cybergate | b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8

General

Target

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Size

606KB
MD5

6983b23403c4066b080525c06b93555d
SHA1

3d83c8f70967a68ea4e1fffcc8ed2bab7ed326a9
SHA256

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8
SHA512

c11546545e805b9b292ce6186aadeb6123af5f08b8d2b3a1f04e0e3f26098227d8087ae67e90e1c317d3abd06b02c6523b03bb8457b46dc2a74ca901cab67bde
SSDEEP

12288:IzRCiwkF3ClNsh+Rpq5/R8CHvZ69P6OtWjvbbqyUvX6:ORsapEqZtPZ69P6O8jp

Score

10^/10

cybergate hack persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.18

Botnet

Hack

C2

cerberus147.no-ip.biz:5454

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
Svchost.exe
install_dir
install
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Check Update
message_box_title
Error
password
aqwxszedcvfr
regkey_hkcu
Svchost
regkey_hklm
Rundll32

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\Svchost.exe"	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\Svchost.exe"	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

Executes dropped EXE 4 IoCs

Processes:

keyfinder.exefindkey.exeSvchost.exeSvchost.exe

pid process

4304 keyfinder.exe
3364 findkey.exe
3600 Svchost.exe
4800 Svchost.exe

pid	process
4304	keyfinder.exe
3364	findkey.exe
3600	Svchost.exe
4800	Svchost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{UY6622A0-WEU0-WLF8-520J-3B83C5D080L4}	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UY6622A0-WEU0-WLF8-520J-3B83C5D080L4}\StubPath = "c:\\directory\\CyberGate\\install\\Svchost.exe Restart"	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{UY6622A0-WEU0-WLF8-520J-3B83C5D080L4}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{UY6622A0-WEU0-WLF8-520J-3B83C5D080L4}\StubPath = "c:\\directory\\CyberGate\\install\\Svchost.exe"	explorer.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4772-142-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/4772-147-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4544-150-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4544-153-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/4772-155-0x0000000000620000-0x000000000067F000-memory.dmp	upx
behavioral2/memory/4772-160-0x00000000240D0000-0x000000002412F000-memory.dmp	upx
behavioral2/memory/3388-163-0x00000000240D0000-0x000000002412F000-memory.dmp	upx
behavioral2/memory/3388-166-0x00000000240D0000-0x000000002412F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\keyfinder.exe	upx
C:\Users\Admin\AppData\Local\Temp\keyfinder.exe	upx
behavioral2/memory/4304-183-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3388-185-0x00000000240D0000-0x000000002412F000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

keyfinder.exeb1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	keyfinder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "c:\\directory\\CyberGate\\install\\Svchost.exe"	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "c:\\directory\\CyberGate\\install\\Svchost.exe"	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exeSvchost.exe

description	pid	process	target process
PID 5084 set thread context of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 3600 set thread context of 4800	3600	Svchost.exe	Svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3448 4800 WerFault.exe Svchost.exe

pid	pid_target	process	target process
3448	4800	WerFault.exe	Svchost.exe

Modifies registry class 1 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

pid	process
4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

pid process

3388 b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

pid	process
3388	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

description	pid	process
Token: SeDebugPrivilege	3388	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Token: SeDebugPrivilege	3388	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

pid process

4772 b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exeSvchost.exe

pid process

5084 b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
3600 Svchost.exe

pid	process
5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
3600	Svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exeb1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe

description	pid	process	target process
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 5084 wrote to memory of 4772	5084	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE
PID 4772 wrote to memory of 3060	4772	b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
"C:\Users\Admin\AppData\Local\Temp\b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
C:\Users\Admin\AppData\Local\Temp\b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:4544

C:\Users\Admin\AppData\Local\Temp\b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe
"C:\Users\Admin\AppData\Local\Temp\b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8.exe"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\AppData\Local\Temp\keyfinder.exe
"C:\Users\Admin\AppData\Local\Temp\keyfinder.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4304

C:\Users\Admin\AppData\Local\Temp\RarSFX0\findkey.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\findkey.exe"
6⤵
- Executes dropped EXE
PID:3364

C:\directory\CyberGate\install\Svchost.exe
"C:\directory\CyberGate\install\Svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3600

C:\directory\CyberGate\install\Svchost.exe
C:\directory\CyberGate\install\Svchost.exe
6⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 532
7⤵
- Program crash
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
1⤵
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\findkey.exe
Filesize
508KB

MD5
78eae2b3d4e14d08f03eb61624670670

SHA1
0befd14f7976eee2221ab4f71c66dc4cd0c18f24

SHA256
53a97b1f6cbffb6ff3acffb9e51c9c23e771bf451f7bd1012c55f1c10da88a5d

SHA512
fe6dd0180652c3123f23aae558f532db1d382bd841bc92bae753e5f5d92ff52a51f9c18dc46a25c2e423bdb34723b92a8fbd0e7fb1a96e89e430e6fd1b23baf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\findkey.exe
Filesize
508KB

MD5
78eae2b3d4e14d08f03eb61624670670

SHA1
0befd14f7976eee2221ab4f71c66dc4cd0c18f24

SHA256
53a97b1f6cbffb6ff3acffb9e51c9c23e771bf451f7bd1012c55f1c10da88a5d

SHA512
fe6dd0180652c3123f23aae558f532db1d382bd841bc92bae753e5f5d92ff52a51f9c18dc46a25c2e423bdb34723b92a8fbd0e7fb1a96e89e430e6fd1b23baf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
476KB

MD5
4f6f2f5028f518cf07c23c6dc78cde7d

SHA1
3a3451b9695543c7597c874251f3023ba1f6264a

SHA256
ea30b3f46adf9c8a9ff7063d79d7cd979538dcec5bf0bda5b886f93fa6eda6fe

SHA512
82a275f03872368054818c5ed8ce68ee9671b123b986f7ca5bc8619a46dbed9dd2b50c6247376c71cc2503ccacca3c39968851e18f5cbf6bff500d6c7398dda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\keyfinder.exe
Filesize
256KB

MD5
dda549c475a5dc212290cc3ffdb93d3f

SHA1
611508406f43276e8be166de278e6d908bb7592c

SHA256
65721d29f6d2939fdac358f3bb6f890713fead828f22b25e5995fec7fd9639a5

SHA512
1027bd9c23a38c6f171d6be4506adfcc587bff1693c10b03c659b36afad8892e9427e3b6052bc12eb477fa4456b7143912710cfbeeafa4b8c3e53f0d0869a05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\keyfinder.exe
Filesize
256KB

MD5
dda549c475a5dc212290cc3ffdb93d3f

SHA1
611508406f43276e8be166de278e6d908bb7592c

SHA256
65721d29f6d2939fdac358f3bb6f890713fead828f22b25e5995fec7fd9639a5

SHA512
1027bd9c23a38c6f171d6be4506adfcc587bff1693c10b03c659b36afad8892e9427e3b6052bc12eb477fa4456b7143912710cfbeeafa4b8c3e53f0d0869a05d

Download Submit
C:\directory\CyberGate\install\Svchost.exe
Filesize
606KB

MD5
6983b23403c4066b080525c06b93555d

SHA1
3d83c8f70967a68ea4e1fffcc8ed2bab7ed326a9

SHA256
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8

SHA512
c11546545e805b9b292ce6186aadeb6123af5f08b8d2b3a1f04e0e3f26098227d8087ae67e90e1c317d3abd06b02c6523b03bb8457b46dc2a74ca901cab67bde

Download Submit
C:\directory\CyberGate\install\Svchost.exe
Filesize
606KB

MD5
6983b23403c4066b080525c06b93555d

SHA1
3d83c8f70967a68ea4e1fffcc8ed2bab7ed326a9

SHA256
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8

SHA512
c11546545e805b9b292ce6186aadeb6123af5f08b8d2b3a1f04e0e3f26098227d8087ae67e90e1c317d3abd06b02c6523b03bb8457b46dc2a74ca901cab67bde

Download Submit
\??\c:\directory\CyberGate\install\Svchost.exe
Filesize
606KB

MD5
6983b23403c4066b080525c06b93555d

SHA1
3d83c8f70967a68ea4e1fffcc8ed2bab7ed326a9

SHA256
b1da2e289f2bdbe8a12efe02c57b2367d02bfdf5cbd638fa9a22db956fd0ffb8

SHA512
c11546545e805b9b292ce6186aadeb6123af5f08b8d2b3a1f04e0e3f26098227d8087ae67e90e1c317d3abd06b02c6523b03bb8457b46dc2a74ca901cab67bde

Download Submit
memory/3364-170-0x0000000000000000-mapping.dmp

Download
memory/3388-163-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/3388-185-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/3388-159-0x0000000000000000-mapping.dmp

Download
memory/3388-165-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3388-166-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/3600-181-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3600-172-0x0000000000000000-mapping.dmp

Download
memory/4304-167-0x0000000000000000-mapping.dmp

Download
memory/4304-183-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4544-146-0x0000000000000000-mapping.dmp

Download
memory/4544-153-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4544-150-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4772-160-0x00000000240D0000-0x000000002412F000-memory.dmp

Filesize
380KB

Download
memory/4772-140-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4772-139-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4772-142-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/4772-137-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4772-136-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4772-147-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/4772-135-0x0000000000000000-mapping.dmp

Download
memory/4772-164-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4772-155-0x0000000000620000-0x000000000067F000-memory.dmp

Filesize
380KB

Download
memory/4800-184-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4800-177-0x0000000000000000-mapping.dmp

Download
memory/4800-182-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5084-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5084-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads