cybergate | 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

General

Target

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Size

331KB
MD5

f3cb011cd2a4034f2531cee08e63156b
SHA1

6f78b8113a42fa10109c481c599aee80ec0c0323
SHA256

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a
SHA512

32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a
SSDEEP

6144:lxHa4c7+eEwzJBZVPd27pGNl/HW9CMLJvdmRRb06rQTmGW2vXnMl3IHS7NKumUZd:jaPR/29CMlURRIUQTmmvXMl3IKwUT

Score

10^/10

cybergate panda persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

panda

C2

baglanhayada.com:106

Mutex

LFO701A1756D

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
K_yuvbhyucab.exe
install_file
K_yuvbhyucab.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Run Time Failed.!
message_box_title
Error
password
lasatsa
regkey_hkcu
K_yuvbhyucab

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

K_yuvbhyucab.exeK_yuvbhyucab.exe

pid process

1528 K_yuvbhyucab.exe
372 K_yuvbhyucab.exe

pid	process
1528	K_yuvbhyucab.exe
372	K_yuvbhyucab.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}\StubPath = "C:\\Windows\\system32\\K_yuvbhyucab.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}\StubPath = "C:\\Windows\\system32\\K_yuvbhyucab.exe Restart"	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1392-71-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1392-80-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1736-85-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1736-86-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1392-90-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1392-97-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1248-102-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1248-117-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1736-126-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1248-127-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid	process
1248	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
1248	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\K_yuvbhyucab = "C:\\Windows\\system32\\K_yuvbhyucab.exe"	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Drops file in System32 directory 5 IoCs

Processes:

K_yuvbhyucab.exe4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\K_yuvbhyucab.exe	K_yuvbhyucab.exe
File created	C:\Windows\SysWOW64\K_yuvbhyucab.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
File opened for modification	C:\Windows\SysWOW64\K_yuvbhyucab.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
File opened for modification	C:\Windows\SysWOW64\K_yuvbhyucab.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
File opened for modification	C:\Windows\SysWOW64\	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exeK_yuvbhyucab.exe

description	pid	process	target process
PID 1460 set thread context of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1528 set thread context of 372	1528	K_yuvbhyucab.exe	K_yuvbhyucab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid process

1248 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	pid	process
Token: SeDebugPrivilege	1248	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Token: SeDebugPrivilege	1248	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid process

1392 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exeK_yuvbhyucab.exe

pid process

1460 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
1528 K_yuvbhyucab.exe

pid	process
1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid	process
1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
1528	K_yuvbhyucab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	pid	process	target process
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1460 wrote to memory of 1392	1460	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 1392 wrote to memory of 1200	1392	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
"C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
"C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe"
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
"C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe"
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\K_yuvbhyucab.exe
"C:\Windows\system32\K_yuvbhyucab.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\K_yuvbhyucab.exe
"C:\Windows\SysWOW64\K_yuvbhyucab.exe"
6⤵
- Executes dropped EXE
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
f55c9056f035608a27f64585082d3b05

SHA1
df5e2f4c703662a5f6e8a6ef3cb60f1866e501ca

SHA256
edc3273658d53b44dc50482bbee0a3b6a827d2e656f4cf0c43a1b13389f58926

SHA512
97da852704f82d66423b184594a5eaa34e44be5b10dcb4b5f0988fd54e23032fd8fa56de61f184cb3f000044b00c0f6c6b2c29264a71d25642dda3e4e42ab042

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
memory/372-124-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/372-123-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/372-119-0x000000000040BBF4-mapping.dmp

Download
memory/372-125-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1200-74-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1248-117-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1248-102-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1248-94-0x0000000000000000-mapping.dmp

Download
memory/1248-127-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1392-65-0x000000000040BBF4-mapping.dmp

Download
memory/1392-64-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1392-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1392-71-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1392-103-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1392-80-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1392-97-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1392-66-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1392-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1392-67-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1392-90-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1460-62-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1460-55-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1460-57-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/1460-54-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1460-56-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1460-58-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1460-63-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1460-60-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1460-59-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1460-61-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1528-106-0x0000000000000000-mapping.dmp

Download
memory/1528-115-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1528-114-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/1528-113-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1528-112-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1736-86-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1736-77-0x0000000000000000-mapping.dmp

Download
memory/1736-79-0x0000000074A21000-0x0000000074A23000-memory.dmp

Filesize
8KB

Download
memory/1736-126-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1736-85-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads