cybergate | 80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2

Analysis

max time kernel
171s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Size

448KB
MD5

a1f04201e6668cdb2697a6824e890677
SHA1

d527009253c57eaac003071a91d301215066f15f
SHA256

80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2
SHA512

f4689735dd123c606eabb6a0658abc2511c6abe01bb823e17b92d9db23e6d4ce08d7740d385429ca3fe5df0459d85d95c1fb0c646aaae0fb67530577eb683222
SSDEEP

6144:PlkZ8ZJd1uDIzou1z8KfSUUB2TPk2kyn5O8MTBW6AgOW0/TRJNOIN:PlkZeLG3eNh5mTBW6AfW0tJNN

Score

10^/10

cybergate jakun evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

jakun

kucingtikus.ath.cx:15963

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
5
ftp_password
965332abc
ftp_port
21
ftp_server
thepirate.justfree.com
ftp_username
thepirate
injected_process
explorer.exe
install_dir
install
install_file
avguard32.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1q2w3e
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\avguard32.exe"	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\avguard32.exe"	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
3588	avguard32.exe
4024	avguard32.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F0J6PG-PQ83-L1FR-50DI-W3D25J8XPC7N}	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F0J6PG-PQ83-L1FR-50DI-W3D25J8XPC7N}\StubPath = "C:\\Windows\\system32\\install\\avguard32.exe Restart"	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4900-136-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4900-138-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4900-139-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4900-141-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4900-143-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4900-148-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4900-152-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4800-151-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4800-156-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4800-157-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4024-167-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4024-168-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4024-171-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4024-172-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\avguard32.exe"	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\avguard32.exe"	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	avguard32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	avguard32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\install\	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
File created	C:\Windows\SysWOW64\install\avguard32.exe	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
File opened for modification	C:\Windows\SysWOW64\install\avguard32.exe	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
File opened for modification	C:\Windows\SysWOW64\install\avguard32.exe	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3236 set thread context of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3588 set thread context of 4024	3588	avguard32.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
4024	avguard32.exe
4024	avguard32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4800	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
Token: SeDebugPrivilege	4800	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
3588	avguard32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 3236 wrote to memory of 4900	3236	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	82
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83
PID 4900 wrote to memory of 4500	4900	80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe	83

C:\Users\Admin\AppData\Local\Temp\80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
"C:\Users\Admin\AppData\Local\Temp\80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
  C:\Users\Admin\AppData\Local\Temp\80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe
    "C:\Users\Admin\AppData\Local\Temp\80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
  - - C:\Windows\SysWOW64\install\avguard32.exe
      "C:\Windows\system32\install\avguard32.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3588
    - - C:\Windows\SysWOW64\install\avguard32.exe
        
        C:\Windows\SysWOW64\install\avguard32.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
64bd9a644bd182581368e3ce024dad9a

SHA1
1520bd16d65200bfa86d889eb88f4f62a65dd007

SHA256
5814095df174f580f08019718d2f8d05177276906620e36564588ba4b19ddfdb

SHA512
af1ec9959334ae377a1b199a44ec31a3cadc1273512f8a2644eb8b3b21f24d4afe1c0515a3bb685bd35a0856c2d6383504ee7e72ae67f87f3bda0a8ff91ec5db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
25e7413a64615be6b7471f8a2b03218a

SHA1
797a322a02901d7749f54ac9778ad252826838ee

SHA256
0c4ece6204fcbc0a66afc68cbe3673032c329e4d7555b24b157239b82b312307

SHA512
170bc7d4b0dc6b57e12257083f68d7ae866d7cccbbefb6bffa0af4e5d90e063c720435ae496b5809fde8f8232f9280de0674a51c3ab2418ce68f9788de85463e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
a79ef25d730f5025701d4d668275580d

SHA1
b7327f5a8da46f56ff706385de6b7e845e9c951b

SHA256
51bad229ef9261e040cb1ac58f936323377a2e9946fab7132f407403e40b22da

SHA512
9d68cfc1f62b9e6cb10f21e385beaf9dbaec5651a8033c3d644aa2743366bc376d36eaaa43b5903ecb70cbf5542eace634e7153616d3f229be88a1a3fd50e2de

Download Submit
C:\Windows\SysWOW64\install\avguard32.exe

Filesize
448KB

MD5
a1f04201e6668cdb2697a6824e890677

SHA1
d527009253c57eaac003071a91d301215066f15f

SHA256
80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2

SHA512
f4689735dd123c606eabb6a0658abc2511c6abe01bb823e17b92d9db23e6d4ce08d7740d385429ca3fe5df0459d85d95c1fb0c646aaae0fb67530577eb683222

Download Submit
C:\Windows\SysWOW64\install\avguard32.exe

Filesize
448KB

MD5
a1f04201e6668cdb2697a6824e890677

SHA1
d527009253c57eaac003071a91d301215066f15f

SHA256
80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2

SHA512
f4689735dd123c606eabb6a0658abc2511c6abe01bb823e17b92d9db23e6d4ce08d7740d385429ca3fe5df0459d85d95c1fb0c646aaae0fb67530577eb683222

Download Submit
C:\Windows\SysWOW64\install\avguard32.exe

Filesize
448KB

MD5
a1f04201e6668cdb2697a6824e890677

SHA1
d527009253c57eaac003071a91d301215066f15f

SHA256
80c4a2585162fdfa6993b61ededb8b89cc10d398c32ec0cd1b45e44118721fd2

SHA512
f4689735dd123c606eabb6a0658abc2511c6abe01bb823e17b92d9db23e6d4ce08d7740d385429ca3fe5df0459d85d95c1fb0c646aaae0fb67530577eb683222

Download Submit
memory/3236-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3236-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3236-175-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3588-173-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3588-174-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3588-162-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4024-167-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4024-168-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4024-172-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4024-171-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4800-155-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4800-157-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4800-156-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4800-151-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4900-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4900-148-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4900-143-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4900-141-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4900-139-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4900-138-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4900-136-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download