cybergate | 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0

Analysis

max time kernel
150s
max time network
70s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Size

1.0MB
MD5

14eddfae20b5b96a0fe968664e4153a7
SHA1

d98586ac233b15b7ab79014cf283ed600a73ca24
SHA256

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0
SHA512

0fe016993d3c44a232447338810c91f155ee1d8baa0d8490592809a6d83abc9a0c79aeb179a85015e7b87f715656e43a5a70ebf9b9481cbc287bf1bd113adc10
SSDEEP

24576:98ZS4AgrKb/+t2JjVWrobBV1eF2M+EbjotgE3yo:98vAeq/iNEbBaFfotgE

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

aymano1.no-ip.biz:80

Mutex

N7U2K68T58M6H2

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
explorer
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
29081992
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe

Executes dropped EXE 6 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeexplorer.exePRIVAT~1.EXE

pid process

892 server.exe
1964 server.exe
1768 server.exe
1932 server.exe
1828 explorer.exe
2028 PRIVAT~1.EXE

pid	process
892	server.exe
1964	server.exe
1768	server.exe
1932	server.exe
1828	explorer.exe
2028	PRIVAT~1.EXE

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}\StubPath = "C:\\Windows\\system32\\explorer\\explorer.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}\StubPath = "C:\\Windows\\system32\\explorer\\explorer.exe"	explorer.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1964-80-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1964-89-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1752-94-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1752-97-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1964-99-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1964-108-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1768-113-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1768-120-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE	upx
behavioral1/memory/2028-135-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/1768-137-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/2028-139-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

Loads dropped DLL 16 IoCs

Processes:

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exeserver.exeserver.exeserver.exeserver.exeexplorer.exePRIVAT~1.EXE

pid	process
812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
892	server.exe
892	server.exe
892	server.exe
1964	server.exe
1964	server.exe
1768	server.exe
892	server.exe
892	server.exe
1932	server.exe
1768	server.exe
1768	server.exe
1828	explorer.exe
812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
2028	PRIVAT~1.EXE

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exeserver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	server.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2028-135-0x0000000000400000-0x00000000004BE000-memory.dmp	autoit_exe
behavioral1/memory/2028-136-0x0000000000250000-0x000000000030E000-memory.dmp	autoit_exe
behavioral1/memory/2028-139-0x0000000000400000-0x00000000004BE000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

server.exeserver.exe

description	ioc	process
File created	C:\Windows\SysWOW64\explorer\explorer.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\explorer\explorer.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\explorer\explorer.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\explorer\	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exeserver.exe

pid process

1964 server.exe
1932 server.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

server.exePRIVAT~1.EXE

pid process

1768 server.exe
2028 PRIVAT~1.EXE

pid	process
1768	server.exe
2028	PRIVAT~1.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exeserver.exe

description	pid	process
Token: SeBackupPrivilege	1752	explorer.exe
Token: SeRestorePrivilege	1752	explorer.exe
Token: SeBackupPrivilege	1768	server.exe
Token: SeRestorePrivilege	1768	server.exe
Token: SeDebugPrivilege	1768	server.exe
Token: SeDebugPrivilege	1768	server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

server.exePRIVAT~1.EXE

pid	process
1964	server.exe
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

PRIVAT~1.EXE

pid	process
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE
2028	PRIVAT~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exeserver.exeserver.exe

description	pid	process	target process
PID 812 wrote to memory of 892	812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 812 wrote to memory of 892	812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 812 wrote to memory of 892	812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 812 wrote to memory of 892	812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 812 wrote to memory of 892	812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 812 wrote to memory of 892	812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 812 wrote to memory of 892	812	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 892 wrote to memory of 1964	892	server.exe	server.exe
PID 892 wrote to memory of 1964	892	server.exe	server.exe
PID 892 wrote to memory of 1964	892	server.exe	server.exe
PID 892 wrote to memory of 1964	892	server.exe	server.exe
PID 892 wrote to memory of 1964	892	server.exe	server.exe
PID 892 wrote to memory of 1964	892	server.exe	server.exe
PID 892 wrote to memory of 1964	892	server.exe	server.exe
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE
PID 1964 wrote to memory of 1300	1964	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
"C:\Users\Admin\AppData\Local\Temp\1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\explorer\explorer.exe
"C:\Windows\system32\explorer\explorer.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
63ba459dd610a46b9aa84b83e5c5cbf5

