cybergate | 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

General

Target

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Size

1.3MB
MD5

c45852cd0532c5fee63221cd16c23a5b
SHA1

3efef25db176eaebfaaee452d9231418bbca9e71
SHA256

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe
SHA512

cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d
SSDEEP

24576:IHQBkkFlK7MBWaReHtJWiLDpwHZ1aM99swQlIbYf6ZOklg:IwfC4BWEqWowHZB7QSOn

Score

10^/10

cybergate system persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

system

C2

system32.ddns.net:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
local
install_file
host.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\local\\host.exe"	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\local\\host.exe"	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Executes dropped EXE 2 IoCs

Processes:

host.exehost.exe

pid process

1572 host.exe
680 host.exe

pid	process
1572	host.exe
680	host.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}\StubPath = "C:\\Windows\\system32\\local\\host.exe Restart"	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}\StubPath = "C:\\Windows\\system32\\local\\host.exe"	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1624-72-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1624-81-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/300-86-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/300-87-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1624-91-0x0000000000450000-0x00000000004B2000-memory.dmp	upx
behavioral1/memory/1624-97-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1812-103-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1812-124-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/300-128-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1812-129-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid	process
1812	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
1812	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Drops file in System32 directory 3 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exehost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\local\host.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
File opened for modification	C:\Windows\SysWOW64\local\host.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
File opened for modification	C:\Windows\SysWOW64\local\host.exe	host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exehost.exe

description	pid	process	target process
PID 2012 set thread context of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 1572 set thread context of 680	1572	host.exe	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid	process
1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid process

1812 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	pid	process
Token: SeDebugPrivilege	1812	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Token: SeDebugPrivilege	1812	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid process

1624 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exehost.exe

pid process

2012 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
1572 host.exe

pid	process
2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
1572	host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	pid	process	target process
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2012 wrote to memory of 1624	2012	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 1624 wrote to memory of 1200	1624	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
"C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
"C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:300

C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
"C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe"
4⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\local\host.exe
"C:\Windows\system32\local\host.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\SysWOW64\local\host.exe
"C:\Windows\SysWOW64\local\host.exe"
6⤵
- Executes dropped EXE
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
c06b4035793566c33dee91c937058212

SHA1
e249c01b5b1b91c5b07c7339b8d5f161662e7005

SHA256
fe62af0fb7e5e53b7089e72da9d2b34bcef43ca101ad6fb57aa1e829cc967563

SHA512
7371fb3ce44385142f61fb29b8703156b0f216fece3fad1c41882a7751c1b3be1dc6cee87385846886c21c433c1ec558f96e429d72fef3ad87047ea5f897044e

Download Submit
C:\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
C:\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
C:\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
memory/300-86-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/300-78-0x0000000000000000-mapping.dmp

Download
memory/300-128-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/300-87-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/300-80-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/680-120-0x000000000040BBF4-mapping.dmp

Download
memory/680-127-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/680-126-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/680-125-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1200-75-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1572-106-0x0000000000000000-mapping.dmp

Download
memory/1624-97-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1624-102-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-91-0x0000000000450000-0x00000000004B2000-memory.dmp

Filesize
392KB

Download
memory/1624-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-70-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-66-0x000000000040BBF4-mapping.dmp

Download
memory/1624-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-81-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1624-60-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1624-72-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1624-68-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/1812-95-0x0000000000000000-mapping.dmp

Download
memory/1812-124-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1812-103-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1812-129-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads