cybergate | f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

General

Target

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Size

482KB
MD5

2d677ed795661959e60196d2892256b0
SHA1

684d7f89ffc1822a10c8824d8c8da7079eca292a
SHA256

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196
SHA512

eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9
SSDEEP

12288:9t2qQ7T6HFn3oRI2h11WoUXuTiN8FhNlJo2:OvyHFn4PBSYRFhny2

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

C2

kbchorizo.no-ip.org:81

infeccioneszc.no-ip.org:81

Mutex

infeccion

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Win32
install_file
winloader.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Your windows is not compatibility! error 503
message_box_title
título da mensagem
password
zc
regkey_hkcu
Placa mother
regkey_hklm
Tarjeta de video

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

Executes dropped EXE 2 IoCs

Processes:

winloader.exewinloader.exe

pid process

4404 winloader.exe
228 winloader.exe

pid	process
4404	winloader.exe
228	winloader.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe Restart"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B65C2GT8-032Y-6N2J-CGKK-HOR37F31M65N}\StubPath = "C:\\Win32\\winloader.exe"	explorer.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2920-133-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2920-135-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2920-136-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2920-137-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2920-138-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/2920-140-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/2920-145-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/5060-148-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/5060-149-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2920-152-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3188-155-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/2920-156-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/3188-157-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/228-166-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/228-167-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/228-168-0x0000000000400000-0x00000000004DD000-memory.dmp	upx
behavioral2/memory/5060-169-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3188-170-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/228-171-0x0000000000400000-0x00000000004DD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Tarjeta de video = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Placa mother = "C:\\Win32\\winloader.exe"	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exewinloader.exe

description	pid	process	target process
PID 4988 set thread context of 2920	4988	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 4404 set thread context of 228	4404	winloader.exe	winloader.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4040 228 WerFault.exe winloader.exe
Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe

pid	pid_target	process	target process
4040	228	WerFault.exe	winloader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

pid	process
2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

5060 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 5060 explorer.exe
Token: SeDebugPrivilege 5060 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

pid process

2920 f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

pid	process
5060	explorer.exe

description	pid	process
Token: SeDebugPrivilege	5060	explorer.exe
Token: SeDebugPrivilege	5060	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exef8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe

description	pid	process	target process
PID 4988 wrote to memory of 2920	4988	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 4988 wrote to memory of 2920	4988	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 4988 wrote to memory of 2920	4988	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 4988 wrote to memory of 2920	4988	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 4988 wrote to memory of 2920	4988	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE
PID 2920 wrote to memory of 2720	2920	f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
"C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
C:\Users\Admin\AppData\Local\Temp\f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Win32\winloader.exe
"C:\Win32\winloader.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4404

C:\Win32\winloader.exe
C:\Win32\winloader.exe
6⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 536
7⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 228 -ip 228
1⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
0d636aa26187398d0858250cc1c4c4fa

SHA1
b2ccf76344d2d9ad769898e66fa45616466f6527

SHA256
b087ceee417c34a825f52c98bba9b3a5eaa828ed5f5074e3750f6b7e76ab106d

SHA512
237cc3d0514b75e79b894ccbd24cdfa170850203b9dfe8cb79fc194c797c5fc2db138380e65e44a5a026f849137ec612832b208e8c3ba4db63807d5daa6a6010

Download Submit
C:\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
C:\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
C:\Win32\winloader.exe
Filesize
482KB

MD5
2d677ed795661959e60196d2892256b0

SHA1
684d7f89ffc1822a10c8824d8c8da7079eca292a

SHA256
f8829e7ec8b6dafa283f5ee01ea265f009f650d1cee1210aef7517408b491196

SHA512
eb11aa99ec8c1e658941b57a843be6ab8af6ffbee2d613d92d52cc01713505531255e55f5ef2e4d226ded8464c2cc892767b96358b41a545d3dd78bb8068c6f9

Download Submit
memory/228-171-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/228-168-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/228-167-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/228-166-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/228-162-0x0000000000000000-mapping.dmp

Download
memory/2920-156-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2920-137-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2920-133-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2920-152-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/2920-135-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2920-132-0x0000000000000000-mapping.dmp

Download
memory/2920-136-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2920-138-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2920-145-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2920-140-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3188-157-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/3188-155-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/3188-170-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/3188-151-0x0000000000000000-mapping.dmp

Download
memory/4404-160-0x0000000000000000-mapping.dmp

Download
memory/5060-144-0x0000000000000000-mapping.dmp

Download
memory/5060-148-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5060-149-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/5060-169-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads