cybergate | 70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Size

384KB
MD5

80bbdeb6bbcb978fe1f233029ef56178
SHA1

a9893ac9a93f2e51adb4650ee8b691fd5a549beb
SHA256

70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26
SHA512

bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a
SSDEEP

6144:X4ABF94EpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXKzoeOFXfdOVpdLqaJfB5:oUKGLE0kuGnESBzwe1Z7

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

127.0.0.1:999

Mutex

QG7QHMSDDTB41D

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
828	server.exe
896	server.exe
1708	server.exe
1892	server.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86KC7X4O-H8C8-XA87-7I8Y-8AY4XLQRU77X}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	server.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1224-56-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/1224-65-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1668-70-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1668-73-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1224-75-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral1/memory/1224-92-0x0000000010560000-0x00000000105C1000-memory.dmp	upx
behavioral1/memory/288-97-0x0000000010560000-0x00000000105C1000-memory.dmp	upx
behavioral1/memory/288-100-0x0000000010560000-0x00000000105C1000-memory.dmp	upx
behavioral1/memory/828-126-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1708-131-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1676-136-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1708-137-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/288-144-0x0000000010560000-0x00000000105C1000-memory.dmp	upx

Loads dropped DLL 13 IoCs

pid	Process
1668	explorer.exe
1668	explorer.exe
1668	explorer.exe
1668	explorer.exe
1676	server.exe
972	WerFault.exe
972	WerFault.exe
972	WerFault.exe
904	WerFault.exe
904	WerFault.exe
904	WerFault.exe
288	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
288	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
972	1676	WerFault.exe	35
904	1708	WerFault.exe	36

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
828	server.exe
896	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
288	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	288	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
Token: SeDebugPrivilege	288	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15
PID 1224 wrote to memory of 1256	1224	70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
  "C:\Users\Admin\AppData\Local\Temp\70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1668
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:828
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:1708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 504
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:904
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      Modifies Installed Components in the registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\SysWOW64\install\server.exe"
        5⤵
        Loads dropped DLL
        
        PID:1676
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 496
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:972
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe
    "C:\Users\Admin\AppData\Local\Temp\70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:288
  - - C:\Users\Admin\AppData\Roaming\install\server.exe
      "C:\Users\Admin\AppData\Roaming\install\server.exe"
      4⤵
      Executes dropped EXE
      PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
181a3fa4a1e9fb8038ce50d648166f86

SHA1
64d7d0d98e4382da17cf391328c8ad5425691879

SHA256
abe687aaa76cf21269faa8be03137119a03c7e50e4d204162008d7b0f707e261

SHA512
824dd1ac4dc2de46ca60faac04dc529da01220a277e14ed96b43ee315206507d101bddd0518cdd4af9d730b819c480094e808076d71e3737d2aa513f64547f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
bcd02d43ee2d5bd5ab0f1743761e9fba

SHA1
5ac2df821e1a8bd2c42a3e4e8fd40255ed8d1866

SHA256
caea382c2a3ea4488054791ce775441872bdd18c8943a3518f812932dd34bb50

SHA512
d73399947689e9a5fa61882ddcd908b571e3e17c745769110378e3283142363b4d203867cb27d1057e5a7027dae686a532ffa73e90927bb08ad363b49be9d307

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
bcd02d43ee2d5bd5ab0f1743761e9fba

SHA1
5ac2df821e1a8bd2c42a3e4e8fd40255ed8d1866

SHA256
caea382c2a3ea4488054791ce775441872bdd18c8943a3518f812932dd34bb50

SHA512
d73399947689e9a5fa61882ddcd908b571e3e17c745769110378e3283142363b4d203867cb27d1057e5a7027dae686a532ffa73e90927bb08ad363b49be9d307

Download Submit
C:\Users\Admin\AppData\Roaming\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
C:\Users\Admin\AppData\Roaming\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Users\Admin\AppData\Roaming\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Users\Admin\AppData\Roaming\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
\Windows\SysWOW64\install\server.exe

Filesize
384KB

MD5
80bbdeb6bbcb978fe1f233029ef56178

SHA1
a9893ac9a93f2e51adb4650ee8b691fd5a549beb

SHA256
70f1097dfb7efda0bdf21f8b028ec68188dc45f914da208f8a071b956de11a26

SHA512
bfd69001214aca3bbf8e799b904c63915458dcbbfca747330cd9563b049ed7399c124150dab8c950bb9a47cf33415609edd411b795cb1bba0c8279c602a3729a

Download Submit
memory/288-97-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/288-144-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/288-100-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/828-126-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1224-92-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/1224-56-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1224-65-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1224-75-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1256-59-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1668-73-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1668-70-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1668-64-0x0000000074921000-0x0000000074923000-memory.dmp

Filesize
8KB

Download
memory/1676-136-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1708-137-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1708-131-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download