cybergate | 64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Size

404KB
MD5

064d1630dfcc620f0632856805d86bec
SHA1

52313bed2302a45d985099eb6752e8b10e10e88e
SHA256

64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd
SHA512

160cd6ee3dbf055ec26f5844cda9f6c8dc163295a890f39519f0330139381849f19ee7cb0f12dba47b013a1f97c6aa5592e0f658b54199c86ceda50c7379de86
SSDEEP

6144:P87+LaxrSm3P4NXouMF2VC4K4dwfZtIb6UKTblN5zMCycMq5jgFrayF9vqJ2eM9A:pWxrSmGMd4KKAZt+4HH/MYKrbFehgm35

Score

10^/10

cybergate 260113+persistence stealer trojan upx vmprotect

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

260113+

88.167.71.61:82

Mutex

6V338DBOKL417J

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
224444

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	server.exe
2832	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DVU76V-C2YX-AOKB-3WPO-0DC61U152O00}	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DVU76V-C2YX-AOKB-3WPO-0DC61U152O00}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DVU76V-C2YX-AOKB-3WPO-0DC61U152O00}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36DVU76V-C2YX-AOKB-3WPO-0DC61U152O00}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4964-143-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4964-148-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2352-151-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2352-154-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4964-157-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/4776-160-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/4776-163-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/4776-177-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4400-132-0x0000000000400000-0x000000000046A000-memory.dmp	vmprotect
behavioral2/files/0x00030000000006ff-153.dat	vmprotect
behavioral2/memory/4776-162-0x0000000000400000-0x000000000046A000-memory.dmp	vmprotect
behavioral2/files/0x00030000000006ff-165.dat	vmprotect
behavioral2/memory/1952-166-0x0000000000400000-0x000000000046A000-memory.dmp	vmprotect
behavioral2/files/0x00030000000006ff-172.dat	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4400 set thread context of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 set thread context of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 1952 set thread context of 4644	1952	server.exe	91
PID 1952 set thread context of 2832	1952	server.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995078"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47162E6A-5E79-11ED-B696-EE6CABA3804C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995078"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374576025"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995078"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995078"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "514949180"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "466043475"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "466043475"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "473543056"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4776	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
984	iexplore.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2352	explorer.exe
Token: SeRestorePrivilege	2352	explorer.exe
Token: SeBackupPrivilege	4776	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Token: SeRestorePrivilege	4776	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Token: SeDebugPrivilege	4776	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
Token: SeDebugPrivilege	4776	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
984	iexplore.exe
4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
984	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
984	iexplore.exe
984	iexplore.exe
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
984	iexplore.exe
984	iexplore.exe
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 1184	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	81
PID 4400 wrote to memory of 1184	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	81
PID 4400 wrote to memory of 1184	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	81
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 4400 wrote to memory of 984	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	82
PID 1184 wrote to memory of 4860	1184	cmd.exe	84
PID 1184 wrote to memory of 4860	1184	cmd.exe	84
PID 1184 wrote to memory of 4860	1184	cmd.exe	84
PID 4860 wrote to memory of 4900	4860	net.exe	85
PID 4860 wrote to memory of 4900	4860	net.exe	85
PID 4860 wrote to memory of 4900	4860	net.exe	85
PID 984 wrote to memory of 2264	984	iexplore.exe	86
PID 984 wrote to memory of 2264	984	iexplore.exe	86
PID 984 wrote to memory of 2264	984	iexplore.exe	86
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4400 wrote to memory of 4964	4400	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	87
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26
PID 4964 wrote to memory of 1084	4964	64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe	26

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1084
- C:\Users\Admin\AppData\Local\Temp\64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
  "C:\Users\Admin\AppData\Local\Temp\64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    /c net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:4900
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2264
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:82948 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
    C:\Users\Admin\AppData\Local\Temp\64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe
      "C:\Users\Admin\AppData\Local\Temp\64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4776
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        
        PID:4644
      - C:\Windows\SysWOW64\cmd.exe
        
        /c net stop MpsSvc
        6⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\net.exe
        
        net stop MpsSvc
        7⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        8⤵
        
        PID:1836
      - C:\Windows\SysWOW64\install\server.exe
        
        C:\Windows\SysWOW64\install\server.exe
        6⤵
        Executes dropped EXE
        
        PID:2832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0ef90204485649be625ea2be1b9018fb

SHA1
28fbc0852140ec51d0c097a4962a160afa4d754b

SHA256
c8028acd9a8c8c795b87cf835fc3182d003264608f161baa0ca020711b22bca0

SHA512
b8bbba0dcc6cb6f87efb47a605953c93fcf93c5a65520b822ebfee25754632d6bb66c2a946f457e1e40a92556683ddb9d14f2703782833e12d7e37bb3b7fcec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
9c241390f7e5e60a145f42e0aa5af9c7

SHA1
f67443e29c6604f3bf41e40282550ca50fc7c236

SHA256
0a7d008465ba0e125d46276caa5e0d9fb8fa5a17b1aedd211eaded2fc242fab7

SHA512
5075402e1ba60f3ddda9f0b03b59433b401e3fab75faf55618f1d9ad393830447510088e9e67b6c71e122937ac862291c0842df85deabf2d8ae6219d443b6d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
5b7b1416ef840e2ce41a88ec3f88b81d

SHA1
91e2be9d89f6bbc5216d95d56c7d4d5a541adc0a

SHA256
a055f3922ece11ff07df3110db4edadb07dec5340b111b7af1f79dfc0fce6eae

SHA512
55c438056642224a34a3f6657fdb388233ed6d0af9f58edc41f24caf852dd93bca3dfc0a00e6e14130f2037956fa8629f51300c3cb493494bc91c5ee95ba8fe9

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
404KB

MD5
064d1630dfcc620f0632856805d86bec

SHA1
52313bed2302a45d985099eb6752e8b10e10e88e

SHA256
64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd

SHA512
160cd6ee3dbf055ec26f5844cda9f6c8dc163295a890f39519f0330139381849f19ee7cb0f12dba47b013a1f97c6aa5592e0f658b54199c86ceda50c7379de86

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
404KB

MD5
064d1630dfcc620f0632856805d86bec

SHA1
52313bed2302a45d985099eb6752e8b10e10e88e

SHA256
64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd

SHA512
160cd6ee3dbf055ec26f5844cda9f6c8dc163295a890f39519f0330139381849f19ee7cb0f12dba47b013a1f97c6aa5592e0f658b54199c86ceda50c7379de86

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
404KB

MD5
064d1630dfcc620f0632856805d86bec

SHA1
52313bed2302a45d985099eb6752e8b10e10e88e

SHA256
64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd

SHA512
160cd6ee3dbf055ec26f5844cda9f6c8dc163295a890f39519f0330139381849f19ee7cb0f12dba47b013a1f97c6aa5592e0f658b54199c86ceda50c7379de86

Download Submit
memory/1952-166-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2352-154-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2352-151-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2832-176-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2832-174-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2832-175-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4400-132-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4400-136-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4776-177-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4776-163-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4776-162-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4776-160-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4964-141-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4964-161-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4964-157-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4964-148-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4964-143-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4964-140-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4964-139-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4964-138-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads