cybergate | ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6

Analysis

max time kernel
168s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
Size

426KB
MD5

438667f73e7f085f52180a45edaaf3ba
SHA1

94b2c6f21f7623f78f05ca66d75a9219622c1e49
SHA256

ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6
SHA512

bcd7efba57ac29fd006316dfcf446e656bb898727f004c975fbd3e89e8cfd50681a42d3dddebf85fd69beeb5e326b1d96ac4e3dd5bd54ca24bd60c6d7ef02522
SSDEEP

6144:R/0uoEpLqaaYOfRB1I1EgXjR5P65E4ih6vWRdb0ILthhKAyeev7ydDINvLNCtKGR:RJlQfoz9kEPgO3/evOCNAJ55O7lcfkj+

Score

10^/10

cybergate sality vítima backdoor evasion persistence stealer trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

127.0.0.1:81

chabchoub.no-ip.info:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

server.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	server.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	server.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	server.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

server.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" server.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	server.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	server.exe

Executes dropped EXE 3 IoCs

Processes:

server.exeserver.exeserver.exe

pid process

4180 server.exe
4696 server.exe
956 server.exe

pid	process
4180	server.exe
4696	server.exe
956	server.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S7J54P5A-N7HR-W041-R4Y1-720VMVOBTP21}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S7J54P5A-N7HR-W041-R4Y1-720VMVOBTP21}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	server.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe	upx
behavioral2/memory/4180-135-0x0000000002370000-0x000000000342A000-memory.dmp	upx
behavioral2/memory/4180-136-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4180-137-0x0000000002370000-0x000000000342A000-memory.dmp	upx
behavioral2/memory/4180-139-0x0000000024010000-0x0000000024072000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe	upx
behavioral2/memory/4180-145-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4696-148-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4180-149-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4180-150-0x0000000002370000-0x000000000342A000-memory.dmp	upx
behavioral2/memory/4696-152-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4696-153-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
C:\Windows\SysWOW64\install\server.exe	upx
C:\Windows\SysWOW64\install\server.exe	upx
behavioral2/memory/956-158-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/956-157-0x0000000002350000-0x000000000340A000-memory.dmp	upx
behavioral2/memory/4696-159-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

server.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation server.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	server.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	server.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

server.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" server.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server.exe

Drops file in System32 directory 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe

Drops file in Windows directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\e56cac7 server.exe
File opened for modification C:\Windows\SYSTEM.INI server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

server.exe

pid process

4180 server.exe
4180 server.exe
4180 server.exe
4180 server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

4696 server.exe

description	ioc	process
File created	C:\Windows\e56cac7	server.exe
File opened for modification	C:\Windows\SYSTEM.INI	server.exe

pid	process
4180	server.exe
4180	server.exe
4180	server.exe
4180	server.exe

pid	process
4696	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe
Token: SeDebugPrivilege	4180	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exeserver.exe

description	pid	process	target process
PID 4776 wrote to memory of 4180	4776	ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe	server.exe
PID 4776 wrote to memory of 4180	4776	ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe	server.exe
PID 4776 wrote to memory of 4180	4776	ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe	server.exe
PID 4180 wrote to memory of 780	4180	server.exe	fontdrvhost.exe
PID 4180 wrote to memory of 788	4180	server.exe	fontdrvhost.exe
PID 4180 wrote to memory of 1020	4180	server.exe	dwm.exe
PID 4180 wrote to memory of 2340	4180	server.exe	sihost.exe
PID 4180 wrote to memory of 2368	4180	server.exe	svchost.exe
PID 4180 wrote to memory of 2464	4180	server.exe	taskhostw.exe
PID 4180 wrote to memory of 2456	4180	server.exe	Explorer.EXE
PID 4180 wrote to memory of 2736	4180	server.exe	svchost.exe
PID 4180 wrote to memory of 3260	4180	server.exe	DllHost.exe
PID 4180 wrote to memory of 3368	4180	server.exe	StartMenuExperienceHost.exe
PID 4180 wrote to memory of 3432	4180	server.exe	RuntimeBroker.exe
PID 4180 wrote to memory of 3520	4180	server.exe	SearchApp.exe
PID 4180 wrote to memory of 3708	4180	server.exe	RuntimeBroker.exe
PID 4180 wrote to memory of 4612	4180	server.exe	RuntimeBroker.exe
PID 4180 wrote to memory of 4776	4180	server.exe	ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
PID 4180 wrote to memory of 4776	4180	server.exe	ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe
PID 4180 wrote to memory of 4788	4180	server.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

server.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" server.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2736

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe
"C:\Users\Admin\AppData\Local\Temp\ce35e95486dde2d4a87963f40aa887c3885ce5ec73d8f9ea73e6aef7fa3a15c6.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
PID:4696

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
348KB

MD5
d0cecee8329227e6ffd2a687c7d8c477

SHA1
5dda19f636506a724a88e9bf02def9ddb3c49d21

SHA256
48c9db522fe6ed967f3e714568d5337b9ceaa42c1714ffb772310f353ac4f6e2

SHA512
24919b0542e1454824f3012d21adadbbcfbd8997e7db6ed97d97820fb1d5c42463d6a7bb33553ac2c44836a380ff2d2fa2fe582bd30e312fa540fa0a7fd57167

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
348KB

MD5
d0cecee8329227e6ffd2a687c7d8c477

SHA1
5dda19f636506a724a88e9bf02def9ddb3c49d21

SHA256
48c9db522fe6ed967f3e714568d5337b9ceaa42c1714ffb772310f353ac4f6e2

SHA512
24919b0542e1454824f3012d21adadbbcfbd8997e7db6ed97d97820fb1d5c42463d6a7bb33553ac2c44836a380ff2d2fa2fe582bd30e312fa540fa0a7fd57167

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
Filesize
348KB

MD5
d0cecee8329227e6ffd2a687c7d8c477

SHA1
5dda19f636506a724a88e9bf02def9ddb3c49d21

SHA256
48c9db522fe6ed967f3e714568d5337b9ceaa42c1714ffb772310f353ac4f6e2

SHA512
24919b0542e1454824f3012d21adadbbcfbd8997e7db6ed97d97820fb1d5c42463d6a7bb33553ac2c44836a380ff2d2fa2fe582bd30e312fa540fa0a7fd57167

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
dd727b5df4fce4a9c469beea11596f0c

SHA1
e99bf001feb053cd76134bd7269aab79c6e86de8

SHA256
5f43500216544a82508409aa50af5e6ac00e31fb59277c5b7b1706dd37c0179e

SHA512
18e10d8a86135db3f556cb39461be65e8ade876098ae754532ed273ba6c011939fb9d8fef1b618db1ec4e390be9386f84a6b5c6deed60dc6fb138bb5e2ac657a

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
348KB

MD5
d0cecee8329227e6ffd2a687c7d8c477

SHA1
5dda19f636506a724a88e9bf02def9ddb3c49d21

SHA256
48c9db522fe6ed967f3e714568d5337b9ceaa42c1714ffb772310f353ac4f6e2

SHA512
24919b0542e1454824f3012d21adadbbcfbd8997e7db6ed97d97820fb1d5c42463d6a7bb33553ac2c44836a380ff2d2fa2fe582bd30e312fa540fa0a7fd57167

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
348KB

MD5
d0cecee8329227e6ffd2a687c7d8c477

SHA1
5dda19f636506a724a88e9bf02def9ddb3c49d21

SHA256
48c9db522fe6ed967f3e714568d5337b9ceaa42c1714ffb772310f353ac4f6e2

SHA512
24919b0542e1454824f3012d21adadbbcfbd8997e7db6ed97d97820fb1d5c42463d6a7bb33553ac2c44836a380ff2d2fa2fe582bd30e312fa540fa0a7fd57167

Download Submit
memory/956-155-0x0000000000000000-mapping.dmp

Download
memory/956-158-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/956-157-0x0000000002350000-0x000000000340A000-memory.dmp

Filesize
16.7MB

Download
memory/4180-136-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4180-132-0x0000000000000000-mapping.dmp

Download
memory/4180-149-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4180-150-0x0000000002370000-0x000000000342A000-memory.dmp

Filesize
16.7MB

Download
memory/4180-145-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4180-139-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4180-137-0x0000000002370000-0x000000000342A000-memory.dmp

Filesize
16.7MB

Download
memory/4180-135-0x0000000002370000-0x000000000342A000-memory.dmp

Filesize
16.7MB

Download
memory/4696-148-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4696-153-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4696-152-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4696-143-0x0000000000000000-mapping.dmp

Download
memory/4696-159-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download