Analysis
max time kernel: 193s
max time network: 243s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 13:50

Behavioral task: behavioral1
Sample: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
Resource: win7-20221111-en
General
Target: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
Size: 1.0MB
MD5: 501beaec545972571ca743ff468cae5b
SHA1: 4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA512: 2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
SSDEEP: 12288:EjkArEN249AyE/rbaMct4bO2/Vf0cCoFmZv07A6IdSlloroY30wnqomLskYtI:nFE//Tct4bOsyczmydI8lycOqdcI
Malware Config
Extracted
Family: cybergate
Version: v1.04.8
hottrod
C2: d16.no-ip.biz:3178
L7471Y70V2WVK3
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: m2340440
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: svzhost.exe
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svzhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | svzhost.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svzhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | svzhost.exe |
Drops file in Drivers directory (4 IoCs)
Processes: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe, svzhost.exe, server.exe, svzhost.exe
| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | svzhost.exe |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | server.exe |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | svzhost.exe |
Executes dropped EXE (8 IoCs)
Processes: svzhost.exe, svzhost.exe, svzhost.exe, svzhost.exe, server.exe, svzhost.exe, svzhost.exe, svzhost.exe
| pid | process |
|---|---|
| 4028 | svzhost.exe |
| 4644 | svzhost.exe |
| 2728 | svzhost.exe |
| 1212 | svzhost.exe |
| 4528 | server.exe |
| 2240 | svzhost.exe |
| 3820 | svzhost.exe |
| 3124 | svzhost.exe |
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes: svzhost.exe
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{38W108GQ-O055-YL24-B138-U1PNC3D7XXMR} | svzhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38W108GQ-O055-YL24-B138-U1PNC3D7XXMR}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | svzhost.exe |
Processes:
| resource | yara_rule |
|---|---|
| behavioral2/memory/4400-132-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| behavioral2/memory/4028-140-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| behavioral2/memory/4400-152-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| behavioral2/memory/4028-153-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| behavioral2/memory/4400-155-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| behavioral2/memory/2728-157-0x0000000000400000-0x0000000000421000-memory.dmp | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| behavioral2/memory/2728-160-0x0000000000400000-0x0000000000421000-memory.dmp | upx |
| behavioral2/memory/2728-161-0x0000000000400000-0x0000000000421000-memory.dmp | upx |
| behavioral2/memory/2728-162-0x0000000000400000-0x0000000000421000-memory.dmp | upx |
| behavioral2/memory/4644-164-0x0000000010410000-0x0000000010471000-memory.dmp | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| behavioral2/memory/2728-170-0x0000000000400000-0x0000000000421000-memory.dmp | upx |
| behavioral2/memory/1212-171-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| behavioral2/memory/4644-172-0x0000000010480000-0x00000000104E1000-memory.dmp | upx |
| behavioral2/memory/1212-175-0x0000000010480000-0x00000000104E1000-memory.dmp | upx |
| behavioral2/memory/1212-178-0x0000000010480000-0x00000000104E1000-memory.dmp | upx |
| C:\directory\CyberGate\install\server.exe | upx |
| C:\directory\CyberGate\install\server.exe | upx |
| behavioral2/memory/4528-187-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| behavioral2/memory/4528-190-0x0000000000400000-0x00000000004E5000-memory.dmp | upx |
| behavioral2/memory/1212-191-0x0000000010480000-0x00000000104E1000-memory.dmp | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| C:\Users\Admin\AppData\Roaming\svzhost.exe | upx |
| behavioral2/memory/3124-210-0x0000000000400000-0x0000000000421000-memory.dmp | upx |
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: svzhost.exe
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | svzhost.exe |
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe, svzhost.exe, server.exe
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe" | 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | svzhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe" | svzhost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe" | server.exe |
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe, svzhost.exe, server.exe, svzhost.exe
All 64 entries have the description "File opened (read-only)" and an ioc of the form \??\<letter>:; they are grouped here by process (the two svzhost.exe processes share a name, so letters repeat in that row).
| process | drive letters opened (read-only) | entries |
|---|---|---|
| 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe | k, y, i, t, e, x, g, m, s, u, r, l, o, p, b, f, h, v, n, w | 20 |
| svzhost.exe | m, o, b, i, k, x, g, u, a, q, j, b, g, x, r, y, l, y, e, w, k, v, s, h, r, a, n | 27 |
| server.exe | j, p, t, u, v, f, s, e, a, n, l, i, k, q, z, m, w | 17 |
AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
| resource | yara_rule |
|---|---|
| behavioral2/memory/4400-152-0x0000000000400000-0x00000000004E5000-memory.dmp | autoit_exe |
| behavioral2/memory/4028-153-0x0000000000400000-0x00000000004E5000-memory.dmp | autoit_exe |
| behavioral2/memory/4400-155-0x0000000000400000-0x00000000004E5000-memory.dmp | autoit_exe |
| behavioral2/memory/4528-187-0x0000000000400000-0x00000000004E5000-memory.dmp | autoit_exe |
| behavioral2/memory/4528-190-0x0000000000400000-0x00000000004E5000-memory.dmp | autoit_exe |
Suspicious use of SetThreadContext (4 IoCs)
Processes: svzhost.exe, svzhost.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 4028 set thread context of 4644 | 4028 | svzhost.exe | svzhost.exe |
| PID 4028 set thread context of 2728 | 4028 | svzhost.exe | svzhost.exe |
| PID 2240 set thread context of 3820 | 2240 | svzhost.exe | svzhost.exe |
| PID 2240 set thread context of 3124 | 2240 | svzhost.exe | svzhost.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Gathers network information (2 TTPs, 8 IoCs)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe (8 instances)
| pid | process |
|---|---|
| 1388 | ipconfig.exe |
| 4632 | ipconfig.exe |
| 2840 | ipconfig.exe |
| 116 | ipconfig.exe |
| 2660 | ipconfig.exe |
| 1144 | ipconfig.exe |
| 2540 | ipconfig.exe |
| 3212 | ipconfig.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svzhost.exe, svzhost.exe
The 64 entries are repeated rows for two processes:
| pid | process | entries |
|---|---|---|
| 4028 | svzhost.exe | 40 |
| 2240 | svzhost.exe | 24 |
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: svzhost.exe
| pid | process |
|---|---|
| 1212 | svzhost.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: svzhost.exe
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1212 | svzhost.exe |
| Token: SeDebugPrivilege | 1212 | svzhost.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe, cmd.exe, cmd.exe, svzhost.exe, cmd.exe, cmd.exe, svzhost.exe
Identical rows are collapsed; the entries column gives how many times each row appears in the 64 IoCs.
| description | pid | process | target process | entries |
|---|---|---|---|---|
| PID 4400 wrote to memory of 228 | 4400 | 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe | cmd.exe | 3 |
| PID 228 wrote to memory of 3212 | 228 | cmd.exe | ipconfig.exe | 3 |
| PID 4400 wrote to memory of 4984 | 4400 | 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe | cmd.exe | 3 |
| PID 4984 wrote to memory of 1388 | 4984 | cmd.exe | ipconfig.exe | 3 |
| PID 4400 wrote to memory of 4028 | 4400 | 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe | svzhost.exe | 3 |
| PID 4028 wrote to memory of 1600 | 4028 | svzhost.exe | cmd.exe | 3 |
| PID 1600 wrote to memory of 4632 | 1600 | cmd.exe | ipconfig.exe | 3 |
| PID 4028 wrote to memory of 2012 | 4028 | svzhost.exe | cmd.exe | 3 |
| PID 2012 wrote to memory of 2840 | 2012 | cmd.exe | ipconfig.exe | 3 |
| PID 4028 wrote to memory of 4644 | 4028 | svzhost.exe | svzhost.exe | 5 |
| PID 4028 wrote to memory of 2728 | 4028 | svzhost.exe | svzhost.exe | 5 |
| PID 4644 wrote to memory of 2212 | 4644 | svzhost.exe | iexplore.exe | 27 |
Processes
Process tree; the number in brackets is the depth of the process in the tree, and the indented lines under each entry are its command line, PID and matched signatures.

[1] C:\Users\Admin\AppData\Local\Temp\815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe"
    PID: 4400
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
      PID: 228
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /flushdns
        PID: 3212
        - Gathers network information
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
      PID: 4984
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /flushdns
        PID: 1388
        - Gathers network information
  [2] C:\Users\Admin\AppData\Roaming\svzhost.exe
      command line: C:\Users\Admin\AppData\Roaming\svzhost.exe
      PID: 4028
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
        PID: 1600
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\ipconfig.exe
          command line: ipconfig /flushdns
          PID: 4632
          - Gathers network information
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
        PID: 2012
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\ipconfig.exe
          command line: ipconfig /flushdns
          PID: 2840
          - Gathers network information
    [3] C:\Users\Admin\AppData\Roaming\svzhost.exe
        command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
        PID: 4644
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files\Internet Explorer\iexplore.exe
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2212
      [4] C:\Users\Admin\AppData\Roaming\svzhost.exe
          command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
          PID: 1212
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\directory\CyberGate\install\server.exe
            command line: "C:\directory\CyberGate\install\server.exe"
            PID: 4528
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Adds Run key to start application
            - Enumerates connected drives
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
              PID: 4412
            [7] C:\Windows\SysWOW64\ipconfig.exe
                command line: ipconfig /flushdns
                PID: 116
                - Gathers network information
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
              PID: 4472
            [7] C:\Windows\SysWOW64\ipconfig.exe
                command line: ipconfig /flushdns
                PID: 2660
                - Gathers network information
          [6] C:\Users\Admin\AppData\Roaming\svzhost.exe
              command line: C:\Users\Admin\AppData\Roaming\svzhost.exe
              PID: 2240
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Enumerates connected drives
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
                PID: 4332
              [8] C:\Windows\SysWOW64\ipconfig.exe
                  command line: ipconfig /flushdns
                  PID: 1144
                  - Gathers network information
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
                PID: 2380
              [8] C:\Windows\SysWOW64\ipconfig.exe
                  command line: ipconfig /flushdns
                  PID: 2540
                  - Gathers network information
            [7] C:\Users\Admin\AppData\Roaming\svzhost.exe
                command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
                PID: 3820
                - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Roaming\svzhost.exe
                command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
                PID: 3124
                - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Roaming\svzhost.exe
        command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
        PID: 2728
        - Executes dropped EXE
        - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize: 222KB
MD5: 550521ce5ba350ce99d58374af03c63d
SHA1: 6e7d81228d5d4cf44b75155300ddf2240062da15
SHA256: 6798037a33eccaffe4e8515388019ee992345238b84c78b37eda0f770d31feba
SHA512: 86a63c10b9673e34774bac960bd15d70e756e8fd42f98ac4b1178b151004bb96f3e222f342c3e5f316ee35357dec6f5a57d228185283235babaad480726cd0bd

C:\Users\Admin\AppData\Roaming\svzhost.exe (8 identical entries; same hashes as the submitted sample)
Filesize: 1.0MB
MD5: 501beaec545972571ca743ff468cae5b
SHA1: 4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA512: 2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

C:\Windows\system32\drivers\etc\hosts
Filesize: 1KB
MD5: e721109b3db532ac173f098e52448335
SHA1: 6006f8cdc53928e8152aff0d77b4c47d43810958
SHA256: 4f841fcbfa30c6c485b0d1da02d6d62d458445fd7938a26fd6c44d7ce4b84acd
SHA512: 0351def962cb1dd32a27ab2f424eef38a69404284b2268df4388a524e89667e0dce5faf44a01be6a9c338efa7d756d5e9869c4f95446aaedad0486297169235a

C:\Windows\system32\drivers\etc\hosts
Filesize: 1KB
MD5: 9b71207872dbbfb3984cb57044abe52d
SHA1: b512b2c02879f5d5941e17792610129f1b7472fe
SHA256: 27798836cb4f45f83d5f4d6d803ba85fdd37ff09df034a11145089ea5ed6ad6e
SHA512: 0df692714a1ed3956f7fcc62cd9aae0fb61aab0d4950bbe03b651395bc0bbf857378979372f389c7de79e6cbcc9fe8a446f986ffdc6161762580b0b43221c370

C:\Windows\system32\drivers\etc\hosts
Filesize: 2KB
MD5: 35f35232e5365da656c3e4051c964d0b
SHA1: 73a61eb6e2ca6aeb01550a3bb868beda5d820776
SHA256: 639a36fc59d497460f47e40f161c60d8cf2f710b5ce7b1cbb1ecc5d3983d961a
SHA512: 5a64ecb61730a5801d8025b74244a02bc9efada624c9e8207159d95420add407b56d662fcaf474c39cf6b6f9c71671acc4a50260f99c36fb9fa5079080b231e2

C:\directory\CyberGate\install\server.exe (2 identical entries; same hashes as the submitted sample)
Filesize: 1.0MB
MD5: 501beaec545972571ca743ff468cae5b
SHA1: 4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256: 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA512: 2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
Memory dumps (Filesize given where the report lists one):
memory/116-183-0x0000000000000000-mapping.dmp
memory/228-133-0x0000000000000000-mapping.dmp
memory/1144-193-0x0000000000000000-mapping.dmp
memory/1212-178-0x0000000010480000-0x00000000104E1000-memory.dmp (Filesize: 388KB)
memory/1212-168-0x0000000000000000-mapping.dmp
memory/1212-175-0x0000000010480000-0x00000000104E1000-memory.dmp (Filesize: 388KB)
memory/1212-171-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/1212-191-0x0000000010480000-0x00000000104E1000-memory.dmp (Filesize: 388KB)
memory/1388-136-0x0000000000000000-mapping.dmp
memory/1600-141-0x0000000000000000-mapping.dmp
memory/2012-144-0x0000000000000000-mapping.dmp
memory/2240-188-0x0000000000000000-mapping.dmp
memory/2380-195-0x0000000000000000-mapping.dmp
memory/2540-196-0x0000000000000000-mapping.dmp
memory/2660-186-0x0000000000000000-mapping.dmp
memory/2728-156-0x0000000000000000-mapping.dmp
memory/2728-161-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/2728-160-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/2728-170-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/2728-157-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/2728-162-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/2840-145-0x0000000000000000-mapping.dmp
memory/3124-204-0x0000000000000000-mapping.dmp
memory/3124-210-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/3212-134-0x0000000000000000-mapping.dmp
memory/3820-203-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/3820-202-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/3820-201-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/3820-197-0x0000000000000000-mapping.dmp
memory/4028-153-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/4028-137-0x0000000000000000-mapping.dmp
memory/4028-140-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/4332-192-0x0000000000000000-mapping.dmp
memory/4400-155-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/4400-152-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/4400-132-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/4412-182-0x0000000000000000-mapping.dmp
memory/4472-185-0x0000000000000000-mapping.dmp
memory/4528-180-0x0000000000000000-mapping.dmp
memory/4528-190-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/4528-187-0x0000000000400000-0x00000000004E5000-memory.dmp (Filesize: 916KB)
memory/4632-142-0x0000000000000000-mapping.dmp
memory/4644-146-0x0000000000000000-mapping.dmp
memory/4644-151-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/4644-150-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/4644-147-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/4644-149-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/4644-154-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/4644-176-0x00000000000D0000-0x000000000011E000-memory.dmp (Filesize: 312KB)
memory/4644-172-0x0000000010480000-0x00000000104E1000-memory.dmp (Filesize: 388KB)
memory/4644-164-0x0000000010410000-0x0000000010471000-memory.dmp (Filesize: 388KB)
memory/4984-135-0x0000000000000000-mapping.dmp