cybergate | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643

Analysis

max time kernel
150s
max time network
99s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
Size

926KB
MD5

79ada15c4f8a7fbd9d272672712e5373
SHA1

4cb9fe1d91d6777b2a3b1bdc0ec7ff801e175dc2
SHA256

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643
SHA512

f76457132767904b1070f152ec8e7d97ef8db9de7eac5291c344d89faee75f0eaffcee9eb587dec640067690c0391ffc2182ec4693e8fab0af5807b6ac92e884
SSDEEP

24576:PoV6rg3tqKfO3bmhXysm8a+XYw0OCo/tAMQoKNWfQ:PoMrIHCbsmeowsMM0Q

Score

10^/10

cybergate testew evasion persistence stealer themida trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

testew

viperboy.no-ip.info:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\server.exe\""	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exeserver.exeserver.exeserver.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe

Executes dropped EXE 6 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exe

pid process

1212 server.exe
1220 server.exe
1816 server.exe
1676 server.exe
1696 server.exe
1664 server.exe

pid	process
1212	server.exe
1220	server.exe
1816	server.exe
1676	server.exe
1696	server.exe
1664	server.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exeserver.exeserver.exeserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\SysWOW64\\install\\server.exe Restart"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	server.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1212-63-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1212-69-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1212-75-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1212-84-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1220-89-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1220-92-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1816-120-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/340-125-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/340-138-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1604-139-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/340-140-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

Loads dropped DLL 7 IoCs

Processes:

server.exeexplorer.exe

pid process

1220 server.exe
1220 server.exe
1220 server.exe
1220 server.exe
1220 server.exe
1220 server.exe
340 explorer.exe

pid	process
1220	server.exe
1220	server.exe
1220	server.exe
1220	server.exe
1220	server.exe
1220	server.exe
340	explorer.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/916-55-0x0000000000400000-0x00000000005B6000-memory.dmp	themida
behavioral1/memory/916-103-0x0000000000400000-0x00000000005B6000-memory.dmp	themida

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exeserver.exeserver.exeserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\install\\server.exe"	server.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 8 IoCs

Processes:

server.exeserver.exeexplorer.exeserver.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\install\	explorer.exe
File created	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

pid process

916 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
Drops file in Windows directory 1 IoCs

Processes:

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

description ioc process

File created C:\Windows\server.exe 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

description	ioc	process
File created	C:\Windows\server.exe	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1700	916	WerFault.exe	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
864	1604	WerFault.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exeserver.exeserver.exeserver.exeserver.exe

pid process

916 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
1212 server.exe
1816 server.exe
1676 server.exe
1696 server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

340 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 340 explorer.exe
Token: SeDebugPrivilege 340 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

server.exeexplorer.exe

pid process

1212 server.exe
340 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

340 explorer.exe

pid	process
916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
1212	server.exe
1816	server.exe
1676	server.exe
1696	server.exe

pid	process
340	explorer.exe

description	pid	process
Token: SeDebugPrivilege	340	explorer.exe
Token: SeDebugPrivilege	340	explorer.exe

pid	process
1212	server.exe
340	explorer.exe

pid	process
340	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exeserver.exe

description	pid	process	target process
PID 916 wrote to memory of 1212	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	server.exe
PID 916 wrote to memory of 1212	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	server.exe
PID 916 wrote to memory of 1212	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	server.exe
PID 916 wrote to memory of 1212	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	server.exe
PID 916 wrote to memory of 1700	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	WerFault.exe
PID 916 wrote to memory of 1700	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	WerFault.exe
PID 916 wrote to memory of 1700	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	WerFault.exe
PID 916 wrote to memory of 1700	916	0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe	WerFault.exe
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE
PID 1212 wrote to memory of 1396	1212	server.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe
"C:\Users\Admin\AppData\Local\Temp\0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643.exe"
2⤵
- Modifies WinLogon for persistence
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\server.exe
"C:\Windows\server.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:876

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:1284

C:\Windows\server.exe
"C:\Windows\server.exe"
4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
PID:1220

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:340

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\SysWOW64\install\server.exe"
7⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 524
7⤵
- Program crash
PID:864

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 476
3⤵
- Program crash
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
573fc8040765ff469e14a074db9cbece

SHA1
944bcc4e95c093dc2236f6f494595b0d7421c400

SHA256
b669d151a9045d630dfee87281a031929e1f91eb38dccf8ea5eb00db46affa53

SHA512
699e47546f403c6e871b710282eadf64cb2afa27cb4b4e239dacb93a377ebc50ee0d6d9f2e6672b896bd530418e82cadb42776440711b26642e5a6925c36117d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
573fc8040765ff469e14a074db9cbece

SHA1
944bcc4e95c093dc2236f6f494595b0d7421c400

SHA256
b669d151a9045d630dfee87281a031929e1f91eb38dccf8ea5eb00db46affa53

SHA512
699e47546f403c6e871b710282eadf64cb2afa27cb4b4e239dacb93a377ebc50ee0d6d9f2e6672b896bd530418e82cadb42776440711b26642e5a6925c36117d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
4f590291e3a402495a024a5e8645f14a

SHA1
80cef1204734d24684688979f047a046265e07cb

SHA256
cd8468bbfe621e148aebdbaf44baf733bef06be4da934b8e73f45c95ac0c7836

SHA512
6d150a06547bdc4294c6fa3dc2410358af40c3b8d0d0c815fc27a3b2cadebe9e5d5d875d882b8bf74350780e70a073034e111d61aa7a2fc9589807627a43f690

Download Submit
C:\Users\Admin\AppData\Roaming\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
C:\Windows\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
290KB

MD5
382204a8c0cb746514b2f6d3d818a392

SHA1
14478b7045ee8acc0c3252f3192b5ea260512c1b

SHA256
bebb5120f512d48461fe673bccd6343bae805c9774f4ceda0ac413cd9e34d2d8

SHA512
c337ae46a685a6c600962372c888f64bd474d9b6df9f70cae89c7742fc2d8d488f61af583a782b860e54a044c5901b36bf3a35edb8a5af3b08f66b842fd3d69e

Download Submit
memory/340-106-0x0000000000000000-mapping.dmp

Download
memory/340-140-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/340-138-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/340-125-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/340-110-0x0000000074771000-0x0000000074773000-memory.dmp

Filesize
8KB

Download
memory/864-133-0x0000000000000000-mapping.dmp

Download
memory/916-103-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/916-104-0x0000000004270000-0x0000000004280000-memory.dmp

Filesize
64KB

Download
memory/916-56-0x0000000004270000-0x0000000004280000-memory.dmp

Filesize
64KB

Download
memory/916-55-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1212-63-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1212-75-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1212-69-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1212-57-0x0000000000000000-mapping.dmp

Download
memory/1212-84-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1220-81-0x0000000000000000-mapping.dmp

Download
memory/1220-92-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1220-89-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1396-66-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1604-115-0x0000000000000000-mapping.dmp

Download
memory/1604-139-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1664-135-0x0000000000000000-mapping.dmp

Download
memory/1676-100-0x0000000000000000-mapping.dmp

Download
memory/1696-113-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x0000000000000000-mapping.dmp

Download
memory/1816-120-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1816-95-0x0000000000000000-mapping.dmp

Download