cybergate | 6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

General

Target

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Size

1.6MB
MD5

10fbd92e90e11d2919af152765ec7cd5
SHA1

c40e66f47e18c5b14f6b037a10aa9810a3a6fda4
SHA256

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b
SHA512

19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03
SSDEEP

49152:RJZoQrbTFZY1iaF6kRaaVwU1Z3r0wkjqiNo9:RtrbTA1okR4sZ3r0wGNw

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

thorsss.no-ip.info:3131

127.0.0.1:3131

Mutex

8M2XHIH7S36RQ5

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Missing cd.dll
message_box_title
Error!
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4312 svchost.exe
2516 svchost.exe

pid	process
4312	svchost.exe
2516	svchost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{TP1DH16Y-25BC-7G46-K117-U4C48630PHA7}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2124-138-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2124-143-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/316-146-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/316-147-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2124-152-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/2124-157-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/4640-160-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/4640-162-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/4640-163-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Windows\\SysWOW64\\install\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\install\svchost.exe	autoit_exe
C:\Windows\SysWOW64\install\svchost.exe	autoit_exe
C:\Windows\SysWOW64\install\svchost.exe	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
File created	C:\Windows\SysWOW64\install\svchost.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exesvchost.exe

description	pid	process	target process
PID 2552 set thread context of 2124	2552	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 4312 set thread context of 2516	4312	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid process

4640 6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid	process
4640	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	pid	process
Token: SeBackupPrivilege	316	explorer.exe
Token: SeRestorePrivilege	316	explorer.exe
Token: SeBackupPrivilege	4640	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Token: SeRestorePrivilege	4640	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Token: SeDebugPrivilege	4640	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
Token: SeDebugPrivilege	4640	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid process

2124 6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

pid	process
2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe

description	pid	process	target process
PID 2552 wrote to memory of 2124	2552	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 2552 wrote to memory of 2124	2552	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 2552 wrote to memory of 2124	2552	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 2552 wrote to memory of 2124	2552	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 2552 wrote to memory of 2124	2552	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE
PID 2124 wrote to memory of 2700	2124	6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
"C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe
"C:\Users\Admin\AppData\Local\Temp\6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b.exe"
4⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4312

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
6⤵
- Executes dropped EXE
PID:2516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
6cf346f21c544b1c74573a7c30260755

SHA1
346cd6a490e2de3fd17ea05530f72e035fd5c500

SHA256
342e9f2460a5c55c93cad0db43cccf23865e32bb60d087cd1576c017e951727f

SHA512
728d10262d54be5f44e573ee6e62d5f39a46467d01a9fb680d5db8bc7d8dfec9deff2a69bb1880f2d7fe136359f335894b03325e82f9f6b2d3db87009a138907

Download Submit
C:\Users\Admin\AppData\Local\Temp\camp23.dat

Filesize
296KB

MD5
8dd4bc597e0b69acfa0338ae6f0d5b2c

SHA1
a3290a9ecec5b9a2647edfb4f0829b431d2791fc

SHA256
b6aa47c77ef88ef5e0e5ed44ddbd6d50a75ebdf9709ca44ded1712ec14ee2e64

SHA512
d449fbfc6350d1b1b99a45f74f98a152d2d753eac57873f20be2f999309816039ab0116663b7d5bdca0729eef2b5167a3e24ec3e60997b494bb30bcffda80940

Download Submit
C:\Windows\SysWOW64\install\svchost.exe

Filesize
1.6MB

MD5
10fbd92e90e11d2919af152765ec7cd5

SHA1
c40e66f47e18c5b14f6b037a10aa9810a3a6fda4

SHA256
6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

SHA512
19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03

Download Submit
C:\Windows\SysWOW64\install\svchost.exe

Filesize
1.6MB

MD5
10fbd92e90e11d2919af152765ec7cd5

SHA1
c40e66f47e18c5b14f6b037a10aa9810a3a6fda4

SHA256
6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

SHA512
19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03

Download Submit
C:\Windows\SysWOW64\install\svchost.exe

Filesize
1.6MB

MD5
10fbd92e90e11d2919af152765ec7cd5

SHA1
c40e66f47e18c5b14f6b037a10aa9810a3a6fda4

SHA256
6a5663a22e09c79a44478854839ee0e5a844a17a1789ca5631e51d016961f12b

SHA512
19b8e2655162aa35287fe67926b850aef5752535a683f6dc394962081921c32813d3890a16747dec5779b84d5b9649a4812699948487ee7d84942a06e9930a03

Download Submit
memory/316-146-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/316-142-0x0000000000000000-mapping.dmp

Download
memory/316-147-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2124-143-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2124-135-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2124-148-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2124-138-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2124-136-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2124-152-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2124-133-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2124-157-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2124-161-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2124-134-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2124-132-0x0000000000000000-mapping.dmp

Download
memory/2516-167-0x0000000000000000-mapping.dmp

Download
memory/2516-171-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2516-172-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/2516-173-0x00000000000D0000-0x0000000000121000-memory.dmp

Filesize
324KB

Download
memory/4312-164-0x0000000000000000-mapping.dmp

Download
memory/4640-163-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4640-162-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4640-160-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4640-156-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads