "C:\\Windows\\system32\\dwm\\dwm.exe"	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Help = "C:\\Windows\\system32\\dwm\\dwm.exe"	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5RKUF3IW-P6PG-2KBL-W7HS-55HD6Y1IVJAT}	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5RKUF3IW-P6PG-2KBL-W7HS-55HD6Y1IVJAT}\StubPath = "C:\\Windows\\system32\\dwm\\dwm.exe Restart"	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5RKUF3IW-P6PG-2KBL-W7HS-55HD6Y1IVJAT}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5RKUF3IW-P6PG-2KBL-W7HS-55HD6Y1IVJAT}\StubPath = "C:\\Windows\\system32\\dwm\\dwm.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1344-133-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral2/memory/1344-138-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/1684-141-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/1684-144-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/1344-146-0x00000000005D0000-0x0000000000642000-memory.dmp	upx
behavioral2/memory/1344-151-0x0000000010510000-0x0000000010582000-memory.dmp	upx
behavioral2/memory/1772-154-0x0000000010510000-0x0000000010582000-memory.dmp	upx
behavioral2/memory/1772-155-0x0000000010510000-0x0000000010582000-memory.dmp	upx
behavioral2/memory/1772-156-0x0000000010510000-0x0000000010582000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Windows\\system32\\dwm\\dwm.exe"	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New = "C:\\Windows\\system32\\dwm\\dwm.exe"	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

Drops file in System32 directory 4 IoCs

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dwm\dwm.exe	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
File opened for modification	C:\Windows\SysWOW64\dwm\dwm.exe	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
File opened for modification	C:\Windows\SysWOW64\dwm\dwm.exe	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
File opened for modification	C:\Windows\SysWOW64\dwm\	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

pid	process
1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

pid process

1772 4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

pid	process
1772	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exe4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

description	pid	process
Token: SeBackupPrivilege	1684	explorer.exe
Token: SeRestorePrivilege	1684	explorer.exe
Token: SeBackupPrivilege	1772	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Token: SeRestorePrivilege	1772	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Token: SeDebugPrivilege	1772	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
Token: SeDebugPrivilege	1772	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

pid process

1344 4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

description	pid	process	target process
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE
PID 1344 wrote to memory of 2948	1344	4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
"C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe
"C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
236KB

MD5
6c81de7c02975ae990533a142c582dcd

SHA1
cc875aa6426d3359a48a520643f542c760b6308a

SHA256
d82a7a38e298f9bc3f73d0d73c9b38b4428b373f567afb11206aa5a82c232a1a

SHA512
6bae5797d69ec554c690a603e7b9632541b81abd71f745cf7e436dcd2ccfbab930952d81ebfacdfad0c609a3f6ebb9c4b79c3864178a42d40e379bbc7d5d8679

Download Submit
C:\Windows\SysWOW64\dwm\dwm.exe
Filesize
281KB

MD5
5b36b3995a5069b87122954451d6d160

SHA1
a8d27a0cb5b31e3a0421e5d0bcf34ebdae3baa15

SHA256
4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7

SHA512
b1f7fa2ce292465199b8d7cd0e403a13c33b6416f7694e79c97918bcdb47de70f2805151775e5e324653b5260512ad2874479a8aa817b5ca93ee56c0dfa55ad9

Download Submit
memory/1344-146-0x00000000005D0000-0x0000000000642000-memory.dmp

Filesize
456KB

Download
memory/1344-151-0x0000000010510000-0x0000000010582000-memory.dmp

Filesize
456KB

Download
memory/1344-138-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1344-133-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/1684-141-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1684-144-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1684-137-0x0000000000000000-mapping.dmp

Download
memory/1772-150-0x0000000000000000-mapping.dmp

Download
memory/1772-154-0x0000000010510000-0x0000000010582000-memory.dmp

Filesize
456KB

Download
memory/1772-155-0x0000000010510000-0x0000000010582000-memory.dmp

Filesize
456KB

Download
memory/1772-156-0x0000000010510000-0x0000000010582000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads