cybergate | 8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2

Analysis

max time kernel
189s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Size

583KB
MD5

fd8043969aa9c35b39b4e1f92c4b0cb2
SHA1

38f26c94f872162bd708b29b43c44971391ca3dd
SHA256

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2
SHA512

a93d1d37de8b12d38a347e7fa944cb804c4c93f3909500ef6fa07d34b5fbb24984ee38d3394ef54bd2bcc438e090b6b5a3bb5f27788dde0c1516986b06a79eae
SSDEEP

12288:bZeVQkTrvj4PfvD2po0cu+T8fC5QYPnvEzIeeMIkc1PqMIEsjfhNcMvK:bwQkTf4Pf7263t8fkQYgveMBKPqfrIqK

Score

10^/10

cybergate hacker persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

hacker

dragonworld.no-ip.biz:81

Mutex

N6V5YN76140Q38

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

1340 server.exe
996 server.exe

pid	process
1340	server.exe
996	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85DPS53-VJL8-L1K0-3575-85D3E66EVVX5}	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85DPS53-VJL8-L1K0-3575-85D3E66EVVX5}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85DPS53-VJL8-L1K0-3575-85D3E66EVVX5}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D85DPS53-VJL8-L1K0-3575-85D3E66EVVX5}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1588-103-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1588-108-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1588-109-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1588-110-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1588-112-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/1588-121-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/2012-127-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1588-143-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/996-199-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1628-200-0x0000000010560000-0x00000000105C1000-memory.dmp	upx
behavioral1/memory/996-201-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2012-202-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/1628-203-0x0000000010560000-0x00000000105C1000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

pid	process
1628	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
1628	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

Drops file in System32 directory 4 IoCs

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
File opened for modification	C:\Windows\SysWOW64\install\	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
File created	C:\Windows\SysWOW64\install\server.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exeserver.exe

description	pid	process	target process
PID 1384 set thread context of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1340 set thread context of 996	1340	server.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1500 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

pid process

1628 8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

pid	process
1500	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Token: SeDebugPrivilege	1628	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Token: SeDebugPrivilege	1628	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
Token: SeDebugPrivilege	1340	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

pid process

1588 8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

pid	process
1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe

description	pid	process	target process
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1384 wrote to memory of 1588	1384	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE
PID 1588 wrote to memory of 1196	1588	8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
"C:\Users\Admin\AppData\Local\Temp\8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
"C:\Users\Admin\AppData\Local\Temp\8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe
"C:\Users\Admin\AppData\Local\Temp\8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2.exe"
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\disclaimer.ini
5⤵
- Opens file in notepad (likely ransom note)
PID:1500

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\SysWOW64\install\server.exe"
6⤵
- Executes dropped EXE
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
222KB

MD5
b0f7e2dc419e628e9eee0517b8a8005a

SHA1
748966b60eeed15f1984b4f9f1768062e8585e33

SHA256
2351cad23fee81b979766bde7dc4804ac979ba0338bcc45cef2e15d093188e64

SHA512
1b2d7d52f80b57a75e1e274b606dd1931b0cd267df4aa0b3a8922973dfd18b36f91d58a56f9ea0ef328ef46244659292a97b3a5c3f09a064254cd2ae43c2dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\disclaimer.ini
Filesize
44B

MD5
95f034689e202b643a319e17b6bc015c

SHA1
34d8f9a62691ca0ad8082acfe7abbb29f4351238

SHA256
6fe5b8aa7700464cbe87cffa308b9f4d325be7cde6be5002d3e3b8f69003add4

SHA512
9b47de45aa26c11f9b7d60c0eac8ae834f2f0c22f992da642a38826a870c3ea6795a6ff049cca8afdfc8485b0622a7b42f181559347c00660a184e7284826777

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
583KB

MD5
fd8043969aa9c35b39b4e1f92c4b0cb2

SHA1
38f26c94f872162bd708b29b43c44971391ca3dd

SHA256
8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2

SHA512
a93d1d37de8b12d38a347e7fa944cb804c4c93f3909500ef6fa07d34b5fbb24984ee38d3394ef54bd2bcc438e090b6b5a3bb5f27788dde0c1516986b06a79eae

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
583KB

MD5
fd8043969aa9c35b39b4e1f92c4b0cb2

SHA1
38f26c94f872162bd708b29b43c44971391ca3dd

SHA256
8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2

SHA512
a93d1d37de8b12d38a347e7fa944cb804c4c93f3909500ef6fa07d34b5fbb24984ee38d3394ef54bd2bcc438e090b6b5a3bb5f27788dde0c1516986b06a79eae

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
583KB

MD5
fd8043969aa9c35b39b4e1f92c4b0cb2

SHA1
38f26c94f872162bd708b29b43c44971391ca3dd

SHA256
8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2

SHA512
a93d1d37de8b12d38a347e7fa944cb804c4c93f3909500ef6fa07d34b5fbb24984ee38d3394ef54bd2bcc438e090b6b5a3bb5f27788dde0c1516986b06a79eae

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
583KB

MD5
fd8043969aa9c35b39b4e1f92c4b0cb2

SHA1
38f26c94f872162bd708b29b43c44971391ca3dd

SHA256
8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2

SHA512
a93d1d37de8b12d38a347e7fa944cb804c4c93f3909500ef6fa07d34b5fbb24984ee38d3394ef54bd2bcc438e090b6b5a3bb5f27788dde0c1516986b06a79eae

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
583KB

MD5
fd8043969aa9c35b39b4e1f92c4b0cb2

SHA1
38f26c94f872162bd708b29b43c44971391ca3dd

SHA256
8338894c6785b6ad2f1acd5c2e65d2b6a6a7feecff428dd0be5eef230c619cc2

SHA512
a93d1d37de8b12d38a347e7fa944cb804c4c93f3909500ef6fa07d34b5fbb24984ee38d3394ef54bd2bcc438e090b6b5a3bb5f27788dde0c1516986b06a79eae

Download Submit
memory/996-192-0x0000000000453A50-mapping.dmp

Download
memory/996-199-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/996-201-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1196-115-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1340-148-0x0000000000000000-mapping.dmp

Download
memory/1340-196-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1384-94-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-100-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-71-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-72-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-75-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-74-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-73-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-76-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-79-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-80-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-78-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-81-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-82-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-77-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-85-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-86-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-84-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-83-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-87-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-88-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1384-89-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-91-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-92-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-90-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-93-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-54-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-96-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-95-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-97-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-98-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-99-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-70-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-101-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-102-0x0000000000608000-0x000000000060C000-memory.dmp

Filesize
16KB

Download
memory/1384-57-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1384-58-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-106-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1384-59-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-60-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-61-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-62-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-69-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-63-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-64-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-67-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-68-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-65-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1384-66-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/1500-145-0x0000000000000000-mapping.dmp

Download
memory/1588-110-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1588-104-0x0000000000453A50-mapping.dmp

Download
memory/1588-143-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1588-121-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1588-103-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1588-108-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1588-112-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1588-109-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1628-135-0x0000000000000000-mapping.dmp

Download
memory/1628-200-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/1628-203-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/2012-127-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/2012-118-0x0000000000000000-mapping.dmp

Download
memory/2012-120-0x00000000749F1000-0x00000000749F3000-memory.dmp

Filesize
8KB

Download
memory/2012-202-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download