cybergate | 1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0

Analysis

max time kernel
21s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2022 09:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Size

1.0MB
MD5

14eddfae20b5b96a0fe968664e4153a7
SHA1

d98586ac233b15b7ab79014cf283ed600a73ca24
SHA256

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0
SHA512

0fe016993d3c44a232447338810c91f155ee1d8baa0d8490592809a6d83abc9a0c79aeb179a85015e7b87f715656e43a5a70ebf9b9481cbc287bf1bd113adc10
SSDEEP

24576:98ZS4AgrKb/+t2JjVWrobBV1eF2M+EbjotgE3yo:98vAeq/iNEbBaFfotgE

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

aymano1.no-ip.biz:80

Mutex

N7U2K68T58M6H2

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
explorer
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
29081992
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe

Executes dropped EXE 6 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeexplorer.exePRIVAT~1.EXE

pid process

1824 server.exe
2528 server.exe
2424 server.exe
2320 server.exe
4396 explorer.exe
3628 PRIVAT~1.EXE

pid	process
1824	server.exe
2528	server.exe
2424	server.exe
2320	server.exe
4396	explorer.exe
3628	PRIVAT~1.EXE

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}\StubPath = "C:\\Windows\\system32\\explorer\\explorer.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8XJ0NH5N-E746-N7L1-B761-5GXFO82OUJKX}\StubPath = "C:\\Windows\\system32\\explorer\\explorer.exe"	explorer.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2528-143-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2528-148-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1932-151-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1932-154-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2528-156-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/2528-162-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2424-165-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2424-168-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE	upx
behavioral2/memory/3628-178-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral2/memory/2424-180-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

server.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation server.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	server.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exeserver.exeserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\explorer\\explorer.exe"	server.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe

Drops file in System32 directory 4 IoCs

Processes:

server.exeserver.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer\explorer.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\explorer\	server.exe
File created	C:\Windows\SysWOW64\explorer\explorer.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\explorer\explorer.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4064 4396 WerFault.exe explorer.exe

pid	pid_target	process	target process
4064	4396	WerFault.exe	explorer.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

server.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ server.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

server.exeserver.exe

pid process

2528 server.exe
2528 server.exe
2320 server.exe
2320 server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

2424 server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	server.exe

pid	process
2528	server.exe
2528	server.exe
2320	server.exe
2320	server.exe

pid	process
2424	server.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

explorer.exeserver.exeserver.exe

description	pid	process
Token: SeBackupPrivilege	1932	explorer.exe
Token: SeRestorePrivilege	1932	explorer.exe
Token: SeBackupPrivilege	2424	server.exe
Token: SeRestorePrivilege	2424	server.exe
Token: SeDebugPrivilege	2424	server.exe
Token: SeDebugPrivilege	2424	server.exe
Token: SeShutdownPrivilege	1824	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

server.exe

pid process

2528 server.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2376 LogonUI.exe

pid	process
2528	server.exe

pid	process
2376	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exeserver.exeserver.exe

description	pid	process	target process
PID 544 wrote to memory of 1824	544	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 544 wrote to memory of 1824	544	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 544 wrote to memory of 1824	544	1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe	server.exe
PID 1824 wrote to memory of 2528	1824	server.exe	server.exe
PID 1824 wrote to memory of 2528	1824	server.exe	server.exe
PID 1824 wrote to memory of 2528	1824	server.exe	server.exe
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE
PID 2528 wrote to memory of 2692	2528	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe
"C:\Users\Admin\AppData\Local\Temp\1ed55da167d07274ebeaa07ee40c9b02a0b38b211df80a758d88245ef2b9e0e0.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\SysWOW64\explorer\explorer.exe
"C:\Windows\system32\explorer\explorer.exe"
6⤵
- Executes dropped EXE
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 576
7⤵
- Program crash
PID:4064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
3⤵
- Executes dropped EXE
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4396 -ip 4396
1⤵
PID:3792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d1055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
63ba459dd610a46b9aa84b83e5c5cbf5

SHA1
4bd1ee1ed890351f782f631a3ea462fa04b11d42

SHA256
3fa78ab9a34ad2a5b8354f684efc96bf521c1effd0889825b9acd544f4bde24e

SHA512
af876d79f159c777a0d015fe323e33ba3d999fa13a2aaebe88ca5687dbf3e41e8c85c2755f1764513a465e356c16eb9cb445b167b3966f07d39e020af86cd48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
Filesize
395KB

MD5
92625a93f83e119ccbedcd4dc7b00092

SHA1
5ec94dc7e8c984339a89cc9ad9bd3caa69a5a685

SHA256
7f1ea4a91d7dd677cdaad38af306bfb0496996c2cc461fb436039bd2a19a0a02

SHA512
151f236bc3942869c990b2b9d813a25d4df4570d83f480da02bcb05b53f6deafbc97846b62d58190a387b8f7d77ad396ddd35b6188c7abb0e5279119de33cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PRIVAT~1.EXE
Filesize
395KB

MD5
92625a93f83e119ccbedcd4dc7b00092

SHA1
5ec94dc7e8c984339a89cc9ad9bd3caa69a5a685

SHA256
7f1ea4a91d7dd677cdaad38af306bfb0496996c2cc461fb436039bd2a19a0a02

SHA512
151f236bc3942869c990b2b9d813a25d4df4570d83f480da02bcb05b53f6deafbc97846b62d58190a387b8f7d77ad396ddd35b6188c7abb0e5279119de33cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
573KB

MD5
f80f8a02e7741aad914729299b61f3e1

SHA1
3657c2dbeeee5350ce78283eff406dcdb4fc5b9a

SHA256
ae4a0c1dc447cc08196068a1900b8a916e79b77d8d603877a589078f46083b4d

SHA512
8c75de404800bf3ecfba5ff7e3d04adb89f3df7ff93acd44a91203e6087519466e9a92e720d713bd89e226e856ae3e720d5b9e596c86df2af62f3b5f3b092156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
573KB

MD5
f80f8a02e7741aad914729299b61f3e1

SHA1
3657c2dbeeee5350ce78283eff406dcdb4fc5b9a

SHA256
ae4a0c1dc447cc08196068a1900b8a916e79b77d8d603877a589078f46083b4d

SHA512
8c75de404800bf3ecfba5ff7e3d04adb89f3df7ff93acd44a91203e6087519466e9a92e720d713bd89e226e856ae3e720d5b9e596c86df2af62f3b5f3b092156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe-up.txt
Filesize
12KB

MD5
4532e950ddd7dbdd75ab16b545e094b9

SHA1
ca06319ca59d0ae17ebc2a5c09e7cc9d477a06eb

SHA256
fb3209f22936748a4b1809fde0aa72c99bbe6fd636ad47f26d62fce157c30cb9

SHA512
1b670e30bc8330036b646fb24276f8e8da29657ac73260825679ee08af7f9ab5e708047e9ce12dd56bba7904a330a43b26ca2add7d71cc086332031407bf7070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\server.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Windows\SysWOW64\explorer\explorer.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
C:\Windows\SysWOW64\explorer\explorer.exe
Filesize
296KB

MD5
b2b27a7f99822dc6277b57da71c9e9de

SHA1
c696a83bc4a1bea6650305fd00583aca2b2ef529

SHA256
f8c1129ad046014a0faf1580207ccf68f0c76ad7741a961e1f93a916e1f072cf

SHA512
8a00d993518e71cf0a2838aca8401f0517dd24ae72fb30218592645bb7ddaf243aeff29f7fb8edeaaee850665655188c2920581922eee37d297c0bab05bdceed

Download Submit
memory/1824-171-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/1824-140-0x0000000000500000-0x0000000000504000-memory.dmp

Filesize
16KB

Download
memory/1824-135-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/1824-174-0x0000000000A00000-0x0000000000A39000-memory.dmp

Filesize
228KB

Download
memory/1824-173-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/1824-172-0x0000000000A00000-0x0000000000A39000-memory.dmp

Filesize
228KB

Download
memory/1824-139-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/1824-141-0x0000000000A00000-0x0000000000A39000-memory.dmp

Filesize
228KB

Download
memory/1824-132-0x0000000000000000-mapping.dmp

Download
memory/1932-147-0x0000000000000000-mapping.dmp

Download
memory/1932-154-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1932-151-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2320-166-0x0000000000000000-mapping.dmp

Download
memory/2424-180-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2424-168-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2424-165-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2424-160-0x0000000000000000-mapping.dmp

Download
memory/2528-162-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2528-143-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2528-156-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2528-136-0x0000000000000000-mapping.dmp

Download
memory/2528-148-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3628-175-0x0000000000000000-mapping.dmp

Download
memory/3628-178-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4396-169-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads