Analysis

- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2022, 09:07

Static task: static1

Behavioral task: behavioral1
- Sample: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
- Resource: win10v2004-20220901-en
General

- Target: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
- Size: 461KB
- MD5: 063ff71b72736da808960ea600dd1480
- SHA1: 7c431d0d97df53217645964234d38e8e5b210f16
- SHA256: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
- SHA512: ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c
- SSDEEP: 12288:flEJ2XPju8f2DS1/4ZhUkPWpyF8ZAl5h3mMRxo:NEg7unhUHE8mhw
Malware Config

Extracted: cybergate v1.03.0

- C2: dunderburken.no-ip.biz:82
- 17U1X2F2WT4L02
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: csrss.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: q16469822
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |

Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 2196 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 2288 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 4700 | server.exe |
| 1112 | server.exe |

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31} | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{I14005H2-K3FL-FLBP-8W0D-I82YVGQN2V31}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |

yara_rule matches

| resource | yara_rule |
|---|---|
| behavioral2/memory/2196-143-0x0000000024010000-0x0000000024071000-memory.dmp | upx |
| behavioral2/memory/2196-148-0x0000000024080000-0x00000000240E1000-memory.dmp | upx |
| behavioral2/memory/2924-151-0x0000000024080000-0x00000000240E1000-memory.dmp | upx |
| behavioral2/memory/2924-152-0x0000000024080000-0x00000000240E1000-memory.dmp | upx |
| behavioral2/memory/2196-156-0x00000000240F0000-0x0000000024151000-memory.dmp | upx |
| behavioral2/memory/2196-162-0x0000000024160000-0x00000000241C1000-memory.dmp | upx |
| behavioral2/memory/2288-165-0x0000000024160000-0x00000000241C1000-memory.dmp | upx |
| behavioral2/memory/2288-167-0x0000000024160000-0x00000000241C1000-memory.dmp | upx |
| behavioral2/memory/2924-183-0x0000000024080000-0x00000000240E1000-memory.dmp | upx |
| behavioral2/memory/2288-184-0x0000000024160000-0x00000000241C1000-memory.dmp | upx |

Checks computer location settings (2 TTPs, 1 IoCs)

Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |

Drops startup file (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | server.exe |

Adds Run key to start application (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | server.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | server.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe" | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |

Drops file in System32 directory (5 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\install\ | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | server.exe |
| File created | C:\Windows\SysWOW64\install\server.exe | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |

Suspicious use of SetThreadContext (4 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4800 set thread context of 3464 | 4800 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 81 |
| PID 4800 set thread context of 2196 | 4800 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 86 |
| PID 4700 set thread context of 4248 | 4700 | server.exe | 92 |
| PID 4700 set thread context of 1112 | 4700 | server.exe | 97 |

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |

Runs net.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)

| pid | Process |
|---|---|
| 4800 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 4800 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 2196 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 2196 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 4700 | server.exe |
| 4700 | server.exe |
| 1112 | server.exe |
| 1112 | server.exe |

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 2288 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 3464 | iexplore.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2288 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| Token: SeDebugPrivilege | 2288 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |

Suspicious use of FindShellTrayWindow (3 IoCs)

| pid | Process |
|---|---|
| 3464 | iexplore.exe |
| 2196 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe |
| 3464 | iexplore.exe |

Suspicious use of SetWindowsHookEx (10 IoCs)

| pid | Process |
|---|---|
| 3464 | iexplore.exe |
| 3464 | iexplore.exe |
| 1104 | IEXPLORE.EXE |
| 1104 | IEXPLORE.EXE |
| 3464 | iexplore.exe |
| 3464 | iexplore.exe |
| 1664 | IEXPLORE.EXE |
| 1664 | IEXPLORE.EXE |
| 1664 | IEXPLORE.EXE |
| 1664 | IEXPLORE.EXE |

