Analysis
-
max time kernel
178s -
max time network
168s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
30-11-2022 08:05
Static task
static1
Behavioral task
behavioral1
Sample
842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe
Resource
win7-20221111-en
General
-
Target
842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe
-
Size
695KB
-
MD5
62b260e46ec032956277c2e830d4e2f5
-
SHA1
3c40a0a54422a7a9beb146b786ce3f3f5c32e4fc
-
SHA256
842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9
-
SHA512
2d75e8d1da5bee0f45f410e2e9d5b09423f5d47ca30f824e8969848f02d0dd3d3a8d0181fb0c7fab89f8e3d3c3fdc33b68059b85f9a5ae98f0a980ac77e6823d
-
SSDEEP
12288:OWzjD9iow5EfeeVqJ1ZUmoxQak98yNW7Pj7oHtqyYLBAMqw+mVNeaziNY69/Xjgg:bzjD9iDDZUmSW8MWfHrLtqw+UNeeZ6J1
Malware Config
Extracted
cybergate
v1.04.8
remote
rockstarrr.no-ip.org:3014
1GL2I4EXWXL2H7
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
svchost.exe
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
hundekuchen
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Detect Neshta payload 4 IoCs
Processes:
resource | yara_rule
\Windows\SysWOW64\LOIC.exe | family_neshta
\Windows\SysWOW64\LOIC.exe | family_neshta
C:\Windows\SysWOW64\LOIC.exe | family_neshta
C:\Windows\SysWOW64\LOIC.exe | family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: LOIC.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | LOIC.exe
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: server.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe" | server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe" | server.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | server.exe
-
Executes dropped EXE 7 IoCs
Processes: server.exe, LOIC.exe
pid | process
668 | server.exe
1420 | server.exe
2040 | server.exe
1068 | server.exe
1724 | LOIC.exe
1824 | server.exe
268 | LOIC.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: explorer.exe, server.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PAN05537-056U-1GD8-RWOD-3WO20K607HYS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PAN05537-056U-1GD8-RWOD-3WO20K607HYS} | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PAN05537-056U-1GD8-RWOD-3WO20K607HYS}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe Restart" | server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PAN05537-056U-1GD8-RWOD-3WO20K607HYS} | explorer.exe
-
Processes:
resource | yara_rule
behavioral1/memory/668-63-0x0000000010410000-0x0000000010471000-memory.dmp | upx
behavioral1/memory/668-72-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
behavioral1/memory/1992-77-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
behavioral1/memory/1992-80-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
behavioral1/memory/668-82-0x00000000104F0000-0x0000000010551000-memory.dmp | upx
behavioral1/memory/668-92-0x0000000010560000-0x00000000105C1000-memory.dmp | upx
behavioral1/memory/1420-101-0x0000000010560000-0x00000000105C1000-memory.dmp | upx
behavioral1/memory/1420-102-0x0000000010560000-0x00000000105C1000-memory.dmp | upx
behavioral1/memory/2040-111-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
behavioral1/memory/1068-116-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
behavioral1/memory/1420-118-0x0000000010560000-0x00000000105C1000-memory.dmp | upx
behavioral1/memory/1068-127-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
behavioral1/memory/1068-136-0x0000000010480000-0x00000000104E1000-memory.dmp | upx
-
Loads dropped DLL 10 IoCs
Processes: 842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe, server.exe, explorer.exe, LOIC.exe
pid | process
2044 | 842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe
2044 | 842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe
668 | server.exe
1992 | explorer.exe
1992 | explorer.exe
1068 | server.exe
1068 | server.exe
1724 | LOIC.exe
1724 | LOIC.exe
1724 | LOIC.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: server.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe" | server.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe" | server.exe
-
Drops file in System32 directory 2 IoCs
Processes: server.exe
description | ioc | process
File created | C:\Windows\SysWOW64\svchost.exe\server.exe | server.exe
File created | C:\Windows\SysWOW64\LOIC.exe | server.exe
-
Drops file in Program Files directory 64 IoCs
Processes: LOIC.exe
description | ioc | process
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | LOIC.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | LOIC.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | LOIC.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | LOIC.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | LOIC.exe
-
Drops file in Windows directory 1 IoCs
Processes: LOIC.exe
description | ioc | process
File opened for modification | C:\Windows\svchost.com | LOIC.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: LOIC.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | LOIC.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: server.exe
pid | process
668 | server.exe
2040 | server.exe
1824 | server.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: server.exe
pid | process
1068 | server.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: server.exe
description | pid | process
Token: SeDebugPrivilege | 1068 | server.exe
Token: SeDebugPrivilege | 1068 | server.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: server.exe
pid | process
668 | server.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe, server.exe
description | pid | process | target process
PID 2044 wrote to memory of 668 | 2044 | 842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe | server.exe (4 IoCs with this row)
PID 668 wrote to memory of 1300 | 668 | server.exe | Explorer.EXE (the remaining 60 IoCs, all with this row)
Processes
-
C:\Windows\Explorer.EXE (level 1)
command line: C:\Windows\Explorer.EXE
-
C:\Users\Admin\AppData\Local\Temp\842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe (level 2)
command line: "C:\Users\Admin\AppData\Local\Temp\842313aedbc2fb9ae9aaa1e41d9e32c11ab2a3196eec3c188d52c382becc29d9.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe (level 3)
command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe (level 4)
command line: explorer.exe
- Modifies Installed Components in the registry
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe (level 5)
command line: "C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe (level 6)
command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe (level 6)
command line: "C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\LOIC.exe (level 7)
command line: "C:\Windows\system32\LOIC.exe"
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe (level 8)
command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe (level 7)
command line: "C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe (level 4)
command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
C:\Users\Admin\AppData\Local\Temp\server.exe (level 4)
command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe
Filesize: 132KB
MD5: b596e7cacbad1e814b0cd053086c4900
SHA1: 26ef60c870017ebc85901fb2fbce740b82032eb1
SHA256: 1b26fcf0da549a47dceefb4e99fd520d63dec3a7cd539d3edcf1d7c1d4a95fd5
SHA512: c8c08ff9e6ec7d30eea619cf1f82d737a79ad8edec33469b8afc3c41df49a6a4ec6011082ea5d8faef8e34a63a5e02811c425ba1d684bb99c38eea1759440230
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize: 394KB
MD5: 406e54903c5a3c73b1d34faacaad3cb8
SHA1: 69190c7222c094baba50ca52c646e96445b693ec
SHA256: 41f611a08057096bc026ae634e4e5434b1c4d7570986a961fdc842ad79894a9b
SHA512: d4cc73c6d28c5c8686c211b489a6e76ac04c077a6af40df839b5a1d3e0dab5d6cc6e2102a1c2edada6f6b00ff1d1767fa08bdf76c4d2c399d56d2b262d997782
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize: 394KB
MD5: 12b20a2714153107593a3d85e57210d4
SHA1: 944ef7d38624b5f24ec49653c14c24be68f3d240
SHA256: b37a6364bb851a57156de9c4482d638c7a38fb56fcd4807360884e285a1f6978
SHA512: 75c8e4d83708c26f303d15af42c470c8a5b8ccd5fdb5a26d040ca662290e7dd843be7b88d027310b24b2fbb3677435422d37fba12808852a1c2f405dbfbef954
-
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 461KB
MD5: 695bf86281f1405fb3efa445ba97605f
SHA1: 22e59822bf576c7226fdb4c344fd16b293b4f8e0
SHA256: 770ddffd464e6a5ea091ddf3e92766f571ff17dee40b29ab8c20ad84b9dcc8f4
SHA512: 59f5a79ed547161d680b58b55843ec12a32c67add70ad1f3bacdea7e1d012096d3735d6434a6970818db140cad7f4bf797eb518369e490b62bf8627d168d8518
-
C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe
Filesize: 461KB
MD5: 695bf86281f1405fb3efa445ba97605f
SHA1: 22e59822bf576c7226fdb4c344fd16b293b4f8e0
SHA256: 770ddffd464e6a5ea091ddf3e92766f571ff17dee40b29ab8c20ad84b9dcc8f4
SHA512: 59f5a79ed547161d680b58b55843ec12a32c67add70ad1f3bacdea7e1d012096d3735d6434a6970818db140cad7f4bf797eb518369e490b62bf8627d168d8518
-
C:\Windows\SysWOW64\LOIC.exe
Filesize: 172KB
MD5: b126225f373c5f22976965dcc1cf311b
SHA1: ab6d2473233c75a740c0d1579c50e1ce82e9e2f9
SHA256: 3a175e3ad1abc6c8261d41dde9c69d2c31044d47ca474753618530d0ab09bb8c
SHA512: 1e67742fd17103d927fbd92de6ab1ff775b8c3c90069bdcb80d9d708dc6cc231defd91139336a76fa031cebafd9c063ad41fd92e388eda7ee696a483f7ea1394
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\LOIC.exe
Filesize: 132KB
MD5: b596e7cacbad1e814b0cd053086c4900
SHA1: 26ef60c870017ebc85901fb2fbce740b82032eb1
SHA256: 1b26fcf0da549a47dceefb4e99fd520d63dec3a7cd539d3edcf1d7c1d4a95fd5
SHA512: c8c08ff9e6ec7d30eea619cf1f82d737a79ad8edec33469b8afc3c41df49a6a4ec6011082ea5d8faef8e34a63a5e02811c425ba1d684bb99c38eea1759440230
-
\Users\Admin\AppData\Local\Temp\server.exe
Filesize: 461KB
MD5: 695bf86281f1405fb3efa445ba97605f
SHA1: 22e59822bf576c7226fdb4c344fd16b293b4f8e0
SHA256: 770ddffd464e6a5ea091ddf3e92766f571ff17dee40b29ab8c20ad84b9dcc8f4
SHA512: 59f5a79ed547161d680b58b55843ec12a32c67add70ad1f3bacdea7e1d012096d3735d6434a6970818db140cad7f4bf797eb518369e490b62bf8627d168d8518
-
\Users\Admin\AppData\Roaming\svchost.exe\server.exe
Filesize: 461KB
MD5: 695bf86281f1405fb3efa445ba97605f
SHA1: 22e59822bf576c7226fdb4c344fd16b293b4f8e0
SHA256: 770ddffd464e6a5ea091ddf3e92766f571ff17dee40b29ab8c20ad84b9dcc8f4
SHA512: 59f5a79ed547161d680b58b55843ec12a32c67add70ad1f3bacdea7e1d012096d3735d6434a6970818db140cad7f4bf797eb518369e490b62bf8627d168d8518
-
\Windows\SysWOW64\LOIC.exe
Filesize: 172KB
MD5: b126225f373c5f22976965dcc1cf311b
SHA1: ab6d2473233c75a740c0d1579c50e1ce82e9e2f9
SHA256: 3a175e3ad1abc6c8261d41dde9c69d2c31044d47ca474753618530d0ab09bb8c
SHA512: 1e67742fd17103d927fbd92de6ab1ff775b8c3c90069bdcb80d9d708dc6cc231defd91139336a76fa031cebafd9c063ad41fd92e388eda7ee696a483f7ea1394
-
memory/268-135-0x000000001B386000-0x000000001B3A5000-memory.dmp
Filesize: 124KB
-
memory/268-133-0x0000000000390000-0x00000000003B6000-memory.dmp
Filesize: 152KB
-
memory/268-130-0x0000000000000000-mapping.dmp
-
memory/668-82-0x00000000104F0000-0x0000000010551000-memory.dmp
Filesize: 388KB
-
memory/668-72-0x0000000010480000-0x00000000104E1000-memory.dmp
Filesize: 388KB
-
memory/668-92-0x0000000010560000-0x00000000105C1000-memory.dmp
Filesize: 388KB
-
memory/668-58-0x0000000000000000-mapping.dmp
-
memory/668-63-0x0000000010410000-0x0000000010471000-memory.dmp
Filesize: 388KB
-
memory/1068-108-0x0000000000000000-mapping.dmp
-
memory/1068-136-0x0000000010480000-0x00000000104E1000-memory.dmp
Filesize: 388KB
-
memory/1068-116-0x0000000010480000-0x00000000104E1000-memory.dmp
Filesize: 388KB
-
memory/1068-127-0x0000000010480000-0x00000000104E1000-memory.dmp
Filesize: 388KB
-
memory/1300-66-0x0000000010410000-0x0000000010471000-memory.dmp
Filesize: 388KB
-
memory/1420-118-0x0000000010560000-0x00000000105C1000-memory.dmp
Filesize: 388KB
-
memory/1420-101-0x0000000010560000-0x00000000105C1000-memory.dmp
Filesize: 388KB
-
memory/1420-102-0x0000000010560000-0x00000000105C1000-memory.dmp
Filesize: 388KB
-
memory/1420-87-0x0000000000000000-mapping.dmp
-
memory/1724-121-0x0000000000000000-mapping.dmp
-
memory/1824-124-0x0000000000000000-mapping.dmp
-
memory/1992-69-0x0000000000000000-mapping.dmp
-
memory/1992-77-0x0000000010480000-0x00000000104E1000-memory.dmp
Filesize: 388KB
-
memory/1992-71-0x0000000071C11000-0x0000000071C13000-memory.dmp
Filesize: 8KB
-
memory/1992-80-0x0000000010480000-0x00000000104E1000-memory.dmp
Filesize: 388KB
-
memory/2040-94-0x0000000000000000-mapping.dmp
-
memory/2040-111-0x0000000010480000-0x00000000104E1000-memory.dmp
Filesize: 388KB
-
memory/2044-54-0x0000000075881000-0x0000000075883000-memory.dmp
Filesize: 8KB
-
memory/2044-90-0x0000000074AF0000-0x000000007509B000-memory.dmp
Filesize: 5.7MB
-
memory/2044-55-0x0000000074AF0000-0x000000007509B000-memory.dmp
Filesize: 5.7MB