Analysis
max time kernel: 151s
max time network: 141s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 09:07
Static task: static1
Behavioral task: behavioral1
  Sample: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
  Resource: win10v2004-20220901-en
General
Target: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Size: 461KB
MD5: 063ff71b72736da808960ea600dd1480
SHA1: 7c431d0d97df53217645964234d38e8e5b210f16
SHA256: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512: ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c
SSDEEP: 12288:flEJ2XPju8f2DS1/4ZhUkPWpyF8ZAl5h3mMRxo:NEg7unhUHE8mhw
Malware Config
Extracted
cybergate
v1.03.0
dunderburken.no-ip.biz:82
17U1X2F2WT4L02
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: csrss.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: q16469822
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Executes dropped EXE (4 IoCs)
pid | Process
1932 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
1592 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
2052 | server.exe
2260 | server.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | explorer.exe
resource | yara_rule
behavioral1/memory/1932-77-0x0000000024010000-0x0000000024071000-memory.dmp | upx
behavioral1/memory/1932-86-0x0000000024080000-0x00000000240E1000-memory.dmp | upx
behavioral1/memory/1652-91-0x0000000024080000-0x00000000240E1000-memory.dmp | upx
behavioral1/memory/1652-94-0x0000000024080000-0x00000000240E1000-memory.dmp | upx
behavioral1/memory/1932-96-0x00000000240F0000-0x0000000024151000-memory.dmp | upx
behavioral1/memory/1932-104-0x0000000024160000-0x00000000241C1000-memory.dmp | upx
behavioral1/memory/1592-109-0x0000000024160000-0x00000000241C1000-memory.dmp | upx
behavioral1/memory/1592-121-0x0000000024160000-0x00000000241C1000-memory.dmp | upx
behavioral1/memory/1592-139-0x0000000024160000-0x00000000241C1000-memory.dmp | upx
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | server.exe
Loads dropped DLL (3 IoCs)
pid | Process
1712 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
1932 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
1592 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\install\server.exe | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
File opened for modification | C:\Windows\SysWOW64\install\server.exe | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
File opened for modification | C:\Windows\SysWOW64\install\server.exe | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
File opened for modification | C:\Windows\SysWOW64\install\ | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1712 set thread context of 1640 | 1712 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 29
PID 1712 set thread context of 1932 | 1712 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 34
PID 2052 set thread context of 2100 | 2052 | server.exe | 42
PID 2052 set thread context of 2260 | 2052 | server.exe | 45
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1712 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
1932 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
2052 | server.exe
2260 | server.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1592 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1592 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Token: SeDebugPrivilege | 1592 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
1640 | iexplore.exe
1932 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
1640 | iexplore.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1640 | iexplore.exe
1640 | iexplore.exe
1548 | IEXPLORE.EXE
1548 | IEXPLORE.EXE
1548 | IEXPLORE.EXE
1548 | IEXPLORE.EXE
1640 | iexplore.exe
1640 | iexplore.exe
2164 | IEXPLORE.EXE
2164 | IEXPLORE.EXE
2164 | IEXPLORE.EXE
2164 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Windows\Explorer.EXE (PID 1224)
   Command line: C:\Windows\Explorer.EXE
  2. C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe (PID 1712)
     Command line: "C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"
     - Drops startup file
     - Loads dropped DLL
     - Adds Run key to start application
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe (PID 1284)
       Command line: /c net stop MpsSvc
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\net.exe (PID 544)
         Command line: net stop MpsSvc
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\net1.exe (PID 1148)
           Command line: C:\Windows\system32\net1 stop MpsSvc
    3. C:\Program Files\Internet Explorer\iexplore.exe (PID 1640)
       Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
       - Modifies Internet Explorer settings
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
      4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1548)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
      4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2164)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275466 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
    3. C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe (PID 1932)
       Command line: C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
       - Adds policy Run key to start application
       - Executes dropped EXE
       - Modifies Installed Components in the registry
       - Loads dropped DLL
       - Adds Run key to start application
       - Drops file in System32 directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\explorer.exe (PID 1652)
         Command line: explorer.exe
         - Modifies Installed Components in the registry
      4. C:\Program Files\Internet Explorer\iexplore.exe (PID 1788)
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      4. C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe (PID 1592)
         Command line: "C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
        5. C:\Windows\SysWOW64\install\server.exe (PID 2052)
           Command line: "C:\Windows\system32\install\server.exe"
           - Executes dropped EXE
           - Drops startup file
           - Adds Run key to start application
           - Drops file in System32 directory
           - Suspicious use of SetThreadContext
           - Suspicious behavior: EnumeratesProcesses
          6. C:\Windows\SysWOW64\cmd.exe (PID 2088)
             Command line: /c net stop MpsSvc
            7. C:\Windows\SysWOW64\net.exe (PID 2124)
               Command line: net stop MpsSvc
              8. C:\Windows\SysWOW64\net1.exe (PID 2144)
                 Command line: C:\Windows\system32\net1 stop MpsSvc
          6. C:\Program Files\Internet Explorer\iexplore.exe (PID 2100)
             Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          6. C:\Windows\SysWOW64\install\server.exe (PID 2260)
             Command line: C:\Windows\SysWOW64\install\server.exe
             - Executes dropped EXE
             - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
Filesize: 461KB
MD5: 063ff71b72736da808960ea600dd1480
SHA1: 7c431d0d97df53217645964234d38e8e5b210f16
SHA256: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
SHA512: ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c
Filesize: 221KB
MD5: eb38fe298ebff2c3350762d8d31ea2f1
SHA1: 137f3689e670c8f6321cb0019f667873bd3a4989
SHA256: eb306b1374ec1e239104d8a638c18d76111e9b2f570d35d4c15fb028909fef8c
SHA512: f556cc5d9f4dc265dfc0a5640a725fa2b4c7e73a8a18df45d4ccd04c07040d2f51e0cae65d010d884421523fa86589afa2d7d63253a404a334c83f7cb0fa87f1
Filesize: 600B
MD5: 854b80ed7ffc6853844258a8498a96a8
SHA1: bd2230cca7f6296c504ae12e87bdb79782892143
SHA256: aa4671eaf5dd830247ab0da141d39995d5092744570ae32ff1f6cd30f3541749
SHA512: a9db7f1baa292c7deb34b245c688e91ffe1dbb7cd02295b9aeb46f52031199af27b79338da01a5866e2cd442cb2574262b6e52a98aba4ad0afbfe1ff0967210e