Suspicious use of WriteProcessMemory (64 IoCs)
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4800 wrote to memory of 4580 | 4800 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 80 |
| PID 4800 wrote to memory of 3464 | 4800 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 81 |
| PID 4580 wrote to memory of 4980 | 4580 | cmd.exe | 83 |
| PID 4980 wrote to memory of 4900 | 4980 | net.exe | 84 |
| PID 3464 wrote to memory of 1104 | 3464 | iexplore.exe | 85 |
| PID 4800 wrote to memory of 2196 | 4800 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 86 |
| PID 2196 wrote to memory of 2736 | 2196 | 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe | 56 |
Processes

- C:\Windows\Explorer.EXE (PID 2736)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe (PID 4800)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"
    Signatures: Drops startup file; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4580)
      Command line: /c net stop MpsSvc
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4980)
        Command line: net stop MpsSvc
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4900)
          Command line: C:\Windows\system32\net1 stop MpsSvc
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 3464)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      Signatures: Modifies Internet Explorer settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1104)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17410 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1664)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3464 CREDAT:17414 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe (PID 2196)
      Command line: C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
      Signatures: Adds policy Run key to start application; Executes dropped EXE; Modifies Installed Components in the registry; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 2924)
        Command line: explorer.exe
        Signatures: Modifies Installed Components in the registry
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 4180)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe (PID 2288)
        Command line: "C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe"
        Signatures: Executes dropped EXE; Checks computer location settings; Drops file in System32 directory; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\install\server.exe (PID 4700)
          Command line: "C:\Windows\system32\install\server.exe"
          Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
          - C:\Windows\SysWOW64\cmd.exe (PID 4588)
            Command line: /c net stop MpsSvc
            - C:\Windows\SysWOW64\net.exe (PID 4724)
              Command line: net stop MpsSvc
              - C:\Windows\SysWOW64\net1.exe (PID 3604)
                Command line: C:\Windows\system32\net1 stop MpsSvc
          - C:\Program Files\Internet Explorer\iexplore.exe (PID 4248)
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            Signatures: Modifies Internet Explorer settings
          - C:\Windows\SysWOW64\install\server.exe (PID 1112)
            Command line: C:\Windows\SysWOW64\install\server.exe
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 2d2178c4ba2e01df79b6e787caecd70e
  SHA1: 32feba9571993a2bdccc68d6de1bdd68f82cfbf8
  SHA256: ba9dee61d1e95e7b33bdf223da96a8348a890459853c5437cd7981520d43849d
  SHA512: 23d8a224158a47ed813aa0ffec86f915fe28eaed3612f0e93be64bef5bfe08044730a550a3b7546e131fc3810c39defd6602ef30ed2f058336b8e7c5b5cd238c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: a3856e64a40b8abd16376b0207dccb3a
  SHA1: 826d958b19f7ffabec3f191ac46aa9dbe1e46af5
  SHA256: aac5cff7c8300b756c1716ee6932671eaa38fbf9a60034342c16039225d40f01
  SHA512: 8841ba0aac78b4fa36bbb875683bd1d8cf52beb306ff67c1840c727452f139326b0f9c90b43524fd9d336d7e2eccb2e5316e3dad91dbc9fb6cd7917d3b160b2e

- C:\Users\Admin\AppData\Local\Temp\4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833.exe
  Filesize: 461KB
  MD5: 063ff71b72736da808960ea600dd1480
  SHA1: 7c431d0d97df53217645964234d38e8e5b210f16
  SHA256: 4185a8ba8d66c11aa83da5d388f033e82f3aeed64dbf5e63b363a38394a01833
  SHA512: ba08d2c3c5756c7b623eb64e834587ebd63d8ea6669e82474401a20c0f4e5bfc95f4d28b590274bd6e517b07b283b1e49f06a0dff59761e86d3c9a727abba32c
- Filesize: 221KB
  MD5: eb38fe298ebff2c3350762d8d31ea2f1
  SHA1: 137f3689e670c8f6321cb0019f667873bd3a4989
  SHA256: eb306b1374ec1e239104d8a638c18d76111e9b2f570d35d4c15fb028909fef8c
  SHA512: f556cc5d9f4dc265dfc0a5640a725fa2b4c7e73a8a18df45d4ccd04c07040d2f51e0cae65d010d884421523fa86589afa2d7d63253a404a334c83f7cb0fa87f1