cybergate | 7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3

General

Target

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Size

416KB
MD5

f816ce69fabd9f32071ee479c62a79fd
SHA1

a5b7ed4e94d4d992b5290e87ecd2475fa131c2db
SHA256

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3
SHA512

7dabdb3d61aacc5f97618a7c8d6f89fa521df83dec208865e92ac98f2bdb4e6a5c246155afeb8d9e2842ee3cad4a8cacfb0812ccf143ae62f1d288d521ef59f8
SSDEEP

6144:bM+7Wz9K4LDKx5NVPWe1hYuyG2SZQXLvtfpoEbqd37B1Cu9tJEjpp2Z6f:bM+7C9vLDKPDPZSvtfpoNLvJfab

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

127.0.0.1:1604

85.61.238.13:1604

192.168.1.135:1604

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

Executes dropped EXE 4 IoCs

Processes:

server.exeserver.exeserver.exeserver.exe

pid process

4228 server.exe
4376 server.exe
3964 server.exe
5040 server.exe

pid	process
4228	server.exe
4376	server.exe
3964	server.exe
5040	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/596-135-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/596-137-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/596-138-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/596-139-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/596-141-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/596-146-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3428-149-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3428-153-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/596-154-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/596-159-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/332-162-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/596-163-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/332-164-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/332-165-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/5040-182-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/5040-184-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3964-186-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/5040-187-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

Drops file in System32 directory 6 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exeserver.exeserver.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\server.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
File opened for modification	C:\Windows\SysWOW64\install\	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exeserver.exeserver.exe

description	pid	process	target process
PID 2096 set thread context of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 4376 set thread context of 3964	4376	server.exe	server.exe
PID 4228 set thread context of 5040	4228	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1584 5040 WerFault.exe server.exe
1392 3964 WerFault.exe server.exe

pid	pid_target	process	target process
1584	5040	WerFault.exe	server.exe
1392	3964	WerFault.exe	server.exe

Modifies registry class 2 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

pid	process
596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

pid process

332 7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

pid	process
332	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

description	pid	process
Token: SeDebugPrivilege	332	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Token: SeDebugPrivilege	332	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

pid process

596 7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exeserver.exeserver.exe

pid process

2096 7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
4376 server.exe
4228 server.exe

pid	process
2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
4376	server.exe
4228	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe

description	pid	process	target process
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 2096 wrote to memory of 596	2096	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE
PID 596 wrote to memory of 2032	596	7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
"C:\Users\Admin\AppData\Local\Temp\7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
"C:\Users\Admin\AppData\Local\Temp\7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:3428

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\SysWOW64\install\server.exe"
6⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 564
7⤵
- Program crash
PID:1584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe
"C:\Users\Admin\AppData\Local\Temp\7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3.exe"
4⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\SysWOW64\install\server.exe"
6⤵
- Executes dropped EXE
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 564
7⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3964 -ip 3964
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5040 -ip 5040
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
ece2a2bd07c96eadfb220a40b74a1e63

SHA1
2b058cacc00135bb18294e281be851d3af07527f

SHA256
f66437cb5baebfd78f9b6f57c444b93b8fb70629bc8e0d3492a7544cef4fb788

SHA512
a5fed460b266125f68cd9b4d06a44c4c3adaa9799f0123e6aebc042202973d96eae6fe0dedd67cd679fe140e71f580a761d5cc2e13daf1633eb12e52bf893323

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
416KB

MD5
f816ce69fabd9f32071ee479c62a79fd

SHA1
a5b7ed4e94d4d992b5290e87ecd2475fa131c2db

SHA256
7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3

SHA512
7dabdb3d61aacc5f97618a7c8d6f89fa521df83dec208865e92ac98f2bdb4e6a5c246155afeb8d9e2842ee3cad4a8cacfb0812ccf143ae62f1d288d521ef59f8

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
416KB

MD5
f816ce69fabd9f32071ee479c62a79fd

SHA1
a5b7ed4e94d4d992b5290e87ecd2475fa131c2db

SHA256
7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3

SHA512
7dabdb3d61aacc5f97618a7c8d6f89fa521df83dec208865e92ac98f2bdb4e6a5c246155afeb8d9e2842ee3cad4a8cacfb0812ccf143ae62f1d288d521ef59f8

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
416KB

MD5
f816ce69fabd9f32071ee479c62a79fd

SHA1
a5b7ed4e94d4d992b5290e87ecd2475fa131c2db

SHA256
7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3

SHA512
7dabdb3d61aacc5f97618a7c8d6f89fa521df83dec208865e92ac98f2bdb4e6a5c246155afeb8d9e2842ee3cad4a8cacfb0812ccf143ae62f1d288d521ef59f8

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
416KB

MD5
f816ce69fabd9f32071ee479c62a79fd

SHA1
a5b7ed4e94d4d992b5290e87ecd2475fa131c2db

SHA256
7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3

SHA512
7dabdb3d61aacc5f97618a7c8d6f89fa521df83dec208865e92ac98f2bdb4e6a5c246155afeb8d9e2842ee3cad4a8cacfb0812ccf143ae62f1d288d521ef59f8

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
416KB

MD5
f816ce69fabd9f32071ee479c62a79fd

SHA1
a5b7ed4e94d4d992b5290e87ecd2475fa131c2db

SHA256
7356504c4be1963a08cd55273b7e0f2f356389c962fb9e44fab7f897c105cee3

SHA512
7dabdb3d61aacc5f97618a7c8d6f89fa521df83dec208865e92ac98f2bdb4e6a5c246155afeb8d9e2842ee3cad4a8cacfb0812ccf143ae62f1d288d521ef59f8

Download Submit
memory/332-165-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/332-164-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/332-162-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/332-158-0x0000000000000000-mapping.dmp

Download
memory/596-159-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/596-135-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/596-137-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/596-154-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/596-134-0x0000000000000000-mapping.dmp

Download
memory/596-146-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/596-163-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/596-138-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/596-141-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/596-139-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3428-145-0x0000000000000000-mapping.dmp

Download
memory/3428-149-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3428-153-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3964-174-0x0000000000000000-mapping.dmp

Download
memory/3964-186-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4228-166-0x0000000000000000-mapping.dmp

Download
memory/4376-168-0x0000000000000000-mapping.dmp

Download
memory/5040-175-0x0000000000000000-mapping.dmp

Download
memory/5040-182-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5040-184-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5040-187-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads