cybergate | ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d

General

Target

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Size

330KB
MD5

d13c21bb46529522077309b00e37e050
SHA1

ace1a006e32d31fa6e42210b50255a18d5d3b48f
SHA256

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d
SHA512

7fc46fe9b76fd644317331114734cb748b002c318bef6fa3db06a4684b4d90d3e62d79f2e2de063ef207b63946f4fe7ae26e7fed03314f3e238fff0a15083da4
SSDEEP

6144:5esrD298Jl9kYDEtgCt/eY0eXqB9E9CbAZ7Dx5hEAEVhT9fu4GebL:wEDquk7tgCReXeIaCbAZ7DVg5mPef

Score

10^/10

cybergate öííé persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

127.0.0.1:288

hasoon999000.no-ip.info:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
windows
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windows\\windows.exe"	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windows\\windows.exe"	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Executes dropped EXE 2 IoCs

Processes:

windows.exewindows.exe

pid process

1900 windows.exe
1484 windows.exe

pid	process
1900	windows.exe
1484	windows.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "C:\\Windows\\windows\\windows.exe Restart"	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "C:\\Windows\\windows\\windows.exe"	explorer.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/732-56-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/732-60-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/732-61-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/732-62-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/732-64-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/732-69-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/732-74-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/808-79-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/808-82-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/732-84-0x0000000000190000-0x00000000001F2000-memory.dmp	upx
behavioral1/memory/732-90-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/732-96-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/852-95-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/852-97-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1484-107-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1484-108-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1484-109-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1484-110-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/852-111-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

pid process

852 ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

pid	process
852	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windows\\windows.exe"	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windows\\windows.exe"	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exewindows.exe

description	pid	process	target process
PID 1620 set thread context of 732	1620	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
PID 1900 set thread context of 1484	1900	windows.exe	windows.exe

Drops file in Windows directory 4 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exead81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

description	ioc	process
File opened for modification	C:\Windows\windows\windows.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
File opened for modification	C:\Windows\windows\windows.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
File opened for modification	C:\Windows\windows\	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
File created	C:\Windows\windows\windows.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

pid	process
732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

pid process

852 ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

pid	process
852	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

description	pid	process
Token: SeDebugPrivilege	852	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
Token: SeDebugPrivilege	852	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

pid process

732 ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exead81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe

description	pid	process	target process
PID 1620 wrote to memory of 732	1620	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
PID 1620 wrote to memory of 732	1620	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
PID 1620 wrote to memory of 732	1620	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
PID 1620 wrote to memory of 732	1620	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
PID 1620 wrote to memory of 732	1620	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
PID 1620 wrote to memory of 732	1620	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE
PID 732 wrote to memory of 1272	732	ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
"C:\Users\Admin\AppData\Local\Temp\ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
C:\Users\Admin\AppData\Local\Temp\ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:808

C:\Users\Admin\AppData\Local\Temp\ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe
"C:\Users\Admin\AppData\Local\Temp\ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d.exe"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\windows\windows.exe
"C:\Windows\windows\windows.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1900

C:\Windows\windows\windows.exe
C:\Windows\windows\windows.exe
6⤵
- Executes dropped EXE
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
b83194c648a479a6a387e8e2b4a2de83

SHA1
58a548f3ab6dcd0744b20b0037bb56e88f2f1054

SHA256
dfe9e4f5292675108e1495b523b6c2f31778efa717bdbdc49ab6717c99f546a0

SHA512
35b66215c017c62c5363c46df0e286546b7b787ed0e2ab40f8bb918689a399fe52dc20079d905f885412cdc488e8bc9b45ef5eac71b69a1b20032003f4922edc

Download Submit
C:\Windows\windows\windows.exe
Filesize
330KB

MD5
d13c21bb46529522077309b00e37e050

SHA1
ace1a006e32d31fa6e42210b50255a18d5d3b48f

SHA256
ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d

SHA512
7fc46fe9b76fd644317331114734cb748b002c318bef6fa3db06a4684b4d90d3e62d79f2e2de063ef207b63946f4fe7ae26e7fed03314f3e238fff0a15083da4

Download Submit
C:\Windows\windows\windows.exe
Filesize
330KB

MD5
d13c21bb46529522077309b00e37e050

SHA1
ace1a006e32d31fa6e42210b50255a18d5d3b48f

SHA256
ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d

SHA512
7fc46fe9b76fd644317331114734cb748b002c318bef6fa3db06a4684b4d90d3e62d79f2e2de063ef207b63946f4fe7ae26e7fed03314f3e238fff0a15083da4

Download Submit
C:\Windows\windows\windows.exe
Filesize
330KB

MD5
d13c21bb46529522077309b00e37e050

SHA1
ace1a006e32d31fa6e42210b50255a18d5d3b48f

SHA256
ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d

SHA512
7fc46fe9b76fd644317331114734cb748b002c318bef6fa3db06a4684b4d90d3e62d79f2e2de063ef207b63946f4fe7ae26e7fed03314f3e238fff0a15083da4

Download Submit
\Windows\windows\windows.exe
Filesize
330KB

MD5
d13c21bb46529522077309b00e37e050

SHA1
ace1a006e32d31fa6e42210b50255a18d5d3b48f

SHA256
ad81fe719d1d44cd45a5dd752e17a84dac9b76cd0f7e85475050aaad06e5995d

SHA512
7fc46fe9b76fd644317331114734cb748b002c318bef6fa3db06a4684b4d90d3e62d79f2e2de063ef207b63946f4fe7ae26e7fed03314f3e238fff0a15083da4

Download Submit
memory/732-64-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/732-90-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/732-62-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/732-56-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/732-57-0x0000000000453600-mapping.dmp

Download
memory/732-69-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/732-96-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/732-61-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/732-74-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/732-84-0x0000000000190000-0x00000000001F2000-memory.dmp

Filesize
392KB

Download
memory/732-59-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/732-60-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/808-82-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/808-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/808-73-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/808-71-0x0000000000000000-mapping.dmp

Download
memory/852-88-0x0000000000000000-mapping.dmp

Download
memory/852-95-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/852-97-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/852-111-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1272-67-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1484-103-0x0000000000453600-mapping.dmp

Download
memory/1484-107-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1484-108-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1484-109-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1484-110-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1620-54-0x00000000009B0000-0x0000000000A0A000-memory.dmp

Filesize
360KB

Download
memory/1620-55-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1900-101-0x0000000001120000-0x000000000117A000-memory.dmp

Filesize
360KB

Download
memory/1900-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads