cybergate | c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

Analysis

max time kernel
152s
max time network
116s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 23:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Size

583KB
MD5

b8c86d90b109edb252a41576f4a5fd1d
SHA1

bb99d66dfbf11a768bb881d8ed45b85b9d22df4b
SHA256

c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef
SHA512

9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518
SSDEEP

12288:W6Wq4aaE6KwyF5L0Y2D1PqLxrTg65kje2chPlUWEQ5oateL0mRdHPBm5:cthEVaPqLJTSEUWE4oategWC

Score

10^/10

cybergate x-man persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

X-MAN

mulenrug.zapto.org:100

Mutex

0BL8855T14VAV6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
desarakt.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Ìèëàÿ ìîÿ êèñà, æåëàþ òåáå ïðèÿòíîãî äíÿ è êðàñèâîãî ìóæ÷èíó ðÿäîì.
message_box_title
Äèìà
password
pirat
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\desarakt.exe"	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\desarakt.exe"	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

Executes dropped EXE 6 IoCs

pid	Process
1176	desarakt.exe
1976	desarakt.exe
1648	desarakt.exe
1864	desarakt.exe
1492	desarakt.exe
972	desarakt.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{QCSQSICJ-55Y2-1B65-N7BS-H5P08A7C8E22}	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QCSQSICJ-55Y2-1B65-N7BS-H5P08A7C8E22}\StubPath = "C:\\Windows\\system32\\install\\desarakt.exe Restart"	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{QCSQSICJ-55Y2-1B65-N7BS-H5P08A7C8E22}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{QCSQSICJ-55Y2-1B65-N7BS-H5P08A7C8E22}\StubPath = "C:\\Windows\\system32\\install\\desarakt.exe"	explorer.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-56-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1700-58-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1700-59-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1352-62-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1700-64-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1700-65-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1700-66-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1700-68-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1700-77-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/572-82-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/files/0x000b000000012308-84.dat	upx
behavioral1/memory/572-85-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1700-87-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1700-93-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/624-98-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/files/0x000b000000012308-101.dat	upx
behavioral1/files/0x000b000000012308-99.dat	upx
behavioral1/memory/1700-105-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/files/0x000b000000012308-103.dat	upx
behavioral1/files/0x000b000000012308-106.dat	upx
behavioral1/memory/624-110-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/624-109-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1176-112-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/files/0x000b000000012308-118.dat	upx
behavioral1/memory/1176-119-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1648-122-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1648-125-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1976-132-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/files/0x000b000000012308-130.dat	upx
behavioral1/memory/572-133-0x0000000003AD0000-0x0000000003B92000-memory.dmp	upx
behavioral1/memory/1648-134-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1864-135-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1864-139-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/files/0x000b000000012308-140.dat	upx
behavioral1/files/0x000b000000012308-142.dat	upx
behavioral1/files/0x000b000000012308-150.dat	upx
behavioral1/memory/1492-152-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/972-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1864-159-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1648-158-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/624-160-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
572	explorer.exe
1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
624	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\desarakt.exe"	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\desarakt.exe"	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1352-62-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1176-112-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1176-119-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1976-132-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/572-133-0x0000000003AD0000-0x0000000003B92000-memory.dmp	autoit_exe
behavioral1/memory/1492-152-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/624-161-0x000000000BFA0000-0x000000000C062000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\desarakt.exe	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
File opened for modification	C:\Windows\SysWOW64\install\desarakt.exe	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
File opened for modification	C:\Windows\SysWOW64\install\desarakt.exe	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
File opened for modification	C:\Windows\SysWOW64\install\	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1176 set thread context of 1648	1176	desarakt.exe	34
PID 1976 set thread context of 1864	1976	desarakt.exe	35
PID 1492 set thread context of 972	1492	desarakt.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
624	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	572	explorer.exe
Token: SeRestorePrivilege	572	explorer.exe
Token: SeBackupPrivilege	624	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Token: SeRestorePrivilege	624	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Token: SeDebugPrivilege	624	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
Token: SeDebugPrivilege	624	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1352 wrote to memory of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1352 wrote to memory of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1352 wrote to memory of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1352 wrote to memory of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1352 wrote to memory of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1352 wrote to memory of 1700	1352	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	28
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12
PID 1700 wrote to memory of 1284	1700	c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
  "C:\Users\Admin\AppData\Local\Temp\c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
    "C:\Users\Admin\AppData\Local\Temp\c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:572
    - - C:\Windows\SysWOW64\install\desarakt.exe
        
        "C:\Windows\system32\install\desarakt.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1976
      - C:\Windows\SysWOW64\install\desarakt.exe
        
        "C:\Windows\SysWOW64\install\desarakt.exe"
        6⤵
        Executes dropped EXE
        
        PID:1864
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe
      "C:\Users\Admin\AppData\Local\Temp\c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:624
    - - C:\Windows\SysWOW64\install\desarakt.exe
        
        "C:\Windows\system32\install\desarakt.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1492
      - C:\Windows\SysWOW64\install\desarakt.exe
        
        "C:\Windows\SysWOW64\install\desarakt.exe"
        6⤵
        Executes dropped EXE
        
        PID:972
  - - C:\Windows\SysWOW64\install\desarakt.exe
      "C:\Windows\system32\install\desarakt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1176
    - - C:\Windows\SysWOW64\install\desarakt.exe
        
        "C:\Windows\SysWOW64\install\desarakt.exe"
        5⤵
        Executes dropped EXE
        
        PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
9f78446f12a2dce8a9844244e9cc1772

SHA1
fb89da3559ea1b83b03040d7d9d7f93b3bd677a3

SHA256
375b519123044ed6ae5cdf92189f902809fb6477fab9f0c69e9fdeca8a4e0a73

SHA512
aee0a5cac518fbb19c66e327f20f5168a944c306bc45eaa9862eceaba14e7b06bb91c451df2b5a3a1fba504f64a76194bc71947b62aeaaa69183ea47ac909af8

Download Submit
C:\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
C:\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
C:\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
C:\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
C:\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
C:\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
C:\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
\Windows\SysWOW64\install\desarakt.exe

Filesize
583KB

MD5
b8c86d90b109edb252a41576f4a5fd1d

SHA1
bb99d66dfbf11a768bb881d8ed45b85b9d22df4b

SHA256
c4275a86fa2d6d42e00f15cdc4aa3a09bddd19deef2e5253f9d09b45dadbaaef

SHA512
9308b43624d1bff2f33e91e7a6d066fabb6b47baa9ef012286d414f6d7a629ed5ef121f949559f4984d2555c823ef233ee56c587515244e0bc4e7072f9533518

Download Submit
memory/572-82-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/572-85-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/572-76-0x0000000074FE1000-0x0000000074FE3000-memory.dmp

Filesize
8KB

Download
memory/572-133-0x0000000003AD0000-0x0000000003B92000-memory.dmp

Filesize
776KB

Download
memory/624-160-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/624-161-0x000000000BFA0000-0x000000000C062000-memory.dmp

Filesize
776KB

Download
memory/624-109-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/624-157-0x000000000BFA0000-0x000000000C062000-memory.dmp

Filesize
776KB

Download
memory/624-110-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/624-98-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/972-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1176-112-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1176-119-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1284-71-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1352-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1352-62-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1492-152-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1648-125-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1648-158-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1648-134-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1648-122-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-55-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-59-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-77-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1700-105-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-64-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-68-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1700-108-0x0000000002180000-0x0000000002242000-memory.dmp

Filesize
776KB

Download
memory/1700-87-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1700-93-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1700-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-56-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1700-66-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1864-159-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1864-139-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1864-135-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1976-132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download