cybergate | 918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59

Analysis

max time kernel
174s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
Size

1.3MB
MD5

5b4676c83b81c115e4213863027a8cd8
SHA1

c6ce3d2675c4fb5e160976ed0c1ee0ac7fdfda15
SHA256

918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59
SHA512

5799829fe0fc921fa91f93573d5ddfb155ab04541260a3b864e9cc68dc6512c1fe348f844cac6db09e5666efcb540efb1a3f65d93677aedbade888196d87261d
SSDEEP

24576:PHwF8vrx52t07FQaWZ1xuVVjfFoynPaVBUR8f+kN10EBCvzR:PQF8vrYaKamQDgok30/bR

Score

10^/10

cybergate darkcomet guest16 remote evasion persistence rat stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

big_hacker.no-ip.biz:76

Mutex

DC_MUTEX-6MQJ6G6

Attributes

InstallPath
SYS32\sys32.exe
gencode
V9HSzMovyRBL
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

miecrosoft.servehttp.com:81

bighacker.no-ip.biz:99

Mutex

BD8K6YUOG4TT2Q

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
nividia
install_file
nividia
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

fierfox.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\SYS32\\sys32.exe"	fierfox.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

sys32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	sys32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	sys32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	sys32.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

sys32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" sys32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	sys32.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sys32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sys32.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

sys32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	sys32.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 5 IoCs

Processes:

vbscrypter.exeWindowsAppl.exefierfox.exechrome.exesys32.exe

pid process

4220 vbscrypter.exe
3756 WindowsAppl.exe
4884 fierfox.exe
1280 chrome.exe
4268 sys32.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1420 attrib.exe
3444 attrib.exe

pid	process
4220	vbscrypter.exe
3756	WindowsAppl.exe
4884	fierfox.exe
1280	chrome.exe
4268	sys32.exe

pid	process
1420	attrib.exe
3444	attrib.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1280-162-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/1280-168-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/2092-171-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/2092-174-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/1280-177-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/4336-180-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/4336-181-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/4336-182-0x00000000104F0000-0x0000000010560000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fierfox.exe918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exeWindowsAppl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	fierfox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WindowsAppl.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sys32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sys32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fierfox.exesys32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\SYS32\\sys32.exe"	fierfox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\SYS32\\sys32.exe"	sys32.exe

Drops file in System32 directory 3 IoCs

Processes:

fierfox.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SYS32\	fierfox.exe
File created	C:\Windows\SysWOW64\SYS32\sys32.exe	fierfox.exe
File opened for modification	C:\Windows\SysWOW64\SYS32\sys32.exe	fierfox.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\nividia\nividia	explorer.exe
File opened for modification	C:\Windows\nividia\	explorer.exe
File created	C:\Windows\nividia\nividia	chrome.exe
File opened for modification	C:\Windows\nividia\nividia	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

OpenWith.exefierfox.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fierfox.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1280 chrome.exe
1280 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sys32.exe

pid process

4268 sys32.exe

pid	process
1280	chrome.exe
1280	chrome.exe

pid	process
4268	sys32.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

fierfox.exesys32.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4884	fierfox.exe
Token: SeSecurityPrivilege	4884	fierfox.exe
Token: SeTakeOwnershipPrivilege	4884	fierfox.exe
Token: SeLoadDriverPrivilege	4884	fierfox.exe
Token: SeSystemProfilePrivilege	4884	fierfox.exe
Token: SeSystemtimePrivilege	4884	fierfox.exe
Token: SeProfSingleProcessPrivilege	4884	fierfox.exe
Token: SeIncBasePriorityPrivilege	4884	fierfox.exe
Token: SeCreatePagefilePrivilege	4884	fierfox.exe
Token: SeBackupPrivilege	4884	fierfox.exe
Token: SeRestorePrivilege	4884	fierfox.exe
Token: SeShutdownPrivilege	4884	fierfox.exe
Token: SeDebugPrivilege	4884	fierfox.exe
Token: SeSystemEnvironmentPrivilege	4884	fierfox.exe
Token: SeChangeNotifyPrivilege	4884	fierfox.exe
Token: SeRemoteShutdownPrivilege	4884	fierfox.exe
Token: SeUndockPrivilege	4884	fierfox.exe
Token: SeManageVolumePrivilege	4884	fierfox.exe
Token: SeImpersonatePrivilege	4884	fierfox.exe
Token: SeCreateGlobalPrivilege	4884	fierfox.exe
Token: 33	4884	fierfox.exe
Token: 34	4884	fierfox.exe
Token: 35	4884	fierfox.exe
Token: 36	4884	fierfox.exe
Token: SeIncreaseQuotaPrivilege	4268	sys32.exe
Token: SeSecurityPrivilege	4268	sys32.exe
Token: SeTakeOwnershipPrivilege	4268	sys32.exe
Token: SeLoadDriverPrivilege	4268	sys32.exe
Token: SeSystemProfilePrivilege	4268	sys32.exe
Token: SeSystemtimePrivilege	4268	sys32.exe
Token: SeProfSingleProcessPrivilege	4268	sys32.exe
Token: SeIncBasePriorityPrivilege	4268	sys32.exe
Token: SeCreatePagefilePrivilege	4268	sys32.exe
Token: SeBackupPrivilege	4268	sys32.exe
Token: SeRestorePrivilege	4268	sys32.exe
Token: SeShutdownPrivilege	4268	sys32.exe
Token: SeDebugPrivilege	4268	sys32.exe
Token: SeSystemEnvironmentPrivilege	4268	sys32.exe
Token: SeChangeNotifyPrivilege	4268	sys32.exe
Token: SeRemoteShutdownPrivilege	4268	sys32.exe
Token: SeUndockPrivilege	4268	sys32.exe
Token: SeManageVolumePrivilege	4268	sys32.exe
Token: SeImpersonatePrivilege	4268	sys32.exe
Token: SeCreateGlobalPrivilege	4268	sys32.exe
Token: 33	4268	sys32.exe
Token: 34	4268	sys32.exe
Token: 35	4268	sys32.exe
Token: 36	4268	sys32.exe
Token: SeDebugPrivilege	4336	explorer.exe
Token: SeDebugPrivilege	4336	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

chrome.exe

pid process

1280 chrome.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

vbscrypter.exesys32.exeOpenWith.exe

pid process

4220 vbscrypter.exe
4268 sys32.exe
3000 OpenWith.exe

pid	process
1280	chrome.exe

pid	process
4220	vbscrypter.exe
4268	sys32.exe
3000	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exeWindowsAppl.exefierfox.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 2076 wrote to memory of 4220	2076	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	vbscrypter.exe
PID 2076 wrote to memory of 4220	2076	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	vbscrypter.exe
PID 2076 wrote to memory of 4220	2076	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	vbscrypter.exe
PID 2076 wrote to memory of 3756	2076	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	WindowsAppl.exe
PID 2076 wrote to memory of 3756	2076	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	WindowsAppl.exe
PID 2076 wrote to memory of 3756	2076	918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe	WindowsAppl.exe
PID 3756 wrote to memory of 4884	3756	WindowsAppl.exe	fierfox.exe
PID 3756 wrote to memory of 4884	3756	WindowsAppl.exe	fierfox.exe
PID 3756 wrote to memory of 4884	3756	WindowsAppl.exe	fierfox.exe
PID 3756 wrote to memory of 1280	3756	WindowsAppl.exe	chrome.exe
PID 3756 wrote to memory of 1280	3756	WindowsAppl.exe	chrome.exe
PID 3756 wrote to memory of 1280	3756	WindowsAppl.exe	chrome.exe
PID 4884 wrote to memory of 4656	4884	fierfox.exe	cmd.exe
PID 4884 wrote to memory of 4656	4884	fierfox.exe	cmd.exe
PID 4884 wrote to memory of 4656	4884	fierfox.exe	cmd.exe
PID 4884 wrote to memory of 2136	4884	fierfox.exe	cmd.exe
PID 4884 wrote to memory of 2136	4884	fierfox.exe	cmd.exe
PID 4884 wrote to memory of 2136	4884	fierfox.exe	cmd.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4884 wrote to memory of 360	4884	fierfox.exe	notepad.exe
PID 4656 wrote to memory of 1420	4656	cmd.exe	attrib.exe
PID 4656 wrote to memory of 1420	4656	cmd.exe	attrib.exe
PID 4656 wrote to memory of 1420	4656	cmd.exe	attrib.exe
PID 2136 wrote to memory of 3444	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 3444	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 3444	2136	cmd.exe	attrib.exe
PID 4884 wrote to memory of 4268	4884	fierfox.exe	sys32.exe
PID 4884 wrote to memory of 4268	4884	fierfox.exe	sys32.exe
PID 4884 wrote to memory of 4268	4884	fierfox.exe	sys32.exe
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE
PID 1280 wrote to memory of 2080	1280	chrome.exe	Explorer.EXE

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

sys32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	sys32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	sys32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	sys32.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1420 attrib.exe
3444 attrib.exe

pid	process
1420	attrib.exe
3444	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
"C:\Users\Admin\AppData\Local\Temp\918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\vbscrypter.exe
"C:\Users\Admin\AppData\Local\Temp\vbscrypter.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\fierfox.exe
"C:\Users\Admin\AppData\Local\Temp\fierfox.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\fierfox.exe" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\fierfox.exe" +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3444

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:360

C:\Windows\SysWOW64\SYS32\sys32.exe
"C:\Windows\system32\SYS32\sys32.exe"
5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4268

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
PID:2092

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
03d55ecd6eb57a1de0d261ab7ee41460

SHA1
eeb888ef8ef6800415cbb302256c99610e56300d

SHA256
5aa449ee4c92b0312d3bd089972221eac72494a3e3573f70b979ef8cae1709fc

SHA512
0d8bae16676154d53064154bc9d8328f87c8681cd68fe9944bb240675ad32a079b8d061860a22f497a4c0536e5a7baaec68de299e013397d7da6e49ae945a52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe

Filesize
1.2MB

MD5
ec2436cd141afa1fb1a976b12d98a17c

SHA1
eeda63b952abf0ff06199d56f6ca36c240672eaf

SHA256
d4253b5d58810e94776eb97a578fd08f93e3460bd46e0f2989cc547a7a2fa438

SHA512
8b500deb12ed76ca69725de19dccb822a2456ab18f5e6b5b50ea2f0a0a32ec5429b3345845a81bdb7b88e2e6c66cf8826c8d521139173900eb4234228fda0991

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsAppl.exe

Filesize
1.2MB

MD5
ec2436cd141afa1fb1a976b12d98a17c

SHA1
eeda63b952abf0ff06199d56f6ca36c240672eaf

SHA256
d4253b5d58810e94776eb97a578fd08f93e3460bd46e0f2989cc547a7a2fa438

SHA512
8b500deb12ed76ca69725de19dccb822a2456ab18f5e6b5b50ea2f0a0a32ec5429b3345845a81bdb7b88e2e6c66cf8826c8d521139173900eb4234228fda0991

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\fierfox.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Users\Admin\AppData\Local\Temp\fierfox.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbscrypter.exe

Filesize
76KB

MD5
0618322a26c6c68013ea3f725c0f7a9e

SHA1
fbe56f43c0038b5471a41a082342326bd7858e8b

SHA256
2ae474ec4240e9b148ba065a9fa8c35183091753607d14de357c11f445c3f7cb

SHA512
117040e3c16d2ea60b75c843480c79e5821f3933a63ae2de518b5d6e302c6f71d0420167c7be902dab8e24b3e9d541d53ff6d5728f6af93066f005ab09ebdc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbscrypter.exe

Filesize
76KB

MD5
0618322a26c6c68013ea3f725c0f7a9e

SHA1
fbe56f43c0038b5471a41a082342326bd7858e8b

SHA256
2ae474ec4240e9b148ba065a9fa8c35183091753607d14de357c11f445c3f7cb

SHA512
117040e3c16d2ea60b75c843480c79e5821f3933a63ae2de518b5d6e302c6f71d0420167c7be902dab8e24b3e9d541d53ff6d5728f6af93066f005ab09ebdc5b

Download Submit
C:\Windows\SysWOW64\SYS32\sys32.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Windows\SysWOW64\SYS32\sys32.exe

Filesize
756KB

MD5
11a4ea02e9db2d59618022a89e7d4863

SHA1
b9bdc077d33f7b445c6b5c94913be96943fd0471

SHA256
f139f9a6b690c47787a94aea90464ddb14a97c92a99a4e280aa9236e3356a438

SHA512
98e9ef6a6b311784c3cd8f45b2b05920821324fa6df99f959627f6a03a8648b69ad7e5cc99619008ab51aa54e0f62a8fec4410657abce2d5ee9ca58e0a62a948

Download Submit
C:\Windows\nividia\nividia

Filesize
428KB

MD5
eebc420cdfa5e8a6b663d7032adbe569

SHA1
64e9b38db2eaed74df3f7d975e550594df7b1da6

SHA256
bb7dc63ad0715b29d4bf954cc5109481fbe8a70215d6b823c45a93db715eafa1

SHA512
07ecd024c7f30a986bff8ae873cb56034df4c387494acce991db7455e184440aa721e388331a4577a8b6a91e17fa4a8d95467b26bee9af6fc1a27e30b16edcce

Download Submit
memory/360-155-0x0000000000000000-mapping.dmp

Download
memory/1280-168-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1280-150-0x0000000000000000-mapping.dmp

Download
memory/1280-177-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1280-162-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1420-156-0x0000000000000000-mapping.dmp

Download
memory/2076-134-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/2076-136-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/2076-133-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/2076-137-0x00000000059E0000-0x0000000005A36000-memory.dmp

Filesize
344KB

Download
memory/2076-132-0x0000000000D80000-0x0000000000ED2000-memory.dmp

Filesize
1.3MB

Download
memory/2076-135-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/2092-174-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/2092-167-0x0000000000000000-mapping.dmp

Download
memory/2092-171-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/2136-154-0x0000000000000000-mapping.dmp

Download
memory/3336-165-0x0000000000000000-mapping.dmp

Download
memory/3444-157-0x0000000000000000-mapping.dmp

Download
memory/3756-142-0x0000000000000000-mapping.dmp

Download
memory/3756-146-0x0000000000580000-0x00000000006B6000-memory.dmp

Filesize
1.2MB

Download
memory/4220-138-0x0000000000000000-mapping.dmp

Download
memory/4268-158-0x0000000000000000-mapping.dmp

Download
memory/4336-176-0x0000000000000000-mapping.dmp

Download
memory/4336-180-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/4336-181-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/4336-182-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/4656-153-0x0000000000000000-mapping.dmp

Download
memory/4884-147-0x0000000000000000-mapping.dmp

Download