SHA1
4bd1ee1ed890351f782f631a3ea462fa04b11d42

SHA256
3fa78ab9a34ad2a5b8354f684efc96bf521c1effd0889825b9acd544f4bde24e

SHA512
af876d79f159c777a0d015fe323e33ba3d999fa13a2aaebe88ca5687dbf3e41e8c85c2755f1764513a465e356c16eb9cb445b167b3966f07d39e020af86cd48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
Filesize
395KB

MD5
92625a93f83e119ccbedcd4dc7b00092

SHA1
5ec94dc7e8c984339a89cc9ad9bd3caa69a5a685

SHA256
7f1ea4a91d7dd677cdaad38af306bfb0496996c2cc461fb436039bd2a19a0a02

SHA512
151f236bc3942869c990b2b9d813a25d4df4570d83f480da02bcb05b53f6deafbc97846b62d58190a387b8f7d77ad396ddd35b6188c7abb0e5279119de33cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
Filesize
395KB

MD5
92625a93f83e119ccbedcd4dc7b00092

SHA1
5ec94dc7e8c984339a89cc9ad9bd3caa69a5a685

SHA256
7f1ea4a91d7dd677cdaad38af306bfb0496996c2cc461fb436039bd2a19a0a02

SHA512
151f236bc3942869c990b2b9d813a25d4df4570d83f480da02bcb05b53f6deafbc97846b62d58190a387b8f7d77ad396ddd35b6188c7abb0e5279119de33cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
573KB

MD5
f80f8a02e7741aad914729299b61f3e1

SHA1
3657c2dbeeee5350ce78283eff406dcdb4fc5b9a

SHA256
ae4a0c1dc447cc08196068a1900b8a916e79b77d8d603877a589078f46083b4d

SHA512
8c75de404800bf3ecfba5ff7e3d04adb89f3df7ff93acd44a91203e6087519466e9a92e720d713bd89e226e856ae3e720d5b9e596c86df2af62f3b5f3b092156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
573KB

MD5
f80f8a02e7741aad914729299b61f3e1

SHA1
3657c2dbeeee5350ce78283eff406dcdb4fc5b9a

SHA256
ae4a0c1dc447cc08196068a1900b8a916e79b77d8d603877a589078f46083b4d

SHA512
8c75de404800bf3ecfba5ff7e3d04adb89f3df7ff93acd44a91203e6087519466e9a92e720d713bd89e226e856ae3e720d5b9e596c86df2af62f3b5f3b092156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Windows\SysWOW64\explorer\explorer.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Windows\SysWOW64\explorer\explorer.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
Filesize
395KB

MD5
92625a93f83e119ccbedcd4dc7b00092

SHA1
5ec94dc7e8c984339a89cc9ad9bd3caa69a5a685

SHA256
7f1ea4a91d7dd677cdaad38af306bfb0496996c2cc461fb436039bd2a19a0a02

SHA512
151f236bc3942869c990b2b9d813a25d4df4570d83f480da02bcb05b53f6deafbc97846b62d58190a387b8f7d77ad396ddd35b6188c7abb0e5279119de33cd35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
Filesize
395KB

MD5
92625a93f83e119ccbedcd4dc7b00092

SHA1
5ec94dc7e8c984339a89cc9ad9bd3caa69a5a685

SHA256
7f1ea4a91d7dd677cdaad38af306bfb0496996c2cc461fb436039bd2a19a0a02

SHA512
151f236bc3942869c990b2b9d813a25d4df4570d83f480da02bcb05b53f6deafbc97846b62d58190a387b8f7d77ad396ddd35b6188c7abb0e5279119de33cd35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
573KB

MD5
f80f8a02e7741aad914729299b61f3e1

SHA1
3657c2dbeeee5350ce78283eff406dcdb4fc5b9a

SHA256
ae4a0c1dc447cc08196068a1900b8a916e79b77d8d603877a589078f46083b4d

SHA512
8c75de404800bf3ecfba5ff7e3d04adb89f3df7ff93acd44a91203e6087519466e9a92e720d713bd89e226e856ae3e720d5b9e596c86df2af62f3b5f3b092156

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
573KB

MD5
f80f8a02e7741aad914729299b61f3e1

SHA1
3657c2dbeeee5350ce78283eff406dcdb4fc5b9a

SHA256
ae4a0c1dc447cc08196068a1900b8a916e79b77d8d603877a589078f46083b4d

SHA512
8c75de404800bf3ecfba5ff7e3d04adb89f3df7ff93acd44a91203e6087519466e9a92e720d713bd89e226e856ae3e720d5b9e596c86df2af62f3b5f3b092156

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
573KB

MD5
f80f8a02e7741aad914729299b61f3e1

SHA1
3657c2dbeeee5350ce78283eff406dcdb4fc5b9a

SHA256
ae4a0c1dc447cc08196068a1900b8a916e79b77d8d603877a589078f46083b4d

SHA512
8c75de404800bf3ecfba5ff7e3d04adb89f3df7ff93acd44a91203e6087519466e9a92e720d713bd89e226e856ae3e720d5b9e596c86df2af62f3b5f3b092156

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Windows\SysWOW64\explorer\explorer.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Windows\SysWOW64\explorer\explorer.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
\Windows\SysWOW64\explorer\explorer.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
memory/812-134-0x0000000000CA0000-0x0000000000D5E000-memory.dmp

Filesize
760KB

Download
memory/812-138-0x0000000000CA0000-0x0000000000D5E000-memory.dmp

Filesize
760KB

Download
memory/812-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/892-71-0x0000000000180000-0x0000000000184000-memory.dmp

Filesize
16KB

Download
memory/892-75-0x0000000000B10000-0x0000000000C10000-memory.dmp

Filesize
1024KB

Download
memory/892-73-0x00000000008C1000-0x00000000008C5000-memory.dmp

Filesize
16KB

Download
memory/892-57-0x0000000000000000-mapping.dmp

Download
memory/892-62-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/892-78-0x0000000000CC1000-0x0000000000CC5000-memory.dmp

Filesize
16KB

Download
memory/892-77-0x0000000000DD0000-0x0000000000ED0000-memory.dmp

Filesize
1024KB

Download
memory/892-70-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/892-76-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

Filesize
1024KB

Download
memory/892-74-0x0000000000941000-0x0000000000945000-memory.dmp

Filesize
16KB

Download
memory/892-127-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/892-72-0x00000000001A0000-0x000000000022F000-memory.dmp

Filesize
572KB

Download
memory/1300-83-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1752-86-0x0000000000000000-mapping.dmp

Download
memory/1752-97-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1752-88-0x0000000073F51000-0x0000000073F53000-memory.dmp

Filesize
8KB

Download
memory/1752-94-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1768-120-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1768-137-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1768-113-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1768-104-0x0000000000000000-mapping.dmp

Download
memory/1828-123-0x0000000000000000-mapping.dmp

Download
memory/1932-116-0x0000000000000000-mapping.dmp

Download
memory/1964-108-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1964-65-0x0000000000000000-mapping.dmp

Download
memory/1964-80-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1964-99-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1964-89-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2028-129-0x0000000000000000-mapping.dmp

Download
memory/2028-136-0x0000000000250000-0x000000000030E000-memory.dmp

Filesize
760KB

Download
memory/2028-135-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2028-139-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2028-140-0x0000000000250000-0x000000000030E000-memory.dmp

Filesize
760KB

Download