cybergate | 9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

Analysis

max time kernel
179s
max time network
187s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Size

327KB
MD5

0d2478e9ce7bbd1791aac10d37e4ced0
SHA1

0356aeffe6ce2a270a8fd845df0080f686404a15
SHA256

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5
SHA512

9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23
SSDEEP

6144:Y5GWFJFFuqly0X+lmTxi1/vWrpyfSMnQSEqQqTWfXJNmf:YIAzFjulmS/vWrpyFQS0qTWf6f

Score

10^/10

cybergate 2 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

84.120.59.104:4222

90.162.61.13:4332

84.120.55.87:4112

90.162.61.78:4442

leskieroatodos.no-ip.org:4552

Mutex

4VEUT705FC0A46

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
acrobat
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
borito1010
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

592 explorer.exe
1688 explorer.exe

pid	process
592	explorer.exe
1688	explorer.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}\StubPath = "c:\\adobe\\acrobat\\explorer.exe Restart"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}\StubPath = "c:\\adobe\\acrobat\\explorer.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/932-83-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/932-92-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1680-97-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1680-100-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/932-105-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1764-110-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1764-111-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1764-150-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Loads dropped DLL 7 IoCs

Processes:

explorer.exeWerFault.exe

pid process

1764 explorer.exe
1764 explorer.exe
1588 WerFault.exe
1588 WerFault.exe
1588 WerFault.exe
1588 WerFault.exe
1588 WerFault.exe

pid	process
1764	explorer.exe
1764	explorer.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe
1588	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exeexplorer.exe

description	pid	process	target process
PID 1868 set thread context of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 592 set thread context of 1688	592	explorer.exe	explorer.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
824	1868	WerFault.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
1588	592	WerFault.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

pid process

932 9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1764 explorer.exe

pid	process
932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

pid	process
1764	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process
Token: SeBackupPrivilege	1680	explorer.exe
Token: SeRestorePrivilege	1680	explorer.exe
Token: SeBackupPrivilege	1764	explorer.exe
Token: SeRestorePrivilege	1764	explorer.exe
Token: SeDebugPrivilege	1764	explorer.exe
Token: SeDebugPrivilege	1764	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exeexplorer.exe

pid process

932 9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
1764 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

1764 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exeexplorer.exe

pid process

1868 9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
592 explorer.exe

pid	process
932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
1764	explorer.exe

pid	process
1764	explorer.exe

pid	process
1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
592	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

description	pid	process	target process
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 932	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 1868 wrote to memory of 824	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	WerFault.exe
PID 1868 wrote to memory of 824	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	WerFault.exe
PID 1868 wrote to memory of 824	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	WerFault.exe
PID 1868 wrote to memory of 824	1868	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	WerFault.exe
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 932 wrote to memory of 1296	932	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
"C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1764

C:\adobe\acrobat\explorer.exe
"C:\adobe\acrobat\explorer.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:592

C:\adobe\acrobat\explorer.exe
C:\adobe\acrobat\explorer
6⤵
- Executes dropped EXE
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 236
6⤵
- Loads dropped DLL
- Program crash
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 236
3⤵
- Program crash
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
225KB

MD5
2c1574194e8aa262c6d85bf8682f99fa

SHA1
2a11a7e639a078a4b5af02c72322b468b4a1237e

SHA256
b18d2f87e716fc406e796be752791e4035dc6d81dc9beea694d4490a7e4f6264

SHA512
cfb0cd94f28369ddaeeb7ba3f5f732ec9f70e92536c180c94c2808c4dd672f4c5e0a3742193cfd2720b0b914802e08a9fa7b1ec2cae62f61c6479b238618e115

Download Submit
C:\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
C:\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\??\c:\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
memory/592-114-0x0000000000000000-mapping.dmp

Download
memory/592-149-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/824-81-0x0000000000000000-mapping.dmp

Download
memory/932-77-0x000000000040E1A8-mapping.dmp

Download
memory/932-58-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-83-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/932-60-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-92-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/932-64-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-80-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-78-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-67-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-70-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-105-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/932-72-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/932-75-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1296-86-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1588-139-0x0000000000000000-mapping.dmp

Download
memory/1680-100-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1680-89-0x0000000000000000-mapping.dmp

Download
memory/1680-91-0x00000000747C1000-0x00000000747C3000-memory.dmp

Filesize
8KB

Download
memory/1680-97-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1688-137-0x000000000040E1A8-mapping.dmp

Download
memory/1764-102-0x0000000000000000-mapping.dmp

Download
memory/1764-110-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1764-148-0x0000000003CB0000-0x0000000003CBB000-memory.dmp

Filesize
44KB

Download
memory/1764-111-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1764-150-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1764-153-0x0000000003CB0000-0x0000000003CBB000-memory.dmp

Filesize
44KB

Download
memory/1764-154-0x0000000003CB0000-0x0000000003CBB000-memory.dmp

Filesize
44KB

Download
memory/1868-63-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/1868-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1868-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1868-151-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1868-152-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download