cybergate | b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2

Analysis

max time kernel
354s
max time network
416s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
Size

756KB
MD5

3fcd710621e35d3b44cfdf5526713409
SHA1

9ae6828fe48e807f657d0bcec12bdc08bf127f91
SHA256

b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2
SHA512

746be9048423dbd744516ee5b1a119b97e011397e580f673a12659eb17d10b6aff38124aa6529871de4e917f1ece7f088c225bce4d753722cc61de27fbd4de6d
SSDEEP

12288:ptDKf5rbJVpa/ZPJ0qY55dvq2W2C2yoCyBCZM6OdXA3N544+DeuAKksdj2LpGZ8K:pgpayvj4HvjZCWK4+De4lZPFHG0KadHN

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victime

ownyou78.no-ip.org:1605

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exevbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe"	vbc.exe

Executes dropped EXE 7 IoCs

Processes:

UjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exe

pid	process
3696	UjKeLIOIcLXr.exe
1808	UjKeLIOIcLXr.exe
4384	UjKeLIOIcLXr.exe
5108	UjKeLIOIcLXr.exe
3888	UjKeLIOIcLXr.exe
2940	UjKeLIOIcLXr.exe
4552	UjKeLIOIcLXr.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exevbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{50U322NA-MH13-G4K1-J78N-4YE08B206J74}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50U322NA-MH13-G4K1-J78N-4YE08B206J74}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{50U322NA-MH13-G4K1-J78N-4YE08B206J74}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50U322NA-MH13-G4K1-J78N-4YE08B206J74}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart"	vbc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3484-164-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3436-165-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exeb19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

UjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exeUjKeLIOIcLXr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\IMG788_548745.exe"	UjKeLIOIcLXr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\IMG788_548745.exe"	UjKeLIOIcLXr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\IMG788_548745.exe"	UjKeLIOIcLXr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\IMG788_548745.exe"	UjKeLIOIcLXr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\IMG788_548745.exe"	UjKeLIOIcLXr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\IMG788_548745.exe"	UjKeLIOIcLXr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\IMG788_548745.exe"	UjKeLIOIcLXr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exeb19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe

description	pid	process	target process
PID 3560 set thread context of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 set thread context of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exeb19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe

pid	process
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exeb19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe

description	pid	process
Token: SeDebugPrivilege	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
Token: SeDebugPrivilege	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

vbc.exevbc.exe

pid process

3436 vbc.exe
3484 vbc.exe

pid	process
3436	vbc.exe
3484	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exeb19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exevbc.exevbc.exe

description	pid	process	target process
PID 4860 wrote to memory of 3560	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
PID 4860 wrote to memory of 3560	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
PID 4860 wrote to memory of 3560	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3436	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 3560 wrote to memory of 3696	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 3560 wrote to memory of 3696	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 3560 wrote to memory of 3696	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 3560 wrote to memory of 1808	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 3560 wrote to memory of 1808	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 3560 wrote to memory of 1808	3560	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 4860 wrote to memory of 3484	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	vbc.exe
PID 4860 wrote to memory of 4384	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 4860 wrote to memory of 4384	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 4860 wrote to memory of 4384	4860	b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe	UjKeLIOIcLXr.exe
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3436 wrote to memory of 2888	3436	vbc.exe	Explorer.EXE
PID 3436 wrote to memory of 2888	3436	vbc.exe	Explorer.EXE
PID 3436 wrote to memory of 2888	3436	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE
PID 3484 wrote to memory of 2888	3484	vbc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
"C:\Users\Admin\AppData\Local\Temp\b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe
"C:\Users\Admin\AppData\Local\Temp\b19d472c52c3060d1e41e7b203c725be2571acb91d30bf53269d241d1487f0c2.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
PID:4916

C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
"C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1808

C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
"C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3696

C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
"C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3888

C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
"C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:3372

C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
"C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4384

C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
"C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5108

C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
"C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\UjKeLIOIcLXr.exe.log
Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
229KB

MD5
0de49df5cbe5454d53fe0224b1c0df11

SHA1
142946dab4f1a475018c7fe9d3b893a7e5d91df5

SHA256
0853955abfb984190fddb0b6ab6807b7a8be310fd387331ee3b014c96123769c

SHA512
930f515018868617cd86500d90aa878f04cd59d0acf79dbfc3be95ecd669be965218461c3aee6b25860c8ac293a1a10054f2270d5d495acea199f4f55ce00eb1

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
C:\Users\Admin\AppData\Roaming\UjKeLIOIcLXr.exe
Filesize
4KB

MD5
81b6841fca7fea086a8fbfd80c2291f0

SHA1
38e402c930ded07e524de07e3667eb5209cbfce8

SHA256
87f3f7dad59792435ef54bf704a1915fd05d7e02c544c852a53b2e800d5976d4

SHA512
818fdd6e246f166b4eb0c36a093dd1b29102139179f161c2afdf4294987b0ee984e643435b3a3cbea8c498930a294fde2779583eb7fb5c3c11ac8ca799b537b6

Download Submit
memory/1808-154-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/1808-143-0x0000000000000000-mapping.dmp

Download
memory/2940-186-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/2940-182-0x0000000000000000-mapping.dmp

Download
memory/3372-180-0x0000000000000000-mapping.dmp

Download
memory/3436-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3436-165-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3436-140-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3436-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3436-136-0x0000000000000000-mapping.dmp

Download
memory/3436-156-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3436-162-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3484-157-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3484-163-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3484-164-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3484-141-0x0000000000000000-mapping.dmp

Download
memory/3560-135-0x0000000000000000-mapping.dmp

Download
memory/3560-161-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/3560-139-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/3696-142-0x0000000000000000-mapping.dmp

Download
memory/3696-153-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/3888-174-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/3888-171-0x0000000000000000-mapping.dmp

Download
memory/3888-176-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4384-150-0x0000000000000000-mapping.dmp

Download
memory/4384-155-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4552-184-0x0000000000000000-mapping.dmp

Download
memory/4552-187-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4860-134-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4860-133-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/4916-181-0x0000000000000000-mapping.dmp

Download
memory/5108-177-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/5108-175-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/5108-170-0x0000000000000000-mapping.dmp

Download