cybergate | 38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

General

Target

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe
Size

328KB
MD5

de3c1b8ca015d37518796e5df25900b0
SHA1

33f77379ce18355332806ba63137201c38794e3e
SHA256

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8
SHA512

c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a
SSDEEP

6144:5kh54k8aN4wAtZ6FMT5sbpKTtetxHEJzvjnJecyqlGXtWrqO5L1t:m5BlNbigM+bpWE3HWLJfynWpBD

Score

10^/10

cybergate coder persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Coder

C2

assistitvonline24.ddns.net:1338

Mutex

5408e94e23211dd

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Steaml
install_file
juschedlll..exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Upgrade your windows
message_box_title
Upgrade system
password
123
regkey_hkcu
HRV
regkey_hklm
HCR

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Polices = "C:\\Windows\\system32\\Steaml\\juschedlll..exe"	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Polices = "C:\\Windows\\system32\\Steaml\\juschedlll..exe"	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE

Executes dropped EXE 2 IoCs

Processes:

juschedlll..exejuschedlll..EXE

pid process

1528 juschedlll..exe
1228 juschedlll..EXE

pid	process
1528	juschedlll..exe
1228	juschedlll..EXE

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXEexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LCUN87G-Y58C-P0B5-U7Y1-A703T21D5883}	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LCUN87G-Y58C-P0B5-U7Y1-A703T21D5883}\StubPath = "C:\\Windows\\system32\\Steaml\\juschedlll..exe Restart"	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LCUN87G-Y58C-P0B5-U7Y1-A703T21D5883}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7LCUN87G-Y58C-P0B5-U7Y1-A703T21D5883}\StubPath = "C:\\Windows\\system32\\Steaml\\juschedlll..exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1348-72-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1348-82-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/580-87-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/580-90-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1348-95-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1124-101-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1124-102-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1124-103-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

explorer.exe

pid process

1124 explorer.exe
1124 explorer.exe

pid	process
1124	explorer.exe
1124	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HCR = "C:\\Windows\\system32\\Steaml\\juschedlll..exe"	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRV = "C:\\Windows\\system32\\Steaml\\juschedlll..exe"	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 5 IoCs

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXEexplorer.exejuschedlll..exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Steaml\juschedlll..exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
File opened for modification	C:\Windows\SysWOW64\Steaml\juschedlll..exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Steaml\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Steaml\juschedlll..EXE	juschedlll..exe
File created	C:\Windows\SysWOW64\Steaml\juschedlll..exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exejuschedlll..exe

description	pid	process	target process
PID 1232 set thread context of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1528 set thread context of 1228	1528	juschedlll..exe	juschedlll..EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1124 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1124 explorer.exe
Token: SeDebugPrivilege 1124 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXEexplorer.exe

pid process

1348 38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
1124 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

1124 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exejuschedlll..exe

pid process

1232 38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe
1528 juschedlll..exe

pid	process
1124	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1124	explorer.exe
Token: SeDebugPrivilege	1124	explorer.exe

pid	process
1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
1124	explorer.exe

pid	process
1124	explorer.exe

pid	process
1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe
1528	juschedlll..exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE

description	pid	process	target process
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1232 wrote to memory of 1348	1232	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE
PID 1348 wrote to memory of 1336	1348	38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe
"C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
"C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Modifies Installed Components in the registry
PID:580

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1124

C:\Windows\SysWOW64\Steaml\juschedlll..exe
"C:\Windows\system32\Steaml\juschedlll..exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\Steaml\juschedlll..EXE
"C:\Windows\SysWOW64\Steaml\juschedlll..EXE"
5⤵
- Executes dropped EXE
PID:1228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
2349dee9318e1f911fcf329e455f33d0

SHA1
288dd6b27d19b45fba9dcc41284986aed55405f6

SHA256
835b291d3d62b0c9f3861010c3cad166ac4d2544620e159afa3e6bb2b2a39c77

SHA512
1a56e7cfbf87336035e983798ae649be04a7c02e08e7e7bd7e7a2819c311304511b579315d1033fb180d296915da6b575fee5c08a484b9e2d163344667603fff

Download Submit
C:\Windows\SysWOW64\Steaml\juschedlll..exe
Filesize
328KB

MD5
de3c1b8ca015d37518796e5df25900b0

SHA1
33f77379ce18355332806ba63137201c38794e3e

SHA256
38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

SHA512
c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

Download Submit
C:\Windows\SysWOW64\Steaml\juschedlll..exe
Filesize
328KB

MD5
de3c1b8ca015d37518796e5df25900b0

SHA1
33f77379ce18355332806ba63137201c38794e3e

SHA256
38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

SHA512
c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

Download Submit
C:\Windows\SysWOW64\Steaml\juschedlll..exe
Filesize
328KB

MD5
de3c1b8ca015d37518796e5df25900b0

SHA1
33f77379ce18355332806ba63137201c38794e3e

SHA256
38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

SHA512
c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

Download Submit
\Windows\SysWOW64\Steaml\juschedlll..exe
Filesize
328KB

MD5
de3c1b8ca015d37518796e5df25900b0

SHA1
33f77379ce18355332806ba63137201c38794e3e

SHA256
38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

SHA512
c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

Download Submit
\Windows\SysWOW64\Steaml\juschedlll..exe
Filesize
328KB

MD5
de3c1b8ca015d37518796e5df25900b0

SHA1
33f77379ce18355332806ba63137201c38794e3e

SHA256
38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

SHA512
c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

Download Submit
memory/580-87-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/580-81-0x0000000074FC1000-0x0000000074FC3000-memory.dmp

Filesize
8KB

Download
memory/580-79-0x0000000000000000-mapping.dmp

Download
memory/580-90-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1124-92-0x0000000000000000-mapping.dmp

Download
memory/1124-101-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1124-102-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1124-103-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1228-120-0x000000000040BBF4-mapping.dmp

Download
memory/1228-124-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1228-125-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1228-126-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1336-75-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1348-67-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-56-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-72-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1348-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-95-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1348-100-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-68-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1348-82-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1348-66-0x000000000040BBF4-mapping.dmp

Download
memory/1348-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-57-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-63-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-59-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1348-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1528-106-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads