cybergate | d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4

General

Target

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Size

1.1MB
MD5

32c50913f5bad6c1bf3e0472dc6835a7
SHA1

f0f78ff7461068e336c421e59134bfb9cd866b2a
SHA256

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4
SHA512

29733e8f1e3b8ad6a0ea662668c88f626ca7aae4138ed4c2e33786ef1d1dc8bb3b69e5f666a4f09a76f8c629a7d55f853f788b3f6b6d8d1993ff63961e1fd085
SSDEEP

24576:9x94aSqD+WRvWjGZXUYPu2tDrbbtJ5M/A2CJ:9xSxgB6oEYmMdXM/AfJ

Score

10^/10

cybergate 1st evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

1st

C2

58.138.194.52:80

Mutex

KA3TAD87D550W7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64H7VW0E-S1L1-K243-MR54-GP5LW2W71L70}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{64H7VW0E-S1L1-K243-MR54-GP5LW2W71L70}	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/556-78-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/556-88-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1644-93-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1644-96-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/1644-98-0x0000000010480000-0x00000000104F0000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Wine	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Drops file in System32 directory 4 IoCs

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
File opened for modification	C:\Windows\SysWOW64\install\	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	explorer.exe
File created	C:\Windows\SysWOW64\install\server.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

pid process

2028 d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	pid	process	target process
PID 2028 set thread context of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exed996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

pid	process
2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1644 explorer.exe
Token: SeDebugPrivilege 1644 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

pid process

556 d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

pid process

2028 d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	pid	process
Token: SeDebugPrivilege	1644	explorer.exe
Token: SeDebugPrivilege	1644	explorer.exe

pid	process
556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.execmd.exenet.exed996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe

description	pid	process	target process
PID 2028 wrote to memory of 2032	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	cmd.exe
PID 2028 wrote to memory of 2032	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	cmd.exe
PID 2028 wrote to memory of 2032	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	cmd.exe
PID 2028 wrote to memory of 2032	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	cmd.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2028 wrote to memory of 556	2028	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
PID 2032 wrote to memory of 1532	2032	cmd.exe	net.exe
PID 2032 wrote to memory of 1532	2032	cmd.exe	net.exe
PID 2032 wrote to memory of 1532	2032	cmd.exe	net.exe
PID 2032 wrote to memory of 1532	2032	cmd.exe	net.exe
PID 1532 wrote to memory of 276	1532	net.exe	net1.exe
PID 1532 wrote to memory of 276	1532	net.exe	net1.exe
PID 1532 wrote to memory of 276	1532	net.exe	net1.exe
PID 1532 wrote to memory of 276	1532	net.exe	net1.exe
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE
PID 556 wrote to memory of 1284	556	d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
"C:\Users\Admin\AppData\Local\Temp\d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:276

C:\Users\Admin\AppData\Local\Temp\d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
C:\Users\Admin\AppData\Local\Temp\d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
234KB

MD5
05fa080b61a4b7f3e71d0a88fdbe8324

SHA1
e8d1ed275674d8e4213237e063ccc137ed637062

SHA256
9055919330f096ad9db6497d8a4088bfe8acf00c639f401f3d72b6d109c75af7

SHA512
f06f9ef888fde67150d7323c11c2d5bc6cf28ca54b447dc84d9dcf6555e2f967d8143f0a564c5df0df880623b580b5b534b1d348a8ea048110bfda9a3db5f441

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
1.1MB

MD5
32c50913f5bad6c1bf3e0472dc6835a7

SHA1
f0f78ff7461068e336c421e59134bfb9cd866b2a

SHA256
d996440977f4174edfc6f670330ecbb4101863c2c4135a6c69e4d2dc55c58fb4

SHA512
29733e8f1e3b8ad6a0ea662668c88f626ca7aae4138ed4c2e33786ef1d1dc8bb3b69e5f666a4f09a76f8c629a7d55f853f788b3f6b6d8d1993ff63961e1fd085

Download Submit
memory/276-74-0x0000000000000000-mapping.dmp

Download
memory/556-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-97-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-67-0x0000000000409860-mapping.dmp

Download
memory/556-68-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-88-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/556-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/556-78-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1284-81-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1532-71-0x0000000000000000-mapping.dmp

Download
memory/1644-93-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1644-84-0x0000000000000000-mapping.dmp

Download
memory/1644-86-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1644-96-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1644-98-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/2028-72-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-54-0x0000000000400000-0x00000000005C7000-memory.dmp

Filesize
1.8MB

Download
memory/2028-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2028-73-0x0000000077C40000-0x0000000077DC0000-memory.dmp

Filesize
1.5MB

Download
memory/2028-75-0x00000000003F0000-0x00000000003F4000-memory.dmp

Filesize
16KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads