cybergate | 9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

General

Target

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Size

327KB
MD5

0d2478e9ce7bbd1791aac10d37e4ced0
SHA1

0356aeffe6ce2a270a8fd845df0080f686404a15
SHA256

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5
SHA512

9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23
SSDEEP

6144:Y5GWFJFFuqly0X+lmTxi1/vWrpyfSMnQSEqQqTWfXJNmf:YIAzFjulmS/vWrpyFQS0qTWf6f

Score

10^/10

cybergate 2 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

2

C2

84.120.59.104:4222

90.162.61.13:4332

84.120.55.87:4112

90.162.61.78:4442

leskieroatodos.no-ip.org:4552

Mutex

4VEUT705FC0A46

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
acrobat
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
borito1010
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

4828 explorer.exe
3860 explorer.exe

pid	process
4828	explorer.exe
3860	explorer.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}\StubPath = "c:\\adobe\\acrobat\\explorer.exe Restart"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{S1D623TV-QCMN-6R6G-H1U4-66L8HTL68Q52}\StubPath = "c:\\adobe\\acrobat\\explorer.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2468-148-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2468-153-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4100-156-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4100-157-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2468-160-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/3448-163-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/3448-164-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/3448-168-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\adobe\\acrobat\\explorer.exe"	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exeexplorer.exe

description	pid	process	target process
PID 4976 set thread context of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4828 set thread context of 3860	4828	explorer.exe	explorer.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5112	4976	WerFault.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
1992	4828	WerFault.exe	explorer.exe
4372	3860	WerFault.exe	explorer.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

pid	process
2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3448 explorer.exe

pid	process
3448	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process
Token: SeBackupPrivilege	4100	explorer.exe
Token: SeRestorePrivilege	4100	explorer.exe
Token: SeBackupPrivilege	3448	explorer.exe
Token: SeRestorePrivilege	3448	explorer.exe
Token: SeDebugPrivilege	3448	explorer.exe
Token: SeDebugPrivilege	3448	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

pid process

2468 9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exeexplorer.exe

pid process

4976 9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
4828 explorer.exe

pid	process
4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
4828	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe

description	pid	process	target process
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 4976 wrote to memory of 2468	4976	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE
PID 2468 wrote to memory of 380	2468	9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
"C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5.exe
C:\Users\Admin\AppData\Local\Temp\9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\adobe\acrobat\explorer.exe
"C:\adobe\acrobat\explorer.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4828

C:\adobe\acrobat\explorer.exe
C:\adobe\acrobat\explorer
6⤵
- Executes dropped EXE
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 556
7⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 608
6⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 600
3⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4828 -ip 4828
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3860 -ip 3860
1⤵
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
225KB

MD5
2c1574194e8aa262c6d85bf8682f99fa

SHA1
2a11a7e639a078a4b5af02c72322b468b4a1237e

SHA256
b18d2f87e716fc406e796be752791e4035dc6d81dc9beea694d4490a7e4f6264

SHA512
cfb0cd94f28369ddaeeb7ba3f5f732ec9f70e92536c180c94c2808c4dd672f4c5e0a3742193cfd2720b0b914802e08a9fa7b1ec2cae62f61c6479b238618e115

Download Submit
C:\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
C:\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
\??\c:\adobe\acrobat\explorer.exe
Filesize
327KB

MD5
0d2478e9ce7bbd1791aac10d37e4ced0

SHA1
0356aeffe6ce2a270a8fd845df0080f686404a15

SHA256
9498de5a2efcc4ded594c9f858308aa2f09a23ea49e31d309b54059b8f8112a5

SHA512
9914c9304067def845052fb0f5443fdfb458a3405633f8e2a9fd2860edf57a04e04b446dec307228d548959ede527d04974ab478456b31b91e7cbb71ce1cfd23

Download Submit
memory/2468-148-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2468-139-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-142-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-143-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-145-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-146-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-135-0x0000000000000000-mapping.dmp

Download
memory/2468-136-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-153-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2468-141-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2468-160-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/3448-159-0x0000000000000000-mapping.dmp

Download
memory/3448-163-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/3448-164-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/3448-168-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/3860-174-0x0000000000000000-mapping.dmp

Download
memory/3860-186-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4100-157-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4100-156-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4100-152-0x0000000000000000-mapping.dmp

Download
memory/4828-169-0x0000000000000000-mapping.dmp

Download
memory/4828-173-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4828-187-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4976-167-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4976-134-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads