cybergate | db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb

General

Target

db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
Size

2.0MB
MD5

552a63532e9219e4c6e63592e269af2c
SHA1

3338888bb45829133d08efa70bd61d56c061e5b4
SHA256

db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb
SHA512

3efbcf1a10c70206a87725b9d178ae091f757862a21e0f08361486a7c9121a7bf4a7c1b7846fa353c2929c86eb677125248845cbd6f6e42cd2de1abd5d76dc87
SSDEEP

49152:kPb9TjglRe9+mCUymxeLeAURYihuKCY4h:kPbNjK7mC+klRsRO

Score

10^/10

cybergate z2 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

Z2

C2

217.23.11.113:81

217.23.11.113:4123

217.23.11.113:6745

217.23.11.113:7534

217.23.11.113:7653

217.23.11.113:7875

217.23.11.113:8545

217.23.11.113:8642

217.23.11.113:8742

217.23.11.113:8954

217.23.11.113:9647

217.23.11.113:9743

217.23.11.113:9866

217.23.11.113:10535

217.23.11.113:10877

217.23.11.113:53575

217.23.11.113:58656

217.23.11.113:59534

217.23.11.113:59642

Mutex

8FCJL4R3W48D3A

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Chotomsy
install_file
chtomust.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
JPG file is error!
password
a123123123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FB_F3FB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Chromsu = "C:\\Windows\\system32\\Chotomsy\\chtomust.exe"	FB_F3FB.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	FB_F3FB.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Chromsu = "C:\\Windows\\system32\\Chotomsy\\chtomust.exe"	FB_F3FB.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	FB_F3FB.tmp.exe

Executes dropped EXE 4 IoCs

Processes:

FB_F3FB.tmp.exeFB_F3FB.tmp.exechtomust.exechtomust.exe

pid process

1176 FB_F3FB.tmp.exe
544 FB_F3FB.tmp.exe
2444 chtomust.exe
5012 chtomust.exe

pid	process
1176	FB_F3FB.tmp.exe
544	FB_F3FB.tmp.exe
2444	chtomust.exe
5012	chtomust.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FB_F3FB.tmp.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{661428U0-6H4Q-MRBG-WI4B-761L1XYM4IG6}	FB_F3FB.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{661428U0-6H4Q-MRBG-WI4B-761L1XYM4IG6}\StubPath = "C:\\Windows\\system32\\Chotomsy\\chtomust.exe Restart"	FB_F3FB.tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{661428U0-6H4Q-MRBG-WI4B-761L1XYM4IG6}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{661428U0-6H4Q-MRBG-WI4B-761L1XYM4IG6}\StubPath = "C:\\Windows\\system32\\Chotomsy\\chtomust.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/544-155-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/544-160-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/3404-163-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/3404-166-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/544-168-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/544-173-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/3208-176-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/3208-177-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/3208-191-0x0000000010560000-0x00000000105D0000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exeFB_F3FB.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	FB_F3FB.tmp.exe

Drops startup file 3 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chtomust.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chtomust.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FB_F3FB.tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	FB_F3FB.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Chotomsy\\chtomust.exe"	FB_F3FB.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	FB_F3FB.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Chotomsy\\chtomust.exe"	FB_F3FB.tmp.exe

Drops file in System32 directory 5 IoCs

Processes:

chtomust.exeFB_F3FB.tmp.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Chotomsy\chtomust.exe	chtomust.exe
File created	C:\Windows\SysWOW64\Chotomsy\chtomust.exe	FB_F3FB.tmp.exe
File opened for modification	C:\Windows\SysWOW64\Chotomsy\chtomust.exe	FB_F3FB.tmp.exe
File opened for modification	C:\Windows\SysWOW64\Chotomsy\chtomust.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Chotomsy\	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exeFB_F3FB.tmp.exechtomust.exe

description	pid	process	target process
PID 4372 set thread context of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 1176 set thread context of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 2444 set thread context of 5012	2444	chtomust.exe	chtomust.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exeFB_F3FB.tmp.exechtomust.exe

pid	process
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
1176	FB_F3FB.tmp.exe
1176	FB_F3FB.tmp.exe
1176	FB_F3FB.tmp.exe
1176	FB_F3FB.tmp.exe
2444	chtomust.exe
2444	chtomust.exe
2444	chtomust.exe
2444	chtomust.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 3208 explorer.exe
Token: SeDebugPrivilege 3208 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

FB_F3FB.tmp.exe

pid process

544 FB_F3FB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3208	explorer.exe
Token: SeDebugPrivilege	3208	explorer.exe

pid	process
544	FB_F3FB.tmp.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exeFB_F3FB.tmp.exechtomust.exe

pid	process
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
1176	FB_F3FB.tmp.exe
1176	FB_F3FB.tmp.exe
1176	FB_F3FB.tmp.exe
1176	FB_F3FB.tmp.exe
2444	chtomust.exe
2444	chtomust.exe
2444	chtomust.exe
2444	chtomust.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.execmd.exenet.exedb634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exeFB_F3FB.tmp.execmd.exenet.exeFB_F3FB.tmp.exe

description	pid	process	target process
PID 4372 wrote to memory of 3100	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	cmd.exe
PID 4372 wrote to memory of 3100	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	cmd.exe
PID 4372 wrote to memory of 3100	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	cmd.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 4372 wrote to memory of 2784	4372	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
PID 3100 wrote to memory of 5044	3100	cmd.exe	net.exe
PID 3100 wrote to memory of 5044	3100	cmd.exe	net.exe
PID 3100 wrote to memory of 5044	3100	cmd.exe	net.exe
PID 5044 wrote to memory of 3232	5044	net.exe	net1.exe
PID 5044 wrote to memory of 3232	5044	net.exe	net1.exe
PID 5044 wrote to memory of 3232	5044	net.exe	net1.exe
PID 2784 wrote to memory of 1176	2784	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	FB_F3FB.tmp.exe
PID 2784 wrote to memory of 1176	2784	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	FB_F3FB.tmp.exe
PID 2784 wrote to memory of 1176	2784	db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 1452	1176	FB_F3FB.tmp.exe	cmd.exe
PID 1176 wrote to memory of 1452	1176	FB_F3FB.tmp.exe	cmd.exe
PID 1176 wrote to memory of 1452	1176	FB_F3FB.tmp.exe	cmd.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1176 wrote to memory of 544	1176	FB_F3FB.tmp.exe	FB_F3FB.tmp.exe
PID 1452 wrote to memory of 2420	1452	cmd.exe	net.exe
PID 1452 wrote to memory of 2420	1452	cmd.exe	net.exe
PID 1452 wrote to memory of 2420	1452	cmd.exe	net.exe
PID 2420 wrote to memory of 2284	2420	net.exe	net1.exe
PID 2420 wrote to memory of 2284	2420	net.exe	net1.exe
PID 2420 wrote to memory of 2284	2420	net.exe	net1.exe
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE
PID 544 wrote to memory of 3048	544	FB_F3FB.tmp.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
"C:\Users\Admin\AppData\Local\Temp\db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
C:\Users\Admin\AppData\Local\Temp\db634ee9374d951b38fa8f38b8aea075142313eb7c58db9c808a99948142ffcb.exe
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\FB_F3FB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_F3FB.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
5⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
6⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
7⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\FB_F3FB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\FB_F3FB.tmp.exe
5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Modifies Installed Components in the registry
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
6⤵
PID:4228

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\Chotomsy\chtomust.exe
"C:\Windows\system32\Chotomsy\chtomust.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
7⤵
PID:3216

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
8⤵
PID:2316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
9⤵
PID:3372

C:\Windows\SysWOW64\Chotomsy\chtomust.exe
C:\Windows\SysWOW64\Chotomsy\chtomust.exe
7⤵
- Executes dropped EXE
PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
1e82b8c4cf44836c46410d28b55cb59f

SHA1
73fc2015d93cee9a76cbaa7a9ec58b313839ebe8

SHA256
2e6b21c179044428cb27e4cfd228c1f95fecba0a4b440dd19deb93617b95c2a7

SHA512
7810f4e343fea5e14b7b84868ad3352d7dcc025af9c615e87d1e1f48ef4caaa9a2aa260594c3a292188d2d154a51b3623b445d4c33268bf073a13aebbc61d8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_F3FB.tmp.exe

Filesize
1.0MB

MD5
c19e74e4f67b89c8dd079752870b94af

SHA1
68998913a9d5e3096a581a75f6c171def47f9f90

SHA256
f7e79a74a9d143edac35398d976d68a1c5310bab01579d5ca53c0fe8e9fa43cc

SHA512
8dc215fd3a04a7a55592335582528af71321dbd527c1db6fdd80b386c8a8eb3535c10d7dd9936e954501de7be51af63e09c4ccc2ba2256dd8193bbc4baa35f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_F3FB.tmp.exe

Filesize
1.0MB

MD5
c19e74e4f67b89c8dd079752870b94af

SHA1
68998913a9d5e3096a581a75f6c171def47f9f90

SHA256
f7e79a74a9d143edac35398d976d68a1c5310bab01579d5ca53c0fe8e9fa43cc

SHA512
8dc215fd3a04a7a55592335582528af71321dbd527c1db6fdd80b386c8a8eb3535c10d7dd9936e954501de7be51af63e09c4ccc2ba2256dd8193bbc4baa35f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_F3FB.tmp.exe

Filesize
1.0MB

MD5
c19e74e4f67b89c8dd079752870b94af

SHA1
68998913a9d5e3096a581a75f6c171def47f9f90

SHA256
f7e79a74a9d143edac35398d976d68a1c5310bab01579d5ca53c0fe8e9fa43cc

SHA512
8dc215fd3a04a7a55592335582528af71321dbd527c1db6fdd80b386c8a8eb3535c10d7dd9936e954501de7be51af63e09c4ccc2ba2256dd8193bbc4baa35f68

Download Submit
C:\Windows\SysWOW64\Chotomsy\chtomust.exe

Filesize
1.0MB

MD5
c19e74e4f67b89c8dd079752870b94af

SHA1
68998913a9d5e3096a581a75f6c171def47f9f90

SHA256
f7e79a74a9d143edac35398d976d68a1c5310bab01579d5ca53c0fe8e9fa43cc

SHA512
8dc215fd3a04a7a55592335582528af71321dbd527c1db6fdd80b386c8a8eb3535c10d7dd9936e954501de7be51af63e09c4ccc2ba2256dd8193bbc4baa35f68

Download Submit
C:\Windows\SysWOW64\Chotomsy\chtomust.exe

Filesize
1.0MB

MD5
c19e74e4f67b89c8dd079752870b94af

SHA1
68998913a9d5e3096a581a75f6c171def47f9f90

SHA256
f7e79a74a9d143edac35398d976d68a1c5310bab01579d5ca53c0fe8e9fa43cc

SHA512
8dc215fd3a04a7a55592335582528af71321dbd527c1db6fdd80b386c8a8eb3535c10d7dd9936e954501de7be51af63e09c4ccc2ba2256dd8193bbc4baa35f68

Download Submit
C:\Windows\SysWOW64\Chotomsy\chtomust.exe

Filesize
1.0MB

MD5
c19e74e4f67b89c8dd079752870b94af

SHA1
68998913a9d5e3096a581a75f6c171def47f9f90

SHA256
f7e79a74a9d143edac35398d976d68a1c5310bab01579d5ca53c0fe8e9fa43cc

SHA512
8dc215fd3a04a7a55592335582528af71321dbd527c1db6fdd80b386c8a8eb3535c10d7dd9936e954501de7be51af63e09c4ccc2ba2256dd8193bbc4baa35f68

Download Submit
memory/544-173-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/544-180-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/544-168-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/544-160-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/544-155-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/544-153-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/544-146-0x0000000000000000-mapping.dmp

Download
memory/544-149-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/544-150-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/544-147-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1176-141-0x0000000000000000-mapping.dmp

Download
memory/1176-144-0x0000000002230000-0x0000000002234000-memory.dmp

Filesize
16KB

Download
memory/1452-145-0x0000000000000000-mapping.dmp

Download
memory/2284-152-0x0000000000000000-mapping.dmp

Download
memory/2316-187-0x0000000000000000-mapping.dmp

Download
memory/2420-151-0x0000000000000000-mapping.dmp

Download
memory/2444-178-0x0000000000000000-mapping.dmp

Download
memory/2784-133-0x0000000000000000-mapping.dmp

Download
memory/2784-136-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/2784-140-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/2784-134-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/3100-132-0x0000000000000000-mapping.dmp

Download
memory/3208-176-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/3208-177-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/3208-172-0x0000000000000000-mapping.dmp

Download
memory/3208-191-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/3216-181-0x0000000000000000-mapping.dmp

Download
memory/3232-139-0x0000000000000000-mapping.dmp

Download
memory/3372-188-0x0000000000000000-mapping.dmp

Download
memory/3404-159-0x0000000000000000-mapping.dmp

Download
memory/3404-166-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/3404-163-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/4372-137-0x0000000002270000-0x0000000002274000-memory.dmp

Filesize
16KB

Download
memory/5012-189-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5012-182-0x0000000000000000-mapping.dmp

Download
memory/5012-190-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5044-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads