cybergate | ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2

General

Target

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Size

400KB
MD5

13693ca45e8932cb33703e42a16c7790
SHA1

e1264599e0341889523ec161e25cdc5efaccc577
SHA256

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2
SHA512

87ecefcd543b8ec59e9cbadec9ae72403631d39a4b403a895f49916ea8b4d2e705c22b408c3e7ad1fce928a0435827903911080270b3dbd805e59e0950e2ce56
SSDEEP

6144:DYuREg+KzpmpCJKhO81+eQSQXuECLkDzBa+QxWjEi8BH/xoMHQugveLdxe:UuD+BL1lQNJCLkDtasjEi8BH/xeBeQ

Score

10^/10

cybergate infected persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

Infected

C2

goforit.no-ip.biz:7410

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
DATAF
install_file
msrcv.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
goa

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\DATAF\\msrcv.exe"	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\DATAF\\msrcv.exe"	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

Executes dropped EXE 2 IoCs

Processes:

msrcv.exemsrcv.exe

pid process

968 msrcv.exe
1632 msrcv.exe

pid	process
968	msrcv.exe
1632	msrcv.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63P4418F-4T7L-TCOD-XF87-7LTE2O826T1E}\StubPath = "C:\\Windows\\system32\\DATAF\\msrcv.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{63P4418F-4T7L-TCOD-XF87-7LTE2O826T1E}	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63P4418F-4T7L-TCOD-XF87-7LTE2O826T1E}\StubPath = "C:\\Windows\\system32\\DATAF\\msrcv.exe Restart"	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{63P4418F-4T7L-TCOD-XF87-7LTE2O826T1E}	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1724-73-0x0000000024010000-0x0000000024052000-memory.dmp	upx
behavioral1/memory/1724-82-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral1/memory/320-87-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral1/memory/320-90-0x0000000024060000-0x00000000240A2000-memory.dmp	upx
behavioral1/memory/1724-93-0x00000000240B0000-0x00000000240F2000-memory.dmp	upx
behavioral1/memory/1724-102-0x0000000024100000-0x0000000024142000-memory.dmp	upx
behavioral1/memory/320-109-0x00000000034D0000-0x0000000003539000-memory.dmp	upx
behavioral1/memory/608-116-0x0000000024100000-0x0000000024142000-memory.dmp	upx
behavioral1/memory/608-133-0x0000000024100000-0x0000000024142000-memory.dmp	upx
behavioral1/memory/608-137-0x0000000024100000-0x0000000024142000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

explorer.exe

pid process

320 explorer.exe
320 explorer.exe

pid	process
320	explorer.exe
320	explorer.exe

Drops file in System32 directory 4 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exeee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DATAF\	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
File created	C:\Windows\SysWOW64\DATAF\msrcv.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
File opened for modification	C:\Windows\SysWOW64\DATAF\msrcv.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
File opened for modification	C:\Windows\SysWOW64\DATAF\msrcv.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exemsrcv.exe

description	pid	process	target process
PID 1628 set thread context of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 968 set thread context of 1632	968	msrcv.exe	msrcv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exemsrcv.exe

pid process

1724 ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
1632 msrcv.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

pid process

608 ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

pid	process
1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
1632	msrcv.exe

pid	process
608	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

description	pid	process
Token: SeDebugPrivilege	608	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Token: SeDebugPrivilege	608	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

pid process

1724 ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exemsrcv.exe

pid process

1628 ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
968 msrcv.exe

pid	process
1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

pid	process
1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
968	msrcv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exeee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe

description	pid	process	target process
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1628 wrote to memory of 1724	1628	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE
PID 1724 wrote to memory of 1244	1724	ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
"C:\Users\Admin\AppData\Local\Temp\ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
C:\Users\Admin\AppData\Local\Temp\ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
PID:320

C:\Windows\SysWOW64\DATAF\msrcv.exe
"C:\Windows\system32\DATAF\msrcv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\SysWOW64\DATAF\msrcv.exe
C:\Windows\SysWOW64\DATAF\msrcv.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe
"C:\Users\Admin\AppData\Local\Temp\ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
189KB

MD5
dc6034f89db74fdaf84a1db14c775888

SHA1
af5763839809e8a2870ca3598d852b048b720b6a

SHA256
adc4be444ed0760682567c28a908a7b4452887a720f35a915d17de5610a72a82

SHA512
01be0f17038c08483a43ca7ae86d58b6d45747972181353ff79e76761fe2eae111879d7aae82538833363a348811028bb149d732c9eb07f36a147e1e93e5eacd

Download Submit
C:\Windows\SysWOW64\DATAF\msrcv.exe
Filesize
400KB

MD5
13693ca45e8932cb33703e42a16c7790

SHA1
e1264599e0341889523ec161e25cdc5efaccc577

SHA256
ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2

SHA512
87ecefcd543b8ec59e9cbadec9ae72403631d39a4b403a895f49916ea8b4d2e705c22b408c3e7ad1fce928a0435827903911080270b3dbd805e59e0950e2ce56

Download Submit
C:\Windows\SysWOW64\DATAF\msrcv.exe
Filesize
400KB

MD5
13693ca45e8932cb33703e42a16c7790

SHA1
e1264599e0341889523ec161e25cdc5efaccc577

SHA256
ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2

SHA512
87ecefcd543b8ec59e9cbadec9ae72403631d39a4b403a895f49916ea8b4d2e705c22b408c3e7ad1fce928a0435827903911080270b3dbd805e59e0950e2ce56

Download Submit
C:\Windows\SysWOW64\DATAF\msrcv.exe
Filesize
400KB

MD5
13693ca45e8932cb33703e42a16c7790

SHA1
e1264599e0341889523ec161e25cdc5efaccc577

SHA256
ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2

SHA512
87ecefcd543b8ec59e9cbadec9ae72403631d39a4b403a895f49916ea8b4d2e705c22b408c3e7ad1fce928a0435827903911080270b3dbd805e59e0950e2ce56

Download Submit
\Windows\SysWOW64\DATAF\msrcv.exe
Filesize
400KB

MD5
13693ca45e8932cb33703e42a16c7790

SHA1
e1264599e0341889523ec161e25cdc5efaccc577

SHA256
ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2

SHA512
87ecefcd543b8ec59e9cbadec9ae72403631d39a4b403a895f49916ea8b4d2e705c22b408c3e7ad1fce928a0435827903911080270b3dbd805e59e0950e2ce56

Download Submit
\Windows\SysWOW64\DATAF\msrcv.exe
Filesize
400KB

MD5
13693ca45e8932cb33703e42a16c7790

SHA1
e1264599e0341889523ec161e25cdc5efaccc577

SHA256
ee9564a5cf6d6bd545264be766c4a8997abde1c24e79b21614d0af3c4caad5f2

SHA512
87ecefcd543b8ec59e9cbadec9ae72403631d39a4b403a895f49916ea8b4d2e705c22b408c3e7ad1fce928a0435827903911080270b3dbd805e59e0950e2ce56

Download Submit
memory/320-109-0x00000000034D0000-0x0000000003539000-memory.dmp

Filesize
420KB

Download
memory/320-79-0x0000000000000000-mapping.dmp

Download
memory/320-90-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/320-136-0x00000000034D0000-0x0000000003539000-memory.dmp

Filesize
420KB

Download
memory/320-87-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/320-81-0x00000000747A1000-0x00000000747A3000-memory.dmp

Filesize
8KB

Download
memory/320-112-0x00000000034D0000-0x0000000003539000-memory.dmp

Filesize
420KB

Download
memory/608-133-0x0000000024100000-0x0000000024142000-memory.dmp

Filesize
264KB

Download
memory/608-99-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/608-97-0x0000000000000000-mapping.dmp

Download
memory/608-116-0x0000000024100000-0x0000000024142000-memory.dmp

Filesize
264KB

Download
memory/608-137-0x0000000024100000-0x0000000024142000-memory.dmp

Filesize
264KB

Download
memory/968-130-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/968-115-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/968-104-0x0000000000000000-mapping.dmp

Download
memory/1244-76-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/1628-68-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1628-55-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1632-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1632-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1632-127-0x000000000040BBE4-mapping.dmp

Download
memory/1632-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-98-0x0000000001BC0000-0x0000000001C29000-memory.dmp

Filesize
420KB

Download
memory/1724-93-0x00000000240B0000-0x00000000240F2000-memory.dmp

Filesize
264KB

Download
memory/1724-102-0x0000000024100000-0x0000000024142000-memory.dmp

Filesize
264KB

Download
memory/1724-82-0x0000000024060000-0x00000000240A2000-memory.dmp

Filesize
264KB

Download
memory/1724-73-0x0000000024010000-0x0000000024052000-memory.dmp

Filesize
264KB

Download
memory/1724-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-69-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1724-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-66-0x000000000040BBE4-mapping.dmp

Download
memory/1724-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-62-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads