cybergate | 9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1

General

Target

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Size

677KB
MD5

c4ce9e5f380252abd4bfa5ec2fb9175b
SHA1

01908253ac0e0c483da78ccb0c940ee77ea46d7b
SHA256

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1
SHA512

03cdfd3a157d7393e4c8e0d93defd26597cd67a65b036582eeb60911ba43db1bcc488e5980dcac061ec0712a7a940575ce6966f87fbcb0d9c605b38d503b23a9
SSDEEP

12288:rm6x6bLRwMrSgUjPEtjCuIqNK6ypnuDuZ+t0r:redwMrSPwp9PNKVuDaKc

Score

10^/10

cybergate hacker persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

hacker

C2

154.no-ip.info:8000

Mutex

YYC675271PULN4

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
.//
ftp_interval
30
ftp_password
army745volt019
ftp_port
21
ftp_server
ftp.primahostindo.info
ftp_username
admin@primahostindo.info
injected_process
explorer.exe
install_dir
drivers
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
army745volt019
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\drivers\\win32.exe"	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\drivers\\win32.exe"	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe

Drops file in Drivers directory 5 IoCs

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exeexplorer.exewin32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\win32.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\win32.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\win32.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\drivers\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\drivers\win32.exe	win32.exe

Executes dropped EXE 2 IoCs

Processes:

win32.exewin32.exe

pid process

692 win32.exe
1364 win32.exe

pid	process
692	win32.exe
1364	win32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1IW2H4Q1-J137-UYX1-7B2E-4215GAV7X2S6}	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1IW2H4Q1-J137-UYX1-7B2E-4215GAV7X2S6}\StubPath = "C:\\Windows\\system32\\drivers\\win32.exe Restart"	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{1IW2H4Q1-J137-UYX1-7B2E-4215GAV7X2S6}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1IW2H4Q1-J137-UYX1-7B2E-4215GAV7X2S6}\StubPath = "C:\\Windows\\system32\\drivers\\win32.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1180-72-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral1/memory/1180-82-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/1300-87-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/1300-90-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral1/memory/1180-95-0x00000000240D0000-0x000000002412F000-memory.dmp	upx
behavioral1/memory/1252-100-0x00000000240D0000-0x000000002412F000-memory.dmp	upx
behavioral1/memory/1252-101-0x00000000240D0000-0x000000002412F000-memory.dmp	upx
behavioral1/memory/1252-127-0x00000000240D0000-0x000000002412F000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

explorer.exe

pid process

1252 explorer.exe
1252 explorer.exe

pid	process
1252	explorer.exe
1252	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\drivers\\win32.exe"	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\drivers\\win32.exe"	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exewin32.exe

description	pid	process	target process
PID 952 set thread context of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 692 set thread context of 1364	692	win32.exe	win32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe

pid process

1180 9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1252 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1252 explorer.exe
Token: SeDebugPrivilege 1252 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exeexplorer.exe

pid process

1180 9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
1252 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

1252 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exewin32.exe

pid process

952 9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
692 win32.exe

pid	process
1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe

pid	process
1252	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1252	explorer.exe
Token: SeDebugPrivilege	1252	explorer.exe

pid	process
1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
1252	explorer.exe

pid	process
1252	explorer.exe

pid	process
952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
692	win32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe

description	pid	process	target process
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 952 wrote to memory of 1180	952	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE
PID 1180 wrote to memory of 1228	1180	9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
"C:\Users\Admin\AppData\Local\Temp\9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1.exe
3⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1300

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1252

C:\Windows\SysWOW64\drivers\win32.exe
"C:\Windows\system32\drivers\win32.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\SysWOW64\drivers\win32.exe
6⤵
- Executes dropped EXE
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
219KB

MD5
eb1b0c2a1b498c10707ecaaf8585023e

SHA1
8a2c697e4b7a67f0c3044bfeb1ca3a01372f1433

SHA256
0cb6997b16dc8b2c0ecdc9e48f76519e7a699b06ca00295e71aff6de70eddcba

SHA512
a48389b98bb264b069fbe88fe3d795297afd7885c3309fbcd2656d60be9107eff5807ad3d63a8289aa202445fa609a9bb5904fb0c7313a0d987f07a7f4834974

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3406023954-474543476-3319432036-1000\f9992b1ed3cdc054077ba50d8115ad69_5a633035-f6f6-46e5-abe0-a504cf633ef0
Filesize
57B

MD5
153b2a558bcc2637785c3d304feb47c3

SHA1
9a7bdb036bd48473093927400dd99a5a5308b004

SHA256
84166001071186d1fbda3e5426703630637e2ed4c56030fa3c8183db53b36066

SHA512
93ee6a70fed833314830e61eba2b91282c3a45b216211eef96aed7e7098ec4763a410e9f50ec9f58681130f8e3a4c96664b1a0d90196025294ebaa9d01adef35

Download Submit
C:\Windows\SysWOW64\drivers\win32.exe
Filesize
677KB

MD5
c4ce9e5f380252abd4bfa5ec2fb9175b

SHA1
01908253ac0e0c483da78ccb0c940ee77ea46d7b

SHA256
9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1

SHA512
03cdfd3a157d7393e4c8e0d93defd26597cd67a65b036582eeb60911ba43db1bcc488e5980dcac061ec0712a7a940575ce6966f87fbcb0d9c605b38d503b23a9

Download Submit
C:\Windows\SysWOW64\drivers\win32.exe
Filesize
677KB

MD5
c4ce9e5f380252abd4bfa5ec2fb9175b

SHA1
01908253ac0e0c483da78ccb0c940ee77ea46d7b

SHA256
9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1

SHA512
03cdfd3a157d7393e4c8e0d93defd26597cd67a65b036582eeb60911ba43db1bcc488e5980dcac061ec0712a7a940575ce6966f87fbcb0d9c605b38d503b23a9

Download Submit
C:\Windows\SysWOW64\drivers\win32.exe
Filesize
677KB

MD5
c4ce9e5f380252abd4bfa5ec2fb9175b

SHA1
01908253ac0e0c483da78ccb0c940ee77ea46d7b

SHA256
9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1

SHA512
03cdfd3a157d7393e4c8e0d93defd26597cd67a65b036582eeb60911ba43db1bcc488e5980dcac061ec0712a7a940575ce6966f87fbcb0d9c605b38d503b23a9

Download Submit
\Windows\SysWOW64\drivers\win32.exe
Filesize
677KB

MD5
c4ce9e5f380252abd4bfa5ec2fb9175b

SHA1
01908253ac0e0c483da78ccb0c940ee77ea46d7b

SHA256
9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1

SHA512
03cdfd3a157d7393e4c8e0d93defd26597cd67a65b036582eeb60911ba43db1bcc488e5980dcac061ec0712a7a940575ce6966f87fbcb0d9c605b38d503b23a9

Download Submit
\Windows\SysWOW64\drivers\win32.exe
Filesize
677KB

MD5
c4ce9e5f380252abd4bfa5ec2fb9175b

SHA1
01908253ac0e0c483da78ccb0c940ee77ea46d7b

SHA256
9ff8fa250390ae22fec69e4eba2dd62016ab252c72ff5f0ab33c31314b999bf1

SHA512
03cdfd3a157d7393e4c8e0d93defd26597cd67a65b036582eeb60911ba43db1bcc488e5980dcac061ec0712a7a940575ce6966f87fbcb0d9c605b38d503b23a9

Download Submit
memory/692-105-0x0000000000000000-mapping.dmp

Download
memory/1180-82-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1180-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-68-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/1180-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-70-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-72-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/1180-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-102-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-66-0x000000000040BCA4-mapping.dmp

Download
memory/1180-65-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1180-95-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/1180-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1228-75-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/1252-92-0x0000000000000000-mapping.dmp

Download
memory/1252-101-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/1252-100-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/1252-127-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/1300-90-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1300-87-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/1300-81-0x0000000074541000-0x0000000074543000-memory.dmp

Filesize
8KB

Download
memory/1300-79-0x0000000000000000-mapping.dmp

Download
memory/1364-120-0x000000000040BCA4-mapping.dmp

Download
memory/1364-124-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1364-125-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1364-126-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads