cybergate | 9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c

General

Target

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Size

540KB
MD5

76d0f963836c3470ab54c153d33b304c
SHA1

c54fef3d8d4606ba7a1a2a3674424b5312a93347
SHA256

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c
SHA512

8ac0aee88e95e39636e3a79bd16d366fc395d818c3fff4143fb51cf9f4497dc3011e13ba56c534c8dc57ef2c4de90ed4ac0b32ca98c75181df6f4a9ad64dc685
SSDEEP

6144:Pq2ZDGGNrlIAJFpY4FAhI6u+IjS9Br4ZvHFO85eywacmMVIinYjS0QBDgS3Hhlh2:7NrGYpY4cI6unusVj58a7SIinASpE

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

victima

C2

127.0.0.1:81

broadcast.no-ip.biz:4662

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
medardo
regkey_hkcu
win32
regkey_hklm
win32

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services = "C:\\Windows\\system32\\system32\\win32.exe"	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services = "C:\\Windows\\system32\\system32\\win32.exe"	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

Executes dropped EXE 2 IoCs

Processes:

win32.exewin32.exe

pid process

3676 win32.exe
1652 win32.exe

pid	process
3676	win32.exe
1652	win32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\system32\\win32.exe Restart"	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\system32\\win32.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/176-144-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/176-147-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/176-148-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/176-149-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/176-174-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1652-197-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1652-198-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1652-199-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\system32\\win32.exe"	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\system32\\win32.exe"	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

Drops file in System32 directory 5 IoCs

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exeexplorer.exewin32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\system32\win32.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
File opened for modification	C:\Windows\SysWOW64\system32\win32.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
File opened for modification	C:\Windows\SysWOW64\system32\win32.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\system32\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\system32\win32.exe	win32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exewin32.exe

description	pid	process	target process
PID 2476 set thread context of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 3676 set thread context of 1652	3676	win32.exe	win32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2408 1652 WerFault.exe win32.exe
Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe

pid	pid_target	process	target process
2408	1652	WerFault.exe	win32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

pid	process
176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1616 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1616 explorer.exe
Token: SeDebugPrivilege 1616 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

pid process

176 9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exewin32.exe

pid process

2476 9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
3676 win32.exe

pid	process
1616	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1616	explorer.exe
Token: SeDebugPrivilege	1616	explorer.exe

pid	process
2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
3676	win32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe

description	pid	process	target process
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 2476 wrote to memory of 176	2476	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE
PID 176 wrote to memory of 964	176	9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
"C:\Users\Admin\AppData\Local\Temp\9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
C:\Users\Admin\AppData\Local\Temp\9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:176

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:3900

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\system32\win32.exe
"C:\Windows\system32\system32\win32.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Windows\SysWOW64\system32\win32.exe
C:\Windows\SysWOW64\system32\win32.exe
6⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 564
7⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1652 -ip 1652
1⤵
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
628KB

MD5
63cb8667c3ea30370a34d28d73e79d0c

SHA1
d10a05c6834bf2159166a7c402da8fdfb95395fb

SHA256
a317c75e8393e7d781feee729d926b14de899a9a17e3efddb8516e474f8b9368

SHA512
fe0d37bf4cbe48d31a34402db6e2a757ac771856ce82d9ab3ab8c4e6d480df80ba7d441cd45e99f4f48a315eb0b9aad21b8a88467185f3528b5cdc096bae50b5

Download Submit
C:\Windows\SysWOW64\system32\win32.exe
Filesize
540KB

MD5
76d0f963836c3470ab54c153d33b304c

SHA1
c54fef3d8d4606ba7a1a2a3674424b5312a93347

SHA256
9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c

SHA512
8ac0aee88e95e39636e3a79bd16d366fc395d818c3fff4143fb51cf9f4497dc3011e13ba56c534c8dc57ef2c4de90ed4ac0b32ca98c75181df6f4a9ad64dc685

Download Submit
C:\Windows\SysWOW64\system32\win32.exe
Filesize
540KB

MD5
76d0f963836c3470ab54c153d33b304c

SHA1
c54fef3d8d4606ba7a1a2a3674424b5312a93347

SHA256
9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c

SHA512
8ac0aee88e95e39636e3a79bd16d366fc395d818c3fff4143fb51cf9f4497dc3011e13ba56c534c8dc57ef2c4de90ed4ac0b32ca98c75181df6f4a9ad64dc685

Download Submit
C:\Windows\SysWOW64\system32\win32.exe
Filesize
540KB

MD5
76d0f963836c3470ab54c153d33b304c

SHA1
c54fef3d8d4606ba7a1a2a3674424b5312a93347

SHA256
9fc21729db7dd8e5853e1f5dd22b0030b719f14fed15c7774ad725c5a38fb32c

SHA512
8ac0aee88e95e39636e3a79bd16d366fc395d818c3fff4143fb51cf9f4497dc3011e13ba56c534c8dc57ef2c4de90ed4ac0b32ca98c75181df6f4a9ad64dc685

Download Submit
memory/176-168-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/176-147-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/176-174-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/176-151-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/176-149-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/176-148-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/176-159-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/176-143-0x0000000000000000-mapping.dmp

Download
memory/176-144-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1616-167-0x0000000000000000-mapping.dmp

Download
memory/1616-179-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/1616-177-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/1652-198-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1652-192-0x0000000000000000-mapping.dmp

Download
memory/1652-197-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1652-199-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2476-139-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2476-140-0x0000000002090000-0x00000000020A0000-memory.dmp

Filesize
64KB

Download
memory/2476-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2476-138-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2476-146-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2476-137-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2476-142-0x00000000020B0000-0x00000000020C0000-memory.dmp

Filesize
64KB

Download
memory/2476-136-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2476-141-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/2476-135-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2476-134-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2476-133-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3676-190-0x0000000001F90000-0x0000000001FA0000-memory.dmp

Filesize
64KB

Download
memory/3676-182-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/3676-185-0x0000000001F50000-0x0000000001F60000-memory.dmp

Filesize
64KB

Download
memory/3676-186-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/3676-187-0x0000000001F70000-0x0000000001F80000-memory.dmp

Filesize
64KB

Download
memory/3676-189-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3676-188-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/3676-180-0x0000000000000000-mapping.dmp

Download
memory/3676-191-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/3676-183-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/3676-184-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/3676-196-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3900-165-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/3900-178-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/3900-158-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads