Analysis Overview
SHA256: 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
Threat Level: Known bad
The file 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-10-21 07:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-10-21 07:10
Reported: 2022-10-21 16:07
Platform: win7-20220901-en
Max time kernel: 166s
Max time network: 182s
Signatures
CyberGate, Rebhip
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(22 hits, none with recorded details)
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\server.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1684 set thread context of 336 | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | C:\Users\Admin\AppData\Roaming\FolderName\server.exe |
| PID 1700 set thread context of 1532 | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | C:\Users\Admin\AppData\Roaming\FolderName\server.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe | "C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\7109605.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "server" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" /f |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
Network
| Country | Destination | Domain | Proto |
| TR | 95.6.97.198:2121 | | tcp |
| TR | 176.240.164.204:2121 | | tcp |
| TR | 95.6.97.198:2121 | | tcp |
| TR | 176.240.164.204:2121 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7109605.bat
| MD5 | 30427ea9b824990e669b8a383ad42b73 |
| SHA1 | 9550aa03263d08a15cb8789c80043686712ac68b |
| SHA256 | c7addd0e470d90071c05c5e80ed6ca7bf8a968636b3b732bb735d90ceffdd2f4 |
| SHA512 | 475eb9b535fcc5eb26c1483a4ed0784af509bb195feaf9ceffab3ba6e7ba853590ebd25bd419c7e9846aeba9135f11d3996fef2b2db3e50a5a4f72070acd0d52 |
\Users\Admin\AppData\Roaming\FolderName\server.exe
| MD5 | 531590abb6298342e1ea7f7cf582f560 |
| SHA1 | 3211be2f4e1103860dd85d5eaf8f1886be1214f2 |
| SHA256 | 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300 |
| SHA512 | 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151 |
C:\Users\Admin\AppData\Roaming\FolderName\server.exe
| MD5 | 531590abb6298342e1ea7f7cf582f560 |
| SHA1 | 3211be2f4e1103860dd85d5eaf8f1886be1214f2 |
| SHA256 | 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300 |
| SHA512 | 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 78ec5e9296040c4cecc14210cb2bcd13 |
| SHA1 | 8183bcfab475fb5f35f9be4e8d7335ed57da7f6e |
| SHA256 | 8daf3aefd73885fe84d746a7f672e3032bf8f6fb01e5951d9c7c16e2251feddf |
| SHA512 | 3fd22d2745b7583c42b9abbae5e86d037b9161ff5410b7e78a655dfede7dc8ab9a617085ee4ddb06253fec77a41bd6d1e19cea6c29c3b3f05e7c1a13e5ec212e |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4063495947-34355257-727531523-1000\699c4b9cdebca7aaea5193cae8a50098_8e28fefd-2db0-4dd4-85d7-665f2cf2c74b
| MD5 | 5b63d4dd8c04c88c0e30e494ec6a609a |
| SHA1 | 884d5a8bdc25fe794dc22ef9518009dcf0069d09 |
| SHA256 | 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd |
| SHA512 | 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb |
Analysis: behavioral2
Detonation Overview
Submitted: 2022-10-21 07:10
Reported: 2022-10-21 16:07
Platform: win10v2004-20220812-en
Max time kernel: 165s
Max time network: 184s
Signatures
CyberGate, Rebhip
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(17 hits, none with recorded details)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\server.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 644 set thread context of 4972 | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | C:\Users\Admin\AppData\Roaming\FolderName\server.exe |
| PID 4276 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | C:\Users\Admin\AppData\Roaming\FolderName\server.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FolderName\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe | "C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240599187.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "server" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" /f |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
| C:\Users\Admin\AppData\Roaming\FolderName\server.exe | "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.45:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| IE | 13.69.239.73:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| TR | 95.6.97.198:2121 | | tcp |
| TR | 176.240.164.204:2121 | | tcp |
| TR | 95.6.97.198:2121 | | tcp |
| TR | 176.240.164.204:2121 | | tcp |
| TR | 95.6.97.198:2121 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\240599187.bat
| MD5 | 30427ea9b824990e669b8a383ad42b73 |
| SHA1 | 9550aa03263d08a15cb8789c80043686712ac68b |
| SHA256 | c7addd0e470d90071c05c5e80ed6ca7bf8a968636b3b732bb735d90ceffdd2f4 |
| SHA512 | 475eb9b535fcc5eb26c1483a4ed0784af509bb195feaf9ceffab3ba6e7ba853590ebd25bd419c7e9846aeba9135f11d3996fef2b2db3e50a5a4f72070acd0d52 |
C:\Users\Admin\AppData\Roaming\FolderName\server.exe
| MD5 | 531590abb6298342e1ea7f7cf582f560 |
| SHA1 | 3211be2f4e1103860dd85d5eaf8f1886be1214f2 |
| SHA256 | 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300 |
| SHA512 | 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151 |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 78ec5e9296040c4cecc14210cb2bcd13 |
| SHA1 | 8183bcfab475fb5f35f9be4e8d7335ed57da7f6e |
| SHA256 | 8daf3aefd73885fe84d746a7f672e3032bf8f6fb01e5951d9c7c16e2251feddf |
| SHA512 | 3fd22d2745b7583c42b9abbae5e86d037b9161ff5410b7e78a655dfede7dc8ab9a617085ee4ddb06253fec77a41bd6d1e19cea6c29c3b3f05e7c1a13e5ec212e |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\699c4b9cdebca7aaea5193cae8a50098_9be0bf4d-f8db-4af4-be85-dc38433c9501
| MD5 | 5b63d4dd8c04c88c0e30e494ec6a609a |
| SHA1 | 884d5a8bdc25fe794dc22ef9518009dcf0069d09 |
| SHA256 | 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd |
| SHA512 | 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb |