cybergate | 6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

General

Target

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Size

1.6MB
MD5

10fbd92e90e11d2919af152765ec7cd5
SHA1

c40e66f47e18c5b14f6b037a10aa9810a3a6fda4
SHA256

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b
SHA512

19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03
SSDEEP

49152:RJZoQrbTFZY1iaF6kRaaVwU1Z3r0wkjqiNo9:RtrbTA1okR4sZ3r0wGNw

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

thorsss.no-ip.info:3131

127.0.0.1:3131

Mutex

8M2XHIH7S36RQ5

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Missing cd.dll
message_box_title
Error!
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

628 svchost.exe
688 svchost.exe

pid	process
628	svchost.exe
688	svchost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1032-64-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1032-73-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1944-78-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1944-81-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1032-83-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1032-89-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1624-96-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1624-102-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid process

1624 6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid	process
1624	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exesvchost.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Windows\\SysWOW64\\install\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\install\svchost.exe	autoit_exe
\Windows\SysWOW64\install\svchost.exe	autoit_exe
C:\Windows\SysWOW64\install\svchost.exe	autoit_exe
C:\Windows\SysWOW64\install\svchost.exe	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\svchost.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
File opened for modification	C:\Windows\SysWOW64\install\	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exesvchost.exe

description	pid	process	target process
PID 1628 set thread context of 1032	1628	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 628 set thread context of 688	628	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid process

1624 6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid	process
1624	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	pid	process
Token: SeBackupPrivilege	1944	explorer.exe
Token: SeRestorePrivilege	1944	explorer.exe
Token: SeBackupPrivilege	1624	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Token: SeRestorePrivilege	1624	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Token: SeDebugPrivilege	1624	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Token: SeDebugPrivilege	1624	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid process

1032 6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid	process
1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	pid	process	target process
PID 1628 wrote to memory of 1032	1628	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 1628 wrote to memory of 1032	1628	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 1628 wrote to memory of 1032	1628	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 1628 wrote to memory of 1032	1628	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 1628 wrote to memory of 1032	1628	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 1628 wrote to memory of 1032	1628	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 1032 wrote to memory of 1228	1032	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
"C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
"C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe"
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:628

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
6⤵
- Executes dropped EXE
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
6cf346f21c544b1c74573a7c30260755

SHA1
346cd6a490e2de3fd17ea05530f72e035fd5c500

SHA256
342e9f2460a5c55c93cad0db43cccf23865e32bb60d087cd1576c017e951727f

SHA512
728d10262d54be5f44e573ee6e62d5f39a46467d01a9fb680d5db8bc7d8dfec9deff2a69bb1880f2d7fe136359f335894b03325e82f9f6b2d3db87009a138907

Download Submit
C:\Users\Admin\AppData\Local\Temp\camp23.dat

Filesize
296KB

MD5
8dd4bc597e0b69acfa0338ae6f0d5b2c

SHA1
a3290a9ecec5b9a2647edfb4f0829b431d2791fc

SHA256
b6aa47c77ef88ef5e0e5ed44ddbd6d50a75ebdf9709ca44ded1712ec14ee2e64

SHA512
d449fbfc6350d1b1b99a45f74f98a152d2d753eac57873f20be2f999309816039ab0116663b7d5bdca0729eef2b5167a3e24ec3e60997b494bb30bcffda80940

Download Submit
C:\Windows\SysWOW64\install\svchost.exe

Filesize
1.6MB

MD5
10fbd92e90e11d2919af152765ec7cd5

SHA1
c40e66f47e18c5b14f6b037a10aa9810a3a6fda4

SHA256
6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

SHA512
19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03

Download Submit
C:\Windows\SysWOW64\install\svchost.exe

Filesize
1.6MB

MD5
10fbd92e90e11d2919af152765ec7cd5

SHA1
c40e66f47e18c5b14f6b037a10aa9810a3a6fda4

SHA256
6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

SHA512
19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03

Download Submit
C:\Windows\SysWOW64\install\svchost.exe

Filesize
1.6MB

MD5
10fbd92e90e11d2919af152765ec7cd5

SHA1
c40e66f47e18c5b14f6b037a10aa9810a3a6fda4

SHA256
6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

SHA512
19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03

Download Submit
\Windows\SysWOW64\install\svchost.exe

Filesize
1.6MB

MD5
10fbd92e90e11d2919af152765ec7cd5

SHA1
c40e66f47e18c5b14f6b037a10aa9810a3a6fda4

SHA256
6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

SHA512
19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03

Download Submit
memory/628-98-0x0000000000000000-mapping.dmp

Download
memory/688-112-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/688-111-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/688-106-0x00000000000CE1A8-mapping.dmp

Download
memory/688-110-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/1032-58-0x00000000000CE1A8-mapping.dmp

Download
memory/1032-95-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/1032-61-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/1032-59-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/1032-64-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1032-83-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1032-55-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/1032-89-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1032-62-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/1032-57-0x00000000000C0000-0x0000000000111000-memory.dmp

Filesize
324KB

Download
memory/1032-73-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1228-67-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1624-96-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1624-102-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1624-87-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download
memory/1944-78-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1944-72-0x0000000074B71000-0x0000000074B73000-memory.dmp

Filesize
8KB

Download
memory/1944-70-0x0000000000000000-mapping.dmp

Download
memory/1944-81-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads