cybergate | 0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0

General

Target

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Size

643KB
MD5

3d8791d281ae6a73bb52fcec92badb90
SHA1

3492649ce3410c39a0634a12f4afe51fc2cc0464
SHA256

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0
SHA512

4a63507d648de7abb487bda3416d9df0b6052768cfb3d30af3db63c56747e34ed5dbe768985ef1966bf48ee8b80527f802aa6dc7cd1527ab2ad711d3f97abcfb
SSDEEP

12288:J4zr8W2XcMMnlWmPFqZXnFpE00YglJLobyQqVtQhU7:SgMMMlW2FqBPB0YMNYyQqV5

Score

10^/10

cybergate l2ru agilenet persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l2ru

C2

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642

Mutex

1J06T62M0GRU16

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
interface
install_file
csrsc.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
a123123123
regkey_hkcu
exploruse
regkey_hklm
exploruse

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\taskmgi = "C:\\Windows\\system32\\interface\\csrsc.exe"	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\taskmgi = "C:\\Windows\\system32\\interface\\csrsc.exe"	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6OGA7127-5C37-657A-L4Q6-15W15NGG1HHI}	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6OGA7127-5C37-657A-L4Q6-15W15NGG1HHI}\StubPath = "C:\\Windows\\system32\\interface\\csrsc.exe Restart"	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6OGA7127-5C37-657A-L4Q6-15W15NGG1HHI}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6OGA7127-5C37-657A-L4Q6-15W15NGG1HHI}\StubPath = "C:\\Windows\\system32\\interface\\csrsc.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/308-140-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/308-145-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/4700-148-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/4700-151-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/308-153-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/308-158-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/636-161-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/636-162-0x0000000010560000-0x00000000105D0000-memory.dmp	upx
behavioral2/memory/636-164-0x0000000010560000-0x00000000105D0000-memory.dmp	upx

Drops startup file 3 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsc.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsc.exe	explorer.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Windows\SysWOW64\interface\csrsc.exe	agile_net

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\exploruse = "C:\\Windows\\system32\\interface\\csrsc.exe"	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exploruse = "C:\\Windows\\system32\\interface\\csrsc.exe"	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

Drops file in System32 directory 2 IoCs

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\interface\csrsc.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
File created	C:\Windows\SysWOW64\interface\csrsc.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

description	pid	process	target process
PID 3248 set thread context of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

pid	process
3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
Token: SeDebugPrivilege	636	explorer.exe
Token: SeDebugPrivilege	636	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

pid process

308 0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

pid	process
308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe

description	pid	process	target process
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 3248 wrote to memory of 308	3248	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE
PID 308 wrote to memory of 2440	308	0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
"C:\Users\Admin\AppData\Local\Temp\0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe
"C:\Users\Admin\AppData\Local\Temp\0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:2276

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
234KB

MD5
752f9d9d08494d0fb4d68fbe3f15ce39

SHA1
74f008ed52f7e94877ba5fab76df11b48c4d7852

SHA256
04e77ba535043392102974c9e5c2b7bd0c4e1ff3196b22dc94de7f90d6a8f979

SHA512
11c3842c62358f86e20fb7460ee305f0169156a3797f4558c7160955e9b489f2dd49a28bb4e7d49c17dd041ac88e9b8c17826507edc8902bc2ae4f8db2409d9f

Download Submit
C:\Windows\SysWOW64\interface\csrsc.exe
Filesize
643KB

MD5
3d8791d281ae6a73bb52fcec92badb90

SHA1
3492649ce3410c39a0634a12f4afe51fc2cc0464

SHA256
0e59feb575e3c40de1da9964c7403d425ebd39ed607105cd4446bf6c5c6215d0

SHA512
4a63507d648de7abb487bda3416d9df0b6052768cfb3d30af3db63c56747e34ed5dbe768985ef1966bf48ee8b80527f802aa6dc7cd1527ab2ad711d3f97abcfb

Download Submit
memory/308-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/308-145-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/308-158-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/308-153-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/308-138-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/308-140-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/308-163-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/308-136-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/308-133-0x0000000000000000-mapping.dmp

Download
memory/308-134-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/636-162-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/636-161-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/636-164-0x0000000010560000-0x00000000105D0000-memory.dmp

Filesize
448KB

Download
memory/636-157-0x0000000000000000-mapping.dmp

Download
memory/3248-137-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3248-132-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4700-151-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/4700-148-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/4700-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads