cybergate | 17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632

Analysis

max time kernel
158s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
Size

644KB
MD5

42d92860641858293168711b52ca8a22
SHA1

340c35f46bb6eaba3136cd4dd5cb93984cd16e43
SHA256

17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632
SHA512

7d1b015e549bd3d4cba7943bcd8622d708d7cf11512e436d16bf1bc3d93525db058a54271f2f25215b046c12222c1e32117dcb2678bcf262d3673922d56c8ada
SSDEEP

12288:Fu+I2ndBj2zipL4sF7ck6ePNqvkOd+C9jBsm3rAQeZDglJLobyQqVtQhU7:rBnmzjm4k6cNqsOdKm7deNMNYyQqV5

Score

10^/10

cybergate l2ru agilenet persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l2ru

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642

Mutex

R7S56282M47S01

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
interface
install_file
csrsc.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
a123123123
regkey_hkcu
exploruse
regkey_hklm
exploruse

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exe

pid process

3732 IpOverUsbSvrc.exe
3404 atiesrx.exe

pid	process
3732	IpOverUsbSvrc.exe
3404	atiesrx.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5088-143-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/5088-147-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/5088-153-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/456-156-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/456-158-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/456-178-0x00000000104F0000-0x0000000010560000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exeIpOverUsbSvrc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	IpOverUsbSvrc.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 20 IoCs

Processes:

17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exeatiesrx.exe

description	pid	process	target process
PID 3064 set thread context of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 3760	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 4696	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 2736	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 1440	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 1596	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 3484	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 2336	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 3692	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 set thread context of 2212	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3404 set thread context of 4276	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 3244	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 3412	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 3648	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 3528	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 3992	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 2208	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 1564	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 344	3404	atiesrx.exe	AppLaunch.exe
PID 3404 set thread context of 3424	3404	atiesrx.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exeAppLaunch.exeAppLaunch.exe

pid	process
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
5088	AppLaunch.exe
5088	AppLaunch.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3760	AppLaunch.exe
3760	AppLaunch.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exeexplorer.exeIpOverUsbSvrc.exeatiesrx.exe

description	pid	process
Token: SeDebugPrivilege	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
Token: SeDebugPrivilege	456	explorer.exe
Token: SeDebugPrivilege	456	explorer.exe
Token: SeDebugPrivilege	3732	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	3404	atiesrx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AppLaunch.exe

pid process

5088 AppLaunch.exe

pid	process
5088	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exeAppLaunch.exe

description	pid	process	target process
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 5088	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	AppLaunch.exe
PID 3064 wrote to memory of 3732	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	IpOverUsbSvrc.exe
PID 3064 wrote to memory of 3732	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	IpOverUsbSvrc.exe
PID 3064 wrote to memory of 3732	3064	17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe	IpOverUsbSvrc.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe
PID 5088 wrote to memory of 364	5088	AppLaunch.exe	msedge.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe
"C:\Users\Admin\AppData\Local\Temp\17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:364

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:4276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:3412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
5⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
234KB

MD5
c0bcf340f2f69d904342b1d6a485ce9a

SHA1
ce71a273144a515bb2b5d9981b51da7265bb0953

SHA256
824dc553e28c2f3d6b6a615e4df55b67689628117d4e9917ccfb30f0650e8920

SHA512
000c4cbd2897ed03655cf1617727531b84d95ae6e68dcfca5e155e0768ef5f658cadb6f6ace2442bb53f42a26a747586d83ce6a89107a281bdcc9cd7250a806d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
10KB

MD5
b3bbb175906ed2831daef23eccea6a2c

SHA1
ed5cb8c8f225ead014298ae5636c142cfed448dd

SHA256
be649d0f7996abd93f2a4f05d71cf65ab688f9007017c6791cd94033133947eb

SHA512
185a3c6f62dd68f3d9c2b9d49079363bf3c8cbbcbbd89a8416060af2f47c28e72055bad653d7d1832326eccde38169fd826fcc2a4867ae61483d56893d9bd986

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
Filesize
10KB

MD5
b3bbb175906ed2831daef23eccea6a2c

SHA1
ed5cb8c8f225ead014298ae5636c142cfed448dd

SHA256
be649d0f7996abd93f2a4f05d71cf65ab688f9007017c6791cd94033133947eb

SHA512
185a3c6f62dd68f3d9c2b9d49079363bf3c8cbbcbbd89a8416060af2f47c28e72055bad653d7d1832326eccde38169fd826fcc2a4867ae61483d56893d9bd986

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
644KB

MD5
42d92860641858293168711b52ca8a22

SHA1
340c35f46bb6eaba3136cd4dd5cb93984cd16e43

SHA256
17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632

SHA512
7d1b015e549bd3d4cba7943bcd8622d708d7cf11512e436d16bf1bc3d93525db058a54271f2f25215b046c12222c1e32117dcb2678bcf262d3673922d56c8ada

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
Filesize
644KB

MD5
42d92860641858293168711b52ca8a22

SHA1
340c35f46bb6eaba3136cd4dd5cb93984cd16e43

SHA256
17ad873381566e1428cf5d0cb36a9d533926138843c8e658ee970462a5912632

SHA512
7d1b015e549bd3d4cba7943bcd8622d708d7cf11512e436d16bf1bc3d93525db058a54271f2f25215b046c12222c1e32117dcb2678bcf262d3673922d56c8ada

Download Submit
memory/344-275-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/344-270-0x0000000000000000-mapping.dmp

Download
memory/344-274-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/456-178-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/456-152-0x0000000000000000-mapping.dmp

Download
memory/456-156-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/456-158-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1440-184-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1440-180-0x0000000000000000-mapping.dmp

Download
memory/1440-185-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1564-269-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1564-268-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1564-264-0x0000000000000000-mapping.dmp

Download
memory/1596-186-0x0000000000000000-mapping.dmp

Download
memory/1596-195-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1596-190-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-263-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-262-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2208-258-0x0000000000000000-mapping.dmp

Download
memory/2212-221-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2212-215-0x0000000000000000-mapping.dmp

Download
memory/2212-219-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-206-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-202-0x0000000000000000-mapping.dmp

Download
memory/2336-207-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2736-176-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2736-179-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2736-172-0x0000000000000000-mapping.dmp

Download
memory/3064-132-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3064-133-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3064-220-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3244-232-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3244-228-0x0000000000000000-mapping.dmp

Download
memory/3244-233-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3404-192-0x0000000000000000-mapping.dmp

Download
memory/3404-194-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-213-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3412-239-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3412-234-0x0000000000000000-mapping.dmp

Download
memory/3412-238-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3424-276-0x0000000000000000-mapping.dmp

Download
memory/3424-280-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3484-196-0x0000000000000000-mapping.dmp

Download
memory/3484-201-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3484-200-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3528-251-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3528-250-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3528-246-0x0000000000000000-mapping.dmp

Download
memory/3648-240-0x0000000000000000-mapping.dmp

Download
memory/3648-245-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3648-244-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3692-214-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3692-208-0x0000000000000000-mapping.dmp

Download
memory/3692-212-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3732-177-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3732-150-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/3732-139-0x0000000000000000-mapping.dmp

Download
memory/3760-165-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3760-164-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3760-160-0x0000000000000000-mapping.dmp

Download
memory/3992-252-0x0000000000000000-mapping.dmp

Download
memory/3992-256-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3992-257-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4276-227-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4276-226-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4276-222-0x0000000000000000-mapping.dmp

Download
memory/4696-170-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4696-171-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4696-166-0x0000000000000000-mapping.dmp

Download
memory/5088-147-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/5088-153-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/5088-143-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/5088-159-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5088-138-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5088-137-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5088-136-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5088-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5088-134-0x0000000000000000-mapping.dmp

Download