cybergate | ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

General

Target

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Size

452KB
MD5

121c5efe1422bad203e907e8a44b0e20
SHA1

84638ef5445ac901628e3733e9bea075180d40da
SHA256

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb
SHA512

47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b
SSDEEP

12288:jDGRaAAAAAAAAAAAAACAAAAAw4E/sdYMpCNeL5Jp0OxmxKFSvgiPH:jS8AAAAAAAAAAAAACAAAAAw4EEdrpC0i

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

C2

dfrreaccountsnew.no-ip.org:3012

Mutex

***xMUTEx***

Attributes

enable_keylogger
false
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Uninstall
install_file
root
install_flag
true
keylogger_enable_ftp
false
message_box_caption
dll.start
message_box_title
Expired program
password
anonymous
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Executes dropped EXE 2 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

pid	process
4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}\StubPath = "C:\\Windows\\system32\\Uninstall\\root"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}\StubPath = "C:\\Windows\\system32\\Uninstall\\root Restart"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ASQ07O4-PSG3-E40K-ANK5-06P40G4I1LE2}	explorer.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4824-137-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4824-140-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4824-141-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4824-142-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4824-144-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/4824-149-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1952-152-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1952-155-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4824-157-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/4824-163-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/4824-167-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3832-166-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3832-168-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1952-169-0x0000000031BA0000-0x0000000031BAD000-memory.dmp	upx
behavioral2/memory/3832-170-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1952-171-0x0000000031BA0000-0x0000000031BAD000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\InstallDir\\winlogon.exe"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\InstallDir\\winlogon.exe"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Uninstall\\root"	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Drops file in System32 directory 4 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Uninstall\root	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\SysWOW64\Uninstall\root	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\SysWOW64\Uninstall\root	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\SysWOW64\Uninstall\	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	pid	process	target process
PID 552 set thread context of 4876	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 552 set thread context of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Drops file in Windows directory 3 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	ioc	process
File opened for modification	C:\Windows\InstallDir	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File created	C:\Windows\InstallDir\winlogon.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
File opened for modification	C:\Windows\InstallDir\winlogon.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47D9BD71-76B7-11ED-B696-5203DB9D3E0F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377241485"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

pid	process
552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4876 iexplore.exe

pid	process
4876	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	pid	process
Token: SeDebugPrivilege	3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Token: SeDebugPrivilege	3832	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

pid process

4876 iexplore.exe
4824 ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4876 iexplore.exe
4876 iexplore.exe
1624 IEXPLORE.EXE
1624 IEXPLORE.EXE
1624 IEXPLORE.EXE
1624 IEXPLORE.EXE

pid	process
4876	iexplore.exe
4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

pid	process
4876	iexplore.exe
4876	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.execmd.exenet.exeiexplore.exeec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe

description	pid	process	target process
PID 552 wrote to memory of 480	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	cmd.exe
PID 552 wrote to memory of 480	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	cmd.exe
PID 552 wrote to memory of 480	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	cmd.exe
PID 552 wrote to memory of 4876	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 552 wrote to memory of 4876	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 552 wrote to memory of 4876	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 552 wrote to memory of 4876	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 552 wrote to memory of 4876	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 552 wrote to memory of 4876	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	iexplore.exe
PID 480 wrote to memory of 1292	480	cmd.exe	net.exe
PID 480 wrote to memory of 1292	480	cmd.exe	net.exe
PID 480 wrote to memory of 1292	480	cmd.exe	net.exe
PID 1292 wrote to memory of 2056	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2056	1292	net.exe	net1.exe
PID 1292 wrote to memory of 2056	1292	net.exe	net1.exe
PID 4876 wrote to memory of 1624	4876	iexplore.exe	IEXPLORE.EXE
PID 4876 wrote to memory of 1624	4876	iexplore.exe	IEXPLORE.EXE
PID 4876 wrote to memory of 1624	4876	iexplore.exe	IEXPLORE.EXE
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 552 wrote to memory of 4824	552	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE
PID 4824 wrote to memory of 2724	4824	ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe	Explorer.EXE

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:376

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3372

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3448

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3732

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4656

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:4380

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:1996

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:2128

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:1100

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1744

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2492

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2632

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2612

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2068

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
"C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:2056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4876 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
"C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:8

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:60

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:756

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 4c6f34909230dd0253f478a1bb7eabc1 FoT6OgCVgESEU/r8ikknEA.0.1.0.0.0
1⤵
PID:4080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2580

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
240KB

MD5
900262717462e437f4bd09775eb8e573

SHA1
5b6e67bd4ef592a42d8c6845e09889dd517f4591

SHA256
02764dd16a648dea6886ffc581755a4d515c53bde9973b5381ee38ea54b9d74c

SHA512
929759127a3397706dea282d31bebeb5394f28a01f26008613d2e54863a4671695698a9c0abadf7ee74ff51845e6ba8e2e47e02f58b38bc8711a29e5336ea834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb.exe
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
C:\Windows\SysWOW64\Uninstall\root
Filesize
452KB

MD5
121c5efe1422bad203e907e8a44b0e20

SHA1
84638ef5445ac901628e3733e9bea075180d40da

SHA256
ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

SHA512
47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b

Download Submit
memory/480-132-0x0000000000000000-mapping.dmp

Download
memory/552-133-0x00000000005F0000-0x00000000005F4000-memory.dmp

Filesize
16KB

Download
memory/1292-134-0x0000000000000000-mapping.dmp

Download
memory/1952-155-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1952-169-0x0000000031BA0000-0x0000000031BAD000-memory.dmp

Filesize
52KB

Download
memory/1952-152-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1952-171-0x0000000031BA0000-0x0000000031BAD000-memory.dmp

Filesize
52KB

Download
memory/1952-148-0x0000000000000000-mapping.dmp

Download
memory/2056-135-0x0000000000000000-mapping.dmp

Download
memory/3832-161-0x0000000000000000-mapping.dmp

Download
memory/3832-166-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3832-170-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/3832-168-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4824-157-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4824-141-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4824-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4824-163-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4824-167-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4824-149-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4824-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4824-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4824-144-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/4824-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads