cybergate | 815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

Analysis

max time kernel
193s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
Size

1.0MB
MD5

501beaec545972571ca743ff468cae5b
SHA1

4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256

815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA512

2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
SSDEEP

12288:EjkArEN249AyE/rbaMct4bO2/Vf0cCoFmZv07A6IdSlloroY30wnqomLskYtI:nFE//Tct4bOsyczmydI8lycOqdcI

Score

10^/10

cybergate hottrod persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

hottrod

d16.no-ip.biz:3178

Mutex

L7471Y70V2WVK3

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
m2340440

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svzhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svzhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	svzhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svzhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	svzhost.exe

Drops file in Drivers directory 4 IoCs

Processes:

815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exesvzhost.exeserver.exesvzhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svzhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	server.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svzhost.exe

Executes dropped EXE 8 IoCs

Processes:

svzhost.exesvzhost.exesvzhost.exesvzhost.exeserver.exesvzhost.exesvzhost.exesvzhost.exe

pid process

4028 svzhost.exe
4644 svzhost.exe
2728 svzhost.exe
1212 svzhost.exe
4528 server.exe
2240 svzhost.exe
3820 svzhost.exe
3124 svzhost.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svzhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{38W108GQ-O055-YL24-B138-U1PNC3D7XXMR}	svzhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38W108GQ-O055-YL24-B138-U1PNC3D7XXMR}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	svzhost.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4400-132-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
behavioral2/memory/4028-140-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
behavioral2/memory/4400-152-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral2/memory/4028-153-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral2/memory/4400-155-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral2/memory/2728-157-0x0000000000400000-0x0000000000421000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
behavioral2/memory/2728-160-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2728-161-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/2728-162-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4644-164-0x0000000010410000-0x0000000010471000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
behavioral2/memory/2728-170-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1212-171-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral2/memory/4644-172-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/1212-175-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/1212-178-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
C:\directory\CyberGate\install\server.exe	upx
C:\directory\CyberGate\install\server.exe	upx
behavioral2/memory/4528-187-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
behavioral2/memory/4528-190-0x0000000000400000-0x00000000004E5000-memory.dmp	upx
behavioral2/memory/1212-191-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
C:\Users\Admin\AppData\Roaming\svzhost.exe	upx
behavioral2/memory/3124-210-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svzhost.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation svzhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	svzhost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exesvzhost.exeserver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe"	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	svzhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe"	svzhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe"	server.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exesvzhost.exeserver.exesvzhost.exe

description	ioc	process
File opened (read-only)	\??\k:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\y:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\m:	svzhost.exe
File opened (read-only)	\??\o:	svzhost.exe
File opened (read-only)	\??\i:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\t:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\j:	server.exe
File opened (read-only)	\??\p:	server.exe
File opened (read-only)	\??\t:	server.exe
File opened (read-only)	\??\u:	server.exe
File opened (read-only)	\??\v:	server.exe
File opened (read-only)	\??\b:	svzhost.exe
File opened (read-only)	\??\e:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\x:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\i:	svzhost.exe
File opened (read-only)	\??\f:	server.exe
File opened (read-only)	\??\k:	svzhost.exe
File opened (read-only)	\??\x:	svzhost.exe
File opened (read-only)	\??\s:	server.exe
File opened (read-only)	\??\g:	svzhost.exe
File opened (read-only)	\??\u:	svzhost.exe
File opened (read-only)	\??\g:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\m:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\s:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\u:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\r:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\a:	svzhost.exe
File opened (read-only)	\??\q:	svzhost.exe
File opened (read-only)	\??\e:	server.exe
File opened (read-only)	\??\l:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\o:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\p:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\a:	server.exe
File opened (read-only)	\??\n:	server.exe
File opened (read-only)	\??\j:	svzhost.exe
File opened (read-only)	\??\b:	svzhost.exe
File opened (read-only)	\??\g:	svzhost.exe
File opened (read-only)	\??\x:	svzhost.exe
File opened (read-only)	\??\l:	server.exe
File opened (read-only)	\??\r:	svzhost.exe
File opened (read-only)	\??\y:	svzhost.exe
File opened (read-only)	\??\i:	server.exe
File opened (read-only)	\??\k:	server.exe
File opened (read-only)	\??\b:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\f:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\h:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\v:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\q:	server.exe
File opened (read-only)	\??\l:	svzhost.exe
File opened (read-only)	\??\y:	svzhost.exe
File opened (read-only)	\??\z:	server.exe
File opened (read-only)	\??\e:	svzhost.exe
File opened (read-only)	\??\w:	svzhost.exe
File opened (read-only)	\??\n:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\k:	svzhost.exe
File opened (read-only)	\??\v:	svzhost.exe
File opened (read-only)	\??\m:	server.exe
File opened (read-only)	\??\s:	svzhost.exe
File opened (read-only)	\??\w:	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
File opened (read-only)	\??\w:	server.exe
File opened (read-only)	\??\h:	svzhost.exe
File opened (read-only)	\??\r:	svzhost.exe
File opened (read-only)	\??\a:	svzhost.exe
File opened (read-only)	\??\n:	svzhost.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4400-152-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral2/memory/4028-153-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral2/memory/4400-155-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral2/memory/4528-187-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe
behavioral2/memory/4528-190-0x0000000000400000-0x00000000004E5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

svzhost.exesvzhost.exe

description	pid	process	target process
PID 4028 set thread context of 4644	4028	svzhost.exe	svzhost.exe
PID 4028 set thread context of 2728	4028	svzhost.exe	svzhost.exe
PID 2240 set thread context of 3820	2240	svzhost.exe	svzhost.exe
PID 2240 set thread context of 3124	2240	svzhost.exe	svzhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

1388 ipconfig.exe
4632 ipconfig.exe
2840 ipconfig.exe
116 ipconfig.exe
2660 ipconfig.exe
1144 ipconfig.exe
2540 ipconfig.exe
3212 ipconfig.exe

pid	process
1388	ipconfig.exe
4632	ipconfig.exe
2840	ipconfig.exe
116	ipconfig.exe
2660	ipconfig.exe
1144	ipconfig.exe
2540	ipconfig.exe
3212	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svzhost.exesvzhost.exe

pid	process
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
4028	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe
2240	svzhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svzhost.exe

pid process

1212 svzhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svzhost.exe

description pid process

Token: SeDebugPrivilege 1212 svzhost.exe
Token: SeDebugPrivilege 1212 svzhost.exe

pid	process
1212	svzhost.exe

description	pid	process
Token: SeDebugPrivilege	1212	svzhost.exe
Token: SeDebugPrivilege	1212	svzhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.execmd.execmd.exesvzhost.execmd.execmd.exesvzhost.exe

description	pid	process	target process
PID 4400 wrote to memory of 228	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	cmd.exe
PID 4400 wrote to memory of 228	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	cmd.exe
PID 4400 wrote to memory of 228	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	cmd.exe
PID 228 wrote to memory of 3212	228	cmd.exe	ipconfig.exe
PID 228 wrote to memory of 3212	228	cmd.exe	ipconfig.exe
PID 228 wrote to memory of 3212	228	cmd.exe	ipconfig.exe
PID 4400 wrote to memory of 4984	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	cmd.exe
PID 4400 wrote to memory of 4984	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	cmd.exe
PID 4400 wrote to memory of 4984	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	cmd.exe
PID 4984 wrote to memory of 1388	4984	cmd.exe	ipconfig.exe
PID 4984 wrote to memory of 1388	4984	cmd.exe	ipconfig.exe
PID 4984 wrote to memory of 1388	4984	cmd.exe	ipconfig.exe
PID 4400 wrote to memory of 4028	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	svzhost.exe
PID 4400 wrote to memory of 4028	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	svzhost.exe
PID 4400 wrote to memory of 4028	4400	815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe	svzhost.exe
PID 4028 wrote to memory of 1600	4028	svzhost.exe	cmd.exe
PID 4028 wrote to memory of 1600	4028	svzhost.exe	cmd.exe
PID 4028 wrote to memory of 1600	4028	svzhost.exe	cmd.exe
PID 1600 wrote to memory of 4632	1600	cmd.exe	ipconfig.exe
PID 1600 wrote to memory of 4632	1600	cmd.exe	ipconfig.exe
PID 1600 wrote to memory of 4632	1600	cmd.exe	ipconfig.exe
PID 4028 wrote to memory of 2012	4028	svzhost.exe	cmd.exe
PID 4028 wrote to memory of 2012	4028	svzhost.exe	cmd.exe
PID 4028 wrote to memory of 2012	4028	svzhost.exe	cmd.exe
PID 2012 wrote to memory of 2840	2012	cmd.exe	ipconfig.exe
PID 2012 wrote to memory of 2840	2012	cmd.exe	ipconfig.exe
PID 2012 wrote to memory of 2840	2012	cmd.exe	ipconfig.exe
PID 4028 wrote to memory of 4644	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 4644	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 4644	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 4644	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 4644	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 2728	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 2728	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 2728	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 2728	4028	svzhost.exe	svzhost.exe
PID 4028 wrote to memory of 2728	4028	svzhost.exe	svzhost.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe
PID 4644 wrote to memory of 2212	4644	svzhost.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
"C:\Users\Admin\AppData\Local\Temp\815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1388

C:\Users\Admin\AppData\Roaming\svzhost.exe
C:\Users\Admin\AppData\Roaming\svzhost.exe
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
3⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
4⤵
- Gathers network information
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
4⤵
- Gathers network information
PID:2840

C:\Users\Admin\AppData\Roaming\svzhost.exe
"C:\Users\Admin\AppData\Roaming\svzhost.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious use of WriteProcessMemory
PID:4644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2212

C:\Users\Admin\AppData\Roaming\svzhost.exe
"C:\Users\Admin\AppData\Roaming\svzhost.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
6⤵
PID:4412

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
7⤵
- Gathers network information
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
6⤵
PID:4472

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
7⤵
- Gathers network information
PID:2660

C:\Users\Admin\AppData\Roaming\svzhost.exe
C:\Users\Admin\AppData\Roaming\svzhost.exe
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
7⤵
PID:4332

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
8⤵
- Gathers network information
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C ipconfig /flushdns
7⤵
PID:2380

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
8⤵
- Gathers network information
PID:2540

C:\Users\Admin\AppData\Roaming\svzhost.exe
"C:\Users\Admin\AppData\Roaming\svzhost.exe"
7⤵
- Executes dropped EXE
PID:3820

C:\Users\Admin\AppData\Roaming\svzhost.exe
"C:\Users\Admin\AppData\Roaming\svzhost.exe"
7⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\AppData\Roaming\svzhost.exe
"C:\Users\Admin\AppData\Roaming\svzhost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
222KB

MD5
550521ce5ba350ce99d58374af03c63d

SHA1
6e7d81228d5d4cf44b75155300ddf2240062da15

SHA256
6798037a33eccaffe4e8515388019ee992345238b84c78b37eda0f770d31feba

SHA512
86a63c10b9673e34774bac960bd15d70e756e8fd42f98ac4b1178b151004bb96f3e222f342c3e5f316ee35357dec6f5a57d228185283235babaad480726cd0bd

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Users\Admin\AppData\Roaming\svzhost.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
e721109b3db532ac173f098e52448335

SHA1
6006f8cdc53928e8152aff0d77b4c47d43810958

SHA256
4f841fcbfa30c6c485b0d1da02d6d62d458445fd7938a26fd6c44d7ce4b84acd

SHA512
0351def962cb1dd32a27ab2f424eef38a69404284b2268df4388a524e89667e0dce5faf44a01be6a9c338efa7d756d5e9869c4f95446aaedad0486297169235a

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
9b71207872dbbfb3984cb57044abe52d

SHA1
b512b2c02879f5d5941e17792610129f1b7472fe

SHA256
27798836cb4f45f83d5f4d6d803ba85fdd37ff09df034a11145089ea5ed6ad6e

SHA512
0df692714a1ed3956f7fcc62cd9aae0fb61aab0d4950bbe03b651395bc0bbf857378979372f389c7de79e6cbcc9fe8a446f986ffdc6161762580b0b43221c370

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
35f35232e5365da656c3e4051c964d0b

SHA1
73a61eb6e2ca6aeb01550a3bb868beda5d820776

SHA256
639a36fc59d497460f47e40f161c60d8cf2f710b5ce7b1cbb1ecc5d3983d961a

SHA512
5a64ecb61730a5801d8025b74244a02bc9efada624c9e8207159d95420add407b56d662fcaf474c39cf6b6f9c71671acc4a50260f99c36fb9fa5079080b231e2

Download Submit
C:\directory\CyberGate\install\server.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
C:\directory\CyberGate\install\server.exe
Filesize
1.0MB

MD5
501beaec545972571ca743ff468cae5b

SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c

SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6

SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a

Download Submit
memory/116-183-0x0000000000000000-mapping.dmp

Download
memory/228-133-0x0000000000000000-mapping.dmp

Download
memory/1144-193-0x0000000000000000-mapping.dmp

Download
memory/1212-178-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1212-168-0x0000000000000000-mapping.dmp

Download
memory/1212-175-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1212-171-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1212-191-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1388-136-0x0000000000000000-mapping.dmp

Download
memory/1600-141-0x0000000000000000-mapping.dmp

Download
memory/2012-144-0x0000000000000000-mapping.dmp

Download
memory/2240-188-0x0000000000000000-mapping.dmp

Download
memory/2380-195-0x0000000000000000-mapping.dmp

Download
memory/2540-196-0x0000000000000000-mapping.dmp

Download
memory/2660-186-0x0000000000000000-mapping.dmp

Download
memory/2728-156-0x0000000000000000-mapping.dmp

Download
memory/2728-161-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2728-160-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2728-170-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2728-157-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2728-162-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2840-145-0x0000000000000000-mapping.dmp

Download
memory/3124-204-0x0000000000000000-mapping.dmp

Download
memory/3124-210-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3212-134-0x0000000000000000-mapping.dmp

Download
memory/3820-203-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/3820-202-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/3820-201-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/3820-197-0x0000000000000000-mapping.dmp

Download
memory/4028-153-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4028-137-0x0000000000000000-mapping.dmp

Download
memory/4028-140-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4332-192-0x0000000000000000-mapping.dmp

Download
memory/4400-155-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4400-152-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4400-132-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4412-182-0x0000000000000000-mapping.dmp

Download
memory/4472-185-0x0000000000000000-mapping.dmp

Download
memory/4528-180-0x0000000000000000-mapping.dmp

Download
memory/4528-190-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4528-187-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4632-142-0x0000000000000000-mapping.dmp

Download
memory/4644-146-0x0000000000000000-mapping.dmp

Download
memory/4644-151-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/4644-150-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/4644-147-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/4644-149-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/4644-154-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/4644-176-0x00000000000D0000-0x000000000011E000-memory.dmp

Filesize
312KB

Download
memory/4644-172-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4644-164-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/4984-135-0x0000000000000000-mapping.dmp

Download