cybergate | 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

General

Target

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Size

331KB
MD5

f3cb011cd2a4034f2531cee08e63156b
SHA1

6f78b8113a42fa10109c481c599aee80ec0c0323
SHA256

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a
SHA512

32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a
SSDEEP

6144:lxHa4c7+eEwzJBZVPd27pGNl/HW9CMLJvdmRRb06rQTmGW2vXnMl3IHS7NKumUZd:jaPR/29CMlURRIUQTmmvXMl3IKwUT

Score

10^/10

cybergate panda persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

panda

C2

baglanhayada.com:106

Mutex

LFO701A1756D

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
K_yuvbhyucab.exe
install_file
K_yuvbhyucab.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Run Time Failed.!
message_box_title
Error
password
lasatsa
regkey_hkcu
K_yuvbhyucab

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 4 IoCs

Processes:

K_yuvbhyucab.exeK_yuvbhyucab.exeK_yuvbhyucab.exeK_yuvbhyucab.exe

pid process

3996 K_yuvbhyucab.exe
3540 K_yuvbhyucab.exe
604 K_yuvbhyucab.exe
380 K_yuvbhyucab.exe

pid	process
3996	K_yuvbhyucab.exe
3540	K_yuvbhyucab.exe
604	K_yuvbhyucab.exe
380	K_yuvbhyucab.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}\StubPath = "C:\\Windows\\system32\\K_yuvbhyucab.exe Restart"	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15T4IM0W-331V-QAY4-RU41-4FBEJ6XHE61O}\StubPath = "C:\\Windows\\system32\\K_yuvbhyucab.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4856-148-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4856-153-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4800-156-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4800-159-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4856-161-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/4856-167-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1512-171-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1512-184-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1512-209-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\K_yuvbhyucab = "C:\\Windows\\system32\\K_yuvbhyucab.exe"	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Drops file in System32 directory 6 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exeK_yuvbhyucab.exeK_yuvbhyucab.exe4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\K_yuvbhyucab.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
File opened for modification	C:\Windows\SysWOW64\	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
File opened for modification	C:\Windows\SysWOW64\K_yuvbhyucab.exe	K_yuvbhyucab.exe
File opened for modification	C:\Windows\SysWOW64\K_yuvbhyucab.exe	K_yuvbhyucab.exe
File created	C:\Windows\SysWOW64\K_yuvbhyucab.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
File opened for modification	C:\Windows\SysWOW64\K_yuvbhyucab.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exeK_yuvbhyucab.exeK_yuvbhyucab.exe

description	pid	process	target process
PID 1180 set thread context of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 3996 set thread context of 3540	3996	K_yuvbhyucab.exe	K_yuvbhyucab.exe
PID 604 set thread context of 380	604	K_yuvbhyucab.exe	K_yuvbhyucab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3824 3540 WerFault.exe K_yuvbhyucab.exe
2580 380 WerFault.exe K_yuvbhyucab.exe

pid	pid_target	process	target process
3824	3540	WerFault.exe	K_yuvbhyucab.exe
2580	380	WerFault.exe	K_yuvbhyucab.exe

Modifies registry class 1 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid process

1512 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid	process
1512	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	pid	process
Token: SeDebugPrivilege	1512	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Token: SeDebugPrivilege	1512	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid process

4856 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exeK_yuvbhyucab.exeK_yuvbhyucab.exe

pid process

1180 4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
3996 K_yuvbhyucab.exe
604 K_yuvbhyucab.exe

pid	process
4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

pid	process
1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
3996	K_yuvbhyucab.exe
604	K_yuvbhyucab.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe

description	pid	process	target process
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 1180 wrote to memory of 4856	1180	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE
PID 4856 wrote to memory of 1084	4856	4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
"C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
"C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe"
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:4800

C:\Windows\SysWOW64\K_yuvbhyucab.exe
"C:\Windows\system32\K_yuvbhyucab.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\SysWOW64\K_yuvbhyucab.exe
"C:\Windows\SysWOW64\K_yuvbhyucab.exe"
6⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 564
7⤵
- Program crash
PID:3824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe
"C:\Users\Admin\AppData\Local\Temp\4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a.exe"
4⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\K_yuvbhyucab.exe
"C:\Windows\system32\K_yuvbhyucab.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\SysWOW64\K_yuvbhyucab.exe
"C:\Windows\SysWOW64\K_yuvbhyucab.exe"
6⤵
- Executes dropped EXE
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 532
7⤵
- Program crash
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3540 -ip 3540
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 380 -ip 380
1⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
f55c9056f035608a27f64585082d3b05

SHA1
df5e2f4c703662a5f6e8a6ef3cb60f1866e501ca

SHA256
edc3273658d53b44dc50482bbee0a3b6a827d2e656f4cf0c43a1b13389f58926

SHA512
97da852704f82d66423b184594a5eaa34e44be5b10dcb4b5f0988fd54e23032fd8fa56de61f184cb3f000044b00c0f6c6b2c29264a71d25642dda3e4e42ab042

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
C:\Windows\SysWOW64\K_yuvbhyucab.exe
Filesize
331KB

MD5
f3cb011cd2a4034f2531cee08e63156b

SHA1
6f78b8113a42fa10109c481c599aee80ec0c0323

SHA256
4052d14c3a9c6e9850fcd8744735e4cc7acbecf7b38fadc9144c420f9f60992a

SHA512
32a5e17c05273794a9fc2661eddfeed8149101757ff76e357d70fd959a741d41b4c94c06fce48a0566fe337be5b0a0cbf22eb3b89c65bc520cfefcd66c0c002a

Download Submit
memory/380-208-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/380-203-0x0000000000000000-mapping.dmp

Download
memory/604-195-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/604-197-0x0000000002050000-0x0000000002060000-memory.dmp

Filesize
64KB

Download
memory/604-190-0x0000000000000000-mapping.dmp

Download
memory/604-193-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/604-194-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/604-201-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download
memory/604-200-0x0000000002080000-0x0000000002090000-memory.dmp

Filesize
64KB

Download
memory/604-199-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/604-198-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/604-196-0x0000000002040000-0x0000000002050000-memory.dmp

Filesize
64KB

Download
memory/1180-141-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1180-137-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/1180-136-0x0000000002050000-0x0000000002060000-memory.dmp

Filesize
64KB

Download
memory/1180-135-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/1180-138-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/1180-139-0x0000000002080000-0x0000000002090000-memory.dmp

Filesize
64KB

Download
memory/1180-134-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/1180-140-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download
memory/1180-133-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/1180-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-171-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1512-184-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1512-165-0x0000000000000000-mapping.dmp

Download
memory/1512-166-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-209-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3540-202-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3540-189-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3540-185-0x0000000000000000-mapping.dmp

Download
memory/3996-176-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/3996-182-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download
memory/3996-183-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/3996-181-0x0000000002080000-0x0000000002090000-memory.dmp

Filesize
64KB

Download
memory/3996-180-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/3996-179-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/3996-172-0x0000000000000000-mapping.dmp

Download
memory/3996-177-0x0000000002040000-0x0000000002050000-memory.dmp

Filesize
64KB

Download
memory/3996-178-0x0000000002050000-0x0000000002060000-memory.dmp

Filesize
64KB

Download
memory/3996-175-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4800-152-0x0000000000000000-mapping.dmp

Download
memory/4800-159-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4800-156-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4856-153-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4856-161-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4856-148-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4856-146-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4856-145-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4856-167-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4856-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4856-143-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4856-142-0x0000000000000000-mapping.dmp

Download
memory/4856-170-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads