cybergate | 8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

Analysis

max time kernel
153s
max time network
91s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Size

330KB
MD5

cd80eca254868c30797bdd77cd963a05
SHA1

515d407fbe6378ab65be05372b686085d04c3ae9
SHA256

8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d
SHA512

fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c
SSDEEP

6144:IBV/o1gC4/jgHjGPdOrz+4CoT4QZyDqOpb8FRPO6zBdkmjH3Oc32NI:aCCeGgXVJ06mb8DPh7jH+32

Score

10^/10

cybergate 17 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

fbihacking007.no-ip.biz:81

Mutex

4B86S756Q0423F

Attributes

enable_keylogger
false
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
Winlogon.exe
install_dir
Microsoft Corporation
install_file
Windows Update.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
SORRY
message_box_title
no compatible
password
171717
regkey_hkcu
Inisial System Operation
regkey_hklm
Windows Actualisation

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe"	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe"	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	Windows Update.exe
1612	Windows Update.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0VV45P7-SPS3-BPCD-372G-B7IGHL702XE3}\StubPath = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0VV45P7-SPS3-BPCD-372G-B7IGHL702XE3}	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0VV45P7-SPS3-BPCD-372G-B7IGHL702XE3}\StubPath = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe Restart"	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0VV45P7-SPS3-BPCD-372G-B7IGHL702XE3}	explorer.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-56-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1972-59-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1972-61-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1972-62-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1972-63-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1972-65-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1972-74-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1528-79-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1528-80-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1972-82-0x0000000000460000-0x00000000004C5000-memory.dmp	upx
behavioral1/memory/1972-90-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1972-96-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1644-95-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1644-97-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1612-119-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1612-118-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1612-113-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1612-120-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1612-121-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1528-122-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1644-123-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
1644	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
1724	Windows Update.exe
1724	Windows Update.exe
1724	Windows Update.exe
1724	Windows Update.exe
1612	Windows Update.exe
1612	Windows Update.exe
1612	Windows Update.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Actualisation = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe"	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inisial System Operation = "C:\\Windows\\system32\\Microsoft Corporation\\Windows Update.exe"	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Microsoft Corporation\	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe	Windows Update.exe
File created	C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1724 set thread context of 1612	1724	Windows Update.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1528	explorer.exe
Token: SeRestorePrivilege	1528	explorer.exe
Token: SeBackupPrivilege	1644	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Token: SeRestorePrivilege	1644	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Token: SeDebugPrivilege	1644	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
Token: SeDebugPrivilege	1644	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
1644	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
1724	Windows Update.exe
1724	Windows Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1992 wrote to memory of 1972	1992	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	26
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13
PID 1972 wrote to memory of 1192	1972	8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
  "C:\Users\Admin\AppData\Local\Temp\8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
    "C:\Users\Admin\AppData\Local\Temp\8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe
      "C:\Users\Admin\AppData\Local\Temp\8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1644
    - - C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
        
        "C:\Windows\system32\Microsoft Corporation\Windows Update.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1724
      - C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe
        
        "C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
d5c35b40182154bc199c6984709e37be

SHA1
443501ca4a2d3173093401928a54cc5f433f2d71

SHA256
09abdbf3c7f1e3d8f83a022d9b425498575aaa00305fc56d5d8c10e40b4c79ce

SHA512
2ecc7fb78f5ed11006eb3d4d61a6415757c9f71882363dd1862bc577f73da4a9e003c971bbc4ed2648eb5c9b494a94cc66982418c7b7c8f9ec16ae81d9e9cc66

Download Submit
C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
C:\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
\Windows\SysWOW64\Microsoft Corporation\Windows Update.exe

Filesize
330KB

MD5
cd80eca254868c30797bdd77cd963a05

SHA1
515d407fbe6378ab65be05372b686085d04c3ae9

SHA256
8e520ab6f1697aa4154510f2279a0d27277ef274d1b5835162309b5c5ec4bc3d

SHA512
fe2faa550d21c4b8f756c702d2f0c97a8ecee1f2c24533e070d702b02138e1053bd95337cc83de708ac9b0dca54ebedf36ff1542327cb13d3ee158339542963c

Download Submit
memory/1192-68-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1528-80-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1528-79-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1528-73-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1528-122-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1612-119-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1612-121-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1612-120-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1612-113-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1612-118-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1644-95-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1644-97-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1644-123-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1972-62-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1972-56-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1972-60-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1972-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1972-63-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1972-61-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1972-59-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1972-65-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1972-74-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1972-82-0x0000000000460000-0x00000000004C5000-memory.dmp

Filesize
404KB

Download
memory/1972-90-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download