cybergate | 51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a

General

Target

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
Size

284KB
MD5

52a321a5ab3044adee12c50fe5a4f387
SHA1

d807d973f25d196884df0214e749ed351bf1e739
SHA256

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a
SHA512

2a25cc34789e98959f01dcb93179425899a838be0d6aed97871f13689155920c23b520ed7b7bef7e3ba251b44af63295de73e4b19ba9c45b36fd27d3db005228
SSDEEP

6144:Uk4qm+PsJQmROT+ICF844FoKrey4aBKkC3ZP8E0bZ6I:395kxOS1CoKeXtcbZJ

Score

10^/10

cybergate çîýçá äæ çí èí persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÇÎÝÇÁ äæ Çí Èí

C2

127.0.0.1:1990

seen7zeen.no-ip.biz:1990

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
Win_Xp.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Please try again later.
message_box_title
Error
password
asaad36810

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win_Xp.exe"	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Win_Xp.exe"	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

Executes dropped EXE 1 IoCs

Processes:

Win_Xp.exe

pid process

1676 Win_Xp.exe

pid	process
1676	Win_Xp.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "C:\\Win_Xp.exe Restart"	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}\StubPath = "C:\\Win_Xp.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{218A3Q1V-M05N-O32L-4AM8-MA0JEIMDL4ML}	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1372-55-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1372-57-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1372-66-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1064-71-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
C:\Win_Xp.exe	upx
behavioral1/memory/1064-74-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1372-76-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1372-82-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1372-87-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1708-88-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1708-135-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1064-136-0x00000000318F0000-0x00000000318FD000-memory.dmp	upx
behavioral1/memory/1708-137-0x0000000000400000-0x0000000000459000-memory.dmp	upx
C:\Win_Xp.exe	upx
behavioral1/memory/1676-147-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1676-148-0x0000000031920000-0x000000003192D000-memory.dmp	upx
behavioral1/memory/1676-149-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1676-150-0x0000000031920000-0x000000003192D000-memory.dmp	upx
behavioral1/memory/1708-153-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1064-154-0x00000000318F0000-0x00000000318FD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

pid	process
1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

pid process

1708 51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

pid	process
1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

description	pid	process
Token: SeDebugPrivilege	1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
Token: SeDebugPrivilege	1708	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

pid process

1372 51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe

description	pid	process	target process
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE
PID 1372 wrote to memory of 1280	1372	51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe	Explorer.EXE

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1156

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
3⤵
PID:1360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
3⤵
PID:604

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1244

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:2012

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1952

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
"C:\Users\Admin\AppData\Local\Temp\51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Modifies Installed Components in the registry
PID:1064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe
"C:\Users\Admin\AppData\Local\Temp\51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Win_Xp.exe
"C:\Win_Xp.exe"
4⤵
- Executes dropped EXE
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
240KB

MD5
bf2028bf5daae34a70d0ba080b26994a

SHA1
f8144cf792413d4bb680a79814375c4419267182

SHA256
59d689f6e6d43a6f5ebc8174ecaeaece57727ecb65814a65cf5caad2571011f3

SHA512
f78556500371380cc86dd9e00aa5ddfcba16d8612475503a7815984683ae9950696c9abb71f24325c40446c8444ab04edfabb616f83866b21753122b0bab7d45

Download Submit
C:\Win_Xp.exe
Filesize
284KB

MD5
52a321a5ab3044adee12c50fe5a4f387

SHA1
d807d973f25d196884df0214e749ed351bf1e739

SHA256
51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a

SHA512
2a25cc34789e98959f01dcb93179425899a838be0d6aed97871f13689155920c23b520ed7b7bef7e3ba251b44af63295de73e4b19ba9c45b36fd27d3db005228

Download Submit
C:\Win_Xp.exe
Filesize
284KB

MD5
52a321a5ab3044adee12c50fe5a4f387

SHA1
d807d973f25d196884df0214e749ed351bf1e739

SHA256
51b27f25e2a7debd0da9a0660d8f33c27b4ac3b96533ef7fbcea8f6d3b99060a

SHA512
2a25cc34789e98959f01dcb93179425899a838be0d6aed97871f13689155920c23b520ed7b7bef7e3ba251b44af63295de73e4b19ba9c45b36fd27d3db005228

Download Submit
memory/260-89-0x0000000031770000-0x000000003177D000-memory.dmp

Filesize
52KB

Download
memory/1064-71-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1064-136-0x00000000318F0000-0x00000000318FD000-memory.dmp

Filesize
52KB

Download
memory/1064-65-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1064-154-0x00000000318F0000-0x00000000318FD000-memory.dmp

Filesize
52KB

Download
memory/1064-63-0x0000000000000000-mapping.dmp

Download
memory/1064-74-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1280-60-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1372-76-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1372-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1372-82-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1372-87-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1372-66-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1372-57-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1372-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1676-147-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1676-138-0x0000000000000000-mapping.dmp

Download
memory/1676-148-0x0000000031920000-0x000000003192D000-memory.dmp

Filesize
52KB

Download
memory/1676-149-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1676-150-0x0000000031920000-0x000000003192D000-memory.dmp

Filesize
52KB

Download
memory/1708-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1708-135-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1708-146-0x00000000059E0000-0x0000000005A39000-memory.dmp

Filesize
356KB

Download
memory/1708-88-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1708-153-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1708-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads