cybergate | 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

General

Target

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Size

1.3MB
MD5

c45852cd0532c5fee63221cd16c23a5b
SHA1

3efef25db176eaebfaaee452d9231418bbca9e71
SHA256

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe
SHA512

cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d
SSDEEP

24576:IHQBkkFlK7MBWaReHtJWiLDpwHZ1aM99swQlIbYf6ZOklg:IwfC4BWEqWowHZB7QSOn

Score

10^/10

cybergate system persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

system

C2

system32.ddns.net:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
local
install_file
host.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\local\\host.exe"	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\local\\host.exe"	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Executes dropped EXE 2 IoCs

Processes:

host.exehost.exe

pid process

4224 host.exe
2244 host.exe

pid	process
4224	host.exe
2244	host.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}\StubPath = "C:\\Windows\\system32\\local\\host.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}\StubPath = "C:\\Windows\\system32\\local\\host.exe Restart"	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y576UI2X-S732-2084-C813-4NJ3B87L4H5J}	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4744-140-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4744-145-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3796-148-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3796-151-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4744-153-0x00000000004E0000-0x0000000000542000-memory.dmp	upx
behavioral2/memory/4744-158-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3648-161-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3648-167-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3648-174-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Drops file in System32 directory 3 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exehost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\local\host.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
File opened for modification	C:\Windows\SysWOW64\local\host.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
File opened for modification	C:\Windows\SysWOW64\local\host.exe	host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exehost.exe

description	pid	process	target process
PID 2320 set thread context of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 4224 set thread context of 2244	4224	host.exe	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2400 2244 WerFault.exe host.exe

pid	pid_target	process	target process
2400	2244	WerFault.exe	host.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid	process
4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid process

3648 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid	process
3648	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	pid	process
Token: SeDebugPrivilege	3648	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Token: SeDebugPrivilege	3648	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

pid process

4744 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exehost.exe

pid process

2320 53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
4224 host.exe

pid	process
2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
4224	host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe

description	pid	process	target process
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 2320 wrote to memory of 4744	2320	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE
PID 4744 wrote to memory of 2940	4744	53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
"C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
"C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:3796

C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe
"C:\Users\Admin\AppData\Local\Temp\53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe.exe"
4⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\SysWOW64\local\host.exe
"C:\Windows\system32\local\host.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4224

C:\Windows\SysWOW64\local\host.exe
"C:\Windows\SysWOW64\local\host.exe"
6⤵
- Executes dropped EXE
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 572
7⤵
- Program crash
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2244 -ip 2244
1⤵
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
c06b4035793566c33dee91c937058212

SHA1
e249c01b5b1b91c5b07c7339b8d5f161662e7005

SHA256
fe62af0fb7e5e53b7089e72da9d2b34bcef43ca101ad6fb57aa1e829cc967563

SHA512
7371fb3ce44385142f61fb29b8703156b0f216fece3fad1c41882a7751c1b3be1dc6cee87385846886c21c433c1ec558f96e429d72fef3ad87047ea5f897044e

Download Submit
C:\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
C:\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
C:\Windows\SysWOW64\local\host.exe
Filesize
1.3MB

MD5
c45852cd0532c5fee63221cd16c23a5b

SHA1
3efef25db176eaebfaaee452d9231418bbca9e71

SHA256
53de2aafe5839792a0d37406af9bfb3d6aab7a2cffc012bd86825b52f882a8fe

SHA512
cc1481b9a1b6baa571ade37cc45431060484517822f8b2aae2e3c674445c795c12f31fae0ea33e6651ec41da9106e899d8c0434b01b4c59d1d8ac5016e3ec21d

Download Submit
memory/2244-173-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2244-172-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2244-168-0x0000000000000000-mapping.dmp

Download
memory/3648-157-0x0000000000000000-mapping.dmp

Download
memory/3648-174-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/3648-167-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/3648-161-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/3796-144-0x0000000000000000-mapping.dmp

Download
memory/3796-148-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3796-151-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4224-163-0x0000000000000000-mapping.dmp

Download
memory/4744-145-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4744-162-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4744-158-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4744-153-0x00000000004E0000-0x0000000000542000-memory.dmp

Filesize
392KB

Download
memory/4744-134-0x0000000000000000-mapping.dmp

Download
memory/4744-140-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4744-138-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4744-137-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4744-136-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4744-135-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads