cybergate | f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee

Analysis

max time kernel
192s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Size

332KB
MD5

5996ae5ce5b1ba79aab211992dba3d42
SHA1

4308c54a7d5ef62b379d7f171a29ab11875a9b95
SHA256

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee
SHA512

c9101394f08fc71d273b74a1d99e5400bd1f1e8120f122c26f068668c059778e7c64efe43834b15f3e44ae644a570bc5369ecc937db55d5a674604541940479d
SSDEEP

6144:k17kgF25dWLF3zkPw3VM7+nJ6qLfyi87lw01793r5i78Adcvk05/Navio2maa1/h:sAgG4QyVq6J6+f8a01h3r59Ad4/Av/rj

Score

10^/10

cybergate hack persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

hack

theshow.no-ip.org:81

Mutex

UDO638P2R8427W

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windr
install_file
kkkiii.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Test
message_box_title
test
password
fred11
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windr\\kkkiii.exe"	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windr\\kkkiii.exe"	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Executes dropped EXE 3 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exef65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exekkkiii.exe

pid	process
1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
1016	kkkiii.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85035Y1R-3X7X-JJ5X-14TM-IITI37VNLX4F}\StubPath = "C:\\Windows\\system32\\windr\\kkkiii.exe Restart"	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{85035Y1R-3X7X-JJ5X-14TM-IITI37VNLX4F}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85035Y1R-3X7X-JJ5X-14TM-IITI37VNLX4F}\StubPath = "C:\\Windows\\system32\\windr\\kkkiii.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{85035Y1R-3X7X-JJ5X-14TM-IITI37VNLX4F}	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1528-84-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1528-94-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1044-99-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1044-102-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1528-104-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1528-111-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/2028-117-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/2028-118-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/2028-123-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exef65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid	process
960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windr\\kkkiii.exe"	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windr\\kkkiii.exe"	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Drops file in System32 directory 4 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exef65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	ioc	process
File created	C:\Windows\SysWOW64\windr\kkkiii.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
File opened for modification	C:\Windows\SysWOW64\windr\kkkiii.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
File opened for modification	C:\Windows\SysWOW64\windr\kkkiii.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
File opened for modification	C:\Windows\SysWOW64\windr\	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	pid	process	target process
PID 960 set thread context of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid process

1528 f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid process

2028 f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid	process
2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exeexplorer.exef65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	pid	process
Token: SeDebugPrivilege	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Token: SeBackupPrivilege	1044	explorer.exe
Token: SeRestorePrivilege	1044	explorer.exe
Token: SeBackupPrivilege	2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Token: SeRestorePrivilege	2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Token: SeDebugPrivilege	2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Token: SeDebugPrivilege	2028	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

pid process

1528 f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.execsc.exef65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe

description	pid	process	target process
PID 960 wrote to memory of 844	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	csc.exe
PID 960 wrote to memory of 844	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	csc.exe
PID 960 wrote to memory of 844	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	csc.exe
PID 960 wrote to memory of 844	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	csc.exe
PID 844 wrote to memory of 564	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 564	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 564	844	csc.exe	cvtres.exe
PID 844 wrote to memory of 564	844	csc.exe	cvtres.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 960 wrote to memory of 1528	960	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE
PID 1528 wrote to memory of 1224	1528	f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
"C:\Users\Admin\AppData\Local\Temp\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tflidi_8.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF671.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF651.tmp"
4⤵
PID:564

C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1752

C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
"C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\windr\kkkiii.exe
"C:\Windows\system32\windr\kkkiii.exe"
5⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
b18dfcebfc78c170c8b952d9779c715d

SHA1
1667a43dbd67c9f270c4febd398f588bfddf4a21

SHA256
ee1380bf926d7dcc5b653092ecfe46d7b5b4d0c5b48c1b3550f320c67e676d4f

SHA512
f60f4e1c15ff7f7160fec72256911c16857a1152546a91547b87dfd035927cf2a72e41ab30740faf34697392986ae92b92a00b2c6d3f9d3f1259e377d8bbe023

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF671.tmp
Filesize
1KB

MD5
e85c7d0f414924db906600f4adc28a4b

SHA1
579a2e6456b70df4ebf482b90e443ac472acf709

SHA256
279d2f944d1c2e700b19aa2065c5b158c613299204dbc373ebbda0fc8bc775c6

SHA512
397a440030ac19f4980db942fcb1530bb5b4324e441b3427858c8e36a94fc71a83d62a00138272e1d99e9671468a7de9a3b49215190138ca0c9b20efecf5bc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tflidi_8.dll
Filesize
5KB

MD5
bf537adeb3bd0e852db446b01a76900e

SHA1
5ea6d191769ade3165b727e4b9157a025a4504da

SHA256
7e08b02c97337cd428e8d0d0ed1335d8cfa6fa14301e6a3e2e9e341d90d80134

SHA512
880d2b7d53e98f69f549e9de90e1ccfa792123ca82f2a7d2a2ed70cc482234137649008f76c47b17ecfabc765e0320a89787cc6de10d52adc96b376686a83437

Download Submit
C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\windr\kkkiii.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Windows\SysWOW64\windr\kkkiii.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF651.tmp
Filesize
652B

MD5
5dc8e6c7f5586d38776f2c8bf055dd19

SHA1
5cbb70da5c12b225fd59c428fd5a3816e5223de8

SHA256
744a1347de460211212b876d377c72faa0a12513c1c9504b153577665858373d

SHA512
3435dc79c337acf705adba596e0ff5cbc4ffada9ab2a81a2b995aec015bf521a1090ef280cb0107a4a0b51fa2f28932314de75c1c6c030d4a12bbe54b3afcbeb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tflidi_8.0.cs
Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tflidi_8.cmdline
Filesize
206B

MD5
41e30ccf33a7c21601e68c0effd65f7b

SHA1
d9d6f692a6e9d0fe70e4ab997f8c981b2556f46f

SHA256
5e6024a319750c53fafaac99c1fc05076efcdb6e975b02bdb89d1ea8c846e27f

SHA512
c4a7d99736640463bdf76e91e15dc1ce285066435d35e810069e878ed4da44e63e711abea2dd51bd276acfbebfe6c4e59b6261fec57d95ce8b383f66c09a170a

Download Submit
\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Users\Admin\AppData\Roaming\f65aa0d9474becc2e522804b93cb2c5880777b2a5fddc7a9e566156935434aee.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\windr\kkkiii.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\Windows\SysWOW64\windr\kkkiii.exe
Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
memory/564-59-0x0000000000000000-mapping.dmp

Download
memory/844-56-0x0000000000000000-mapping.dmp

Download
memory/960-78-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/960-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1016-121-0x0000000000000000-mapping.dmp

Download
memory/1044-102-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1044-99-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1044-93-0x0000000074821000-0x0000000074823000-memory.dmp

Filesize
8KB

Download
memory/1044-90-0x0000000000000000-mapping.dmp

Download
memory/1224-87-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1528-81-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-70-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-80-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-91-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-77-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-94-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1528-75-0x000000000040E1A8-mapping.dmp

Download
memory/1528-74-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-72-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-69-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-104-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1528-84-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1528-71-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-111-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1528-116-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-68-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1528-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2028-108-0x0000000000000000-mapping.dmp

Download
memory/2028-118-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2028-117-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2028-123-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download