cybergate | 1f9621917578d1d5ec63c5b27bafd2fdf42f9af653d01419831be96436aa789e

Analysis

max time kernel
152s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trz8522.exe
Size

308KB
MD5

d255a9cc1c1fa4a08e322543673bcb7e
SHA1

b3ea990c7f730eb61ff4ed87748b150e34dbc76c
SHA256

2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926
SHA512

a84b58693e1d5fe4e9d734b058c965a0bd1b0e64894c7dc301929eff31001fd39d31e0ee8d39e31122cf4e6b45def9ea38c5a1535c691fc6a53ceec86fcf1bd7
SSDEEP

6144:ikIZp16d70R3eArX76KRoGOAGw1nYCAtIRJNTu+SnumvMS1leV6EITBsllw:ikLdgR3e2GKKGOsUI0+VS10VCal

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victima

mayi100.zapto.org:82

Mutex

3RPDD4J3LU7HW3

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
SyStem32
install_file
winzip.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
error framework '.net framework 4.0 client profile' not installed
message_box_title
Autoclick faller
password
smail
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

trz8522.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	trz8522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	trz8522.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	trz8522.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	trz8522.exe

Executes dropped EXE 4 IoCs

Processes:

trz8522.exetrz8522.exewinzip.exewinzip.exe

pid process

1756 trz8522.exe
1496 trz8522.exe
628 winzip.exe
1776 winzip.exe

pid	process
1756	trz8522.exe
1496	trz8522.exe
628	winzip.exe
1776	winzip.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

trz8522.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}	trz8522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}\StubPath = "C:\\Windows\\system32\\SyStem32\\winzip.exe Restart"	trz8522.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{VWHOH1DS-MS38-148A-2UG7-O43L566477F1}\StubPath = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	explorer.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral27/memory/1756-65-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral27/memory/1756-67-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral27/memory/1756-68-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral27/memory/1756-73-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral27/memory/1756-75-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral27/memory/1756-76-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral27/memory/1756-79-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral27/memory/1756-88-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral27/memory/1684-93-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral27/memory/1684-96-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral27/memory/1756-98-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral27/memory/1756-105-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral27/memory/1496-110-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral27/memory/1756-115-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral27/memory/1496-116-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral27/memory/1496-121-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

trz8522.exetrz8522.exetrz8522.exe

pid process

896 trz8522.exe
896 trz8522.exe
1756 trz8522.exe
1756 trz8522.exe
1496 trz8522.exe
1496 trz8522.exe

pid	process
896	trz8522.exe
896	trz8522.exe
1756	trz8522.exe
1756	trz8522.exe
1496	trz8522.exe
1496	trz8522.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

trz8522.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	trz8522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	trz8522.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	trz8522.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\SyStem32\\winzip.exe"	trz8522.exe

Drops file in System32 directory 4 IoCs

Processes:

trz8522.exetrz8522.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\SyStem32\winzip.exe	trz8522.exe
File opened for modification	C:\Windows\SysWOW64\SyStem32\winzip.exe	trz8522.exe
File opened for modification	C:\Windows\SysWOW64\SyStem32\	trz8522.exe
File created	C:\Windows\SysWOW64\SyStem32\winzip.exe	trz8522.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

trz8522.exe

description pid process target process

PID 896 set thread context of 1756 896 trz8522.exe trz8522.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 896 set thread context of 1756	896	trz8522.exe	trz8522.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

trz8522.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	trz8522.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	trz8522.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	trz8522.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	trz8522.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

trz8522.exe

pid process

1756 trz8522.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

trz8522.exe

pid process

1496 trz8522.exe

pid	process
1756	trz8522.exe

pid	process
1496	trz8522.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

trz8522.exeexplorer.exetrz8522.exe

description	pid	process
Token: SeDebugPrivilege	896	trz8522.exe
Token: SeBackupPrivilege	1684	explorer.exe
Token: SeRestorePrivilege	1684	explorer.exe
Token: SeBackupPrivilege	1496	trz8522.exe
Token: SeRestorePrivilege	1496	trz8522.exe
Token: SeDebugPrivilege	1496	trz8522.exe
Token: SeDebugPrivilege	1496	trz8522.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

trz8522.exe

pid process

1756 trz8522.exe

pid	process
1756	trz8522.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

trz8522.execsc.exetrz8522.exe

description	pid	process	target process
PID 896 wrote to memory of 808	896	trz8522.exe	csc.exe
PID 896 wrote to memory of 808	896	trz8522.exe	csc.exe
PID 896 wrote to memory of 808	896	trz8522.exe	csc.exe
PID 896 wrote to memory of 808	896	trz8522.exe	csc.exe
PID 808 wrote to memory of 960	808	csc.exe	cvtres.exe
PID 808 wrote to memory of 960	808	csc.exe	cvtres.exe
PID 808 wrote to memory of 960	808	csc.exe	cvtres.exe
PID 808 wrote to memory of 960	808	csc.exe	cvtres.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 896 wrote to memory of 1756	896	trz8522.exe	trz8522.exe
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE
PID 1756 wrote to memory of 1360	1756	trz8522.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\trz8522.exe
"C:\Users\Admin\AppData\Local\Temp\trz8522.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\baxgejij.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE6.tmp"
4⤵
PID:960

C:\Users\Admin\AppData\Roaming\trz8522.exe
C:\Users\Admin\AppData\Roaming\trz8522.exe
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1068

C:\Users\Admin\AppData\Roaming\trz8522.exe
"C:\Users\Admin\AppData\Roaming\trz8522.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\SyStem32\winzip.exe
"C:\Windows\system32\SyStem32\winzip.exe"
5⤵
- Executes dropped EXE
PID:1776

C:\Windows\SysWOW64\SyStem32\winzip.exe
"C:\Windows\system32\SyStem32\winzip.exe"
4⤵
- Executes dropped EXE
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
184c796c75541e5e09284caea4effe12

SHA1
0e02b369f7c97e47aac9c9a578a0a02c7d443476

SHA256
f3add95a01f2064cbae807c62fd4f7cb28f9397820cd4d9e2f83e8e7d243a2d8

SHA512
f8cc68748e49414464d70743d4ee794b53e1a7cdf62af74131a7866fbebe2c9a1f729e58ae13b5283726a236f148b908f7c408a3e93299a0c2d8469479306e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE7.tmp
Filesize
1KB

MD5
90143cf3394f9e51a2dda1afb0325cc1

SHA1
630fd3d74289bf6a5219fbea524fbffd21be66bc

SHA256
74327c24d5ae2e021da1d141d95d2dc48c5191157cc81c23e7412cc188654a34

SHA512
888b7b33c37ca710805770ea0a9629e5ac99d390bb51693a00117c541d100d7b02e0fb0de901ab8f523e5f3df1c7b1dd306eb67571015ddc94a1db54ade8db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\baxgejij.dll
Filesize
5KB

MD5
c214340d8d68bd70853f605e84ea5bbd

SHA1
9fdebe3ffca5bd5745eb3f55a7ac4742590e428f

SHA256
8e81eb79c702d778622a4d56840aed6f184178513f9fc4ddc1a90dcf18687dd7

SHA512
ef75fb4d771fd69145e6b3de6a60cbb5461b670ff4f9f311dc743b9111bf07eb7f1fbec66c82812d4afc962d81049d9a15ff411aa4e7cf1d15a5c6d48783d930

Download Submit
C:\Users\Admin\AppData\Roaming\trz8522.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\trz8522.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\trz8522.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDE6.tmp
Filesize
652B

MD5
7d23d96a1cf56a6f442b0591216ad05d

SHA1
a895d25d9cae63e903e0cb5d5a3295d55ab4adb2

SHA256
8d583a402ae2c7c07654ecd24badf27576e7ecc11eb29fb79de70461ea5e3128

SHA512
548dff1df4b856217620a4a2086f7c07ba641096afef5c78d5a06f1ba7dbecbe7f45e7e1232d48d71cb367676098395988293d4c4586335b61eb15d38b727c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\baxgejij.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\baxgejij.cmdline
Filesize
206B

MD5
465a980b63d18538baedd15ec4832905

SHA1
31f8dabd33e72e3eaa57e488a5bbde56dcce543b

SHA256
b540ee2a287e1761952d485984cda0f94a1e6981975b0086b8b8af30c2ecf618

SHA512
4be766cc44e2ae96c9e40ac343aedbaf0254b16826430fcc2d80db5da7e77614efe36541cbfad11319a4fec663d21052de32e89f6e08a6198848871887ac1f25

Download Submit
\Users\Admin\AppData\Roaming\trz8522.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Users\Admin\AppData\Roaming\trz8522.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\SyStem32\winzip.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
memory/628-113-0x0000000000000000-mapping.dmp

Download
memory/808-55-0x0000000000000000-mapping.dmp

Download
memory/896-74-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/960-58-0x0000000000000000-mapping.dmp

Download
memory/1360-82-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1496-116-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1496-121-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1496-110-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1496-102-0x0000000000000000-mapping.dmp

Download
memory/1684-85-0x0000000000000000-mapping.dmp

Download
memory/1684-87-0x0000000074F71000-0x0000000074F73000-memory.dmp

Filesize
8KB

Download
memory/1684-93-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1684-96-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1756-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1756-115-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1756-98-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1756-88-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1756-79-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1756-76-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1756-75-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1756-105-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1756-73-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1756-69-0x0000000000455140-mapping.dmp

Download
memory/1756-64-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1756-68-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1756-67-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1776-119-0x0000000000000000-mapping.dmp

Download