cybergate | ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

General

Target

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Size

452KB
MD5

121c5efe1422bad203e907e8a44b0e20
SHA1

84638ef5445ac901628e3733e9bea075180d40da
SHA256

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb
SHA512

47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b
SSDEEP

12288:jDGRaAAAAAAAAAAAAACAAAAAw4E/sdYMpCNeL5Jp0OxmxKFSvgiPH:jS8AAAAAAAAAAAAACAAAAAw4EEdrpC0i

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

C2

dfrreaccountsnew.no-ip.org:3012

Mutex

***xMUTEx***

Attributes

enable_keylogger
false
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Uninstall
install_file
root
install_flag
true
keylogger_enable_ftp
false
message_box_caption
dll.start
message_box_title
Expired program
password
anonymous
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Executes dropped EXE 2 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

pid	process
1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}\StubPath = "C:\\Windows\\system32\\Uninstall\\root"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}\StubPath = "C:\\Windows\\system32\\Uninstall\\root Restart"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}	explorer.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1060-61-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1060-63-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1060-64-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1060-68-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1060-70-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1060-71-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1060-72-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1060-74-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1060-83-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1744-88-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1744-91-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1060-93-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral1/memory/1060-101-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1816-106-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1060-107-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1744-154-0x0000000031900000-0x000000003190D000-memory.dmp	upx
behavioral1/memory/1816-155-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1744-159-0x0000000031900000-0x000000003190D000-memory.dmp	upx
behavioral1/memory/1816-160-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Loads dropped DLL 2 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

pid	process
1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\InstallDir\\winlogon.exe"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\InstallDir\\winlogon.exe"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1048 1740 WerFault.exe IEXPLORE.EXE

pid	pid_target	process	target process
1048	1740	WerFault.exe	IEXPLORE.EXE

Drops file in System32 directory 4 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Uninstall\root	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\SysWOW64\Uninstall\root	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\SysWOW64\Uninstall\root	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\SysWOW64\Uninstall\	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	pid	process	target process
PID 1476 set thread context of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 1476 set thread context of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Drops file in Windows directory 3 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File created	C:\Windows\InstallDir\winlogon.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\InstallDir\winlogon.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377241516"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{52D4EC61-76B7-11ED-AA2C-DE5CC620A9B4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeWerFault.exe

pid	process
1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Token: SeDebugPrivilege	1816	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Token: SeDebugPrivilege	1048	WerFault.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeiexplore.exe

pid process

1060 ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
1196 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1196 iexplore.exe
1196 iexplore.exe
1740 IEXPLORE.EXE
1740 IEXPLORE.EXE

pid	process
1196	iexplore.exe
1196	iexplore.exe
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.execmd.exenet.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	pid	process	target process
PID 1476 wrote to memory of 600	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	cmd.exe
PID 1476 wrote to memory of 600	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	cmd.exe
PID 1476 wrote to memory of 600	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	cmd.exe
PID 1476 wrote to memory of 600	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	cmd.exe
PID 1476 wrote to memory of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 1476 wrote to memory of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 1476 wrote to memory of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 1476 wrote to memory of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 1476 wrote to memory of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 1476 wrote to memory of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 1476 wrote to memory of 1196	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 600 wrote to memory of 1140	600	cmd.exe	net.exe
PID 600 wrote to memory of 1140	600	cmd.exe	net.exe
PID 600 wrote to memory of 1140	600	cmd.exe	net.exe
PID 600 wrote to memory of 1140	600	cmd.exe	net.exe
PID 1140 wrote to memory of 1288	1140	net.exe	net1.exe
PID 1140 wrote to memory of 1288	1140	net.exe	net1.exe
PID 1140 wrote to memory of 1288	1140	net.exe	net1.exe
PID 1140 wrote to memory of 1288	1140	net.exe	net1.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1476 wrote to memory of 1060	1476	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 1060 wrote to memory of 1380	1060	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:788

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:760

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
3⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:868

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:284

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1028

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:956

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
"C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:1288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 736
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
"C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
240KB

MD5
900262717462e437f4bd09775eb8e573

SHA1
5b6e67bd4ef592a42d8c6845e09889dd517f4591

SHA256
02764dd16a648dea6886ffc581755a4d515c53bde9973b5381ee38ea54b9d74c

SHA512
929759127a3397706dea282d31bebeb5394f28a01f26008613d2e54863a4671695698a9c0abadf7ee74ff51845e6ba8e2e47e02f58b38bc8711a29e5336ea834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
C:\Windows\SysWOW64\Uninstall\root
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
memory/260-108-0x0000000031770000-0x000000003177D000-memory.dmp

Filesize
52KB

Download
memory/600-56-0x0000000000000000-mapping.dmp

Download
memory/1048-158-0x0000000000000000-mapping.dmp

Download
memory/1060-60-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-74-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1060-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-68-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-72-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-107-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-101-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1060-93-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1060-65-0x0000000000457D20-mapping.dmp

Download
memory/1060-83-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1060-61-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1060-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1140-57-0x0000000000000000-mapping.dmp

Download
memory/1288-58-0x0000000000000000-mapping.dmp

Download
memory/1380-77-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1476-55-0x0000000000340000-0x0000000000344000-memory.dmp

Filesize
16KB

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1744-80-0x0000000000000000-mapping.dmp

Download
memory/1744-91-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1744-88-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1744-154-0x0000000031900000-0x000000003190D000-memory.dmp

Filesize
52KB

Download
memory/1744-82-0x00000000745F1000-0x00000000745F3000-memory.dmp

Filesize
8KB

Download
memory/1744-159-0x0000000031900000-0x000000003190D000-memory.dmp

Filesize
52KB

Download
memory/1816-98-0x0000000000000000-mapping.dmp

Download
memory/1816-106-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1816-155-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1816-160-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads