cybergate | e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692

General

Target

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Size

600KB
MD5

df36daf910c8049303329f0c68459e85
SHA1

043570af7cf8983c7d84b89d13eed833e5d7af53
SHA256

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692
SHA512

058043d1202a4aa9ea6c04f08b015e4872476967395f936c1cfdfb5ef4de2ed916df3de5c93fe8ba17794c4caacde9fb17406c7d4b66d5169ba388c166e56d65
SSDEEP

12288:McCD0ODKrDcsexNTFehkrUnh0olIOOCWjx5Ay9:McMeOHZqkrJolIOOCk39

Score

10^/10

cybergate 5 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.09.5

Botnet

5

C2

miwebhost.no-ip.info:81

Mutex

78I7IMIKAK471E

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
RAD.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
blowfish
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\RAD.exe"	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\RAD.exe"	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Executes dropped EXE 2 IoCs

Processes:

RAD.exeRAD.exe

pid process

2512 RAD.exe
2264 RAD.exe

pid	process
2512	RAD.exe
2264	RAD.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7153307K-OGK4-AWNO-M8LR-6B24E3I66BEX}\StubPath = "C:\\Windows\\install\\RAD.exe Restart"	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7153307K-OGK4-AWNO-M8LR-6B24E3I66BEX}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7153307K-OGK4-AWNO-M8LR-6B24E3I66BEX}\StubPath = "C:\\Windows\\install\\RAD.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7153307K-OGK4-AWNO-M8LR-6B24E3I66BEX}	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2068-140-0x0000000010410000-0x0000000010476000-memory.dmp	upx
behavioral2/memory/2068-145-0x0000000010480000-0x00000000104E6000-memory.dmp	upx
behavioral2/memory/3948-148-0x0000000010480000-0x00000000104E6000-memory.dmp	upx
behavioral2/memory/3948-149-0x0000000010480000-0x00000000104E6000-memory.dmp	upx
behavioral2/memory/2068-153-0x00000000104F0000-0x0000000010556000-memory.dmp	upx
behavioral2/memory/2068-158-0x0000000010560000-0x00000000105C6000-memory.dmp	upx
behavioral2/memory/4712-162-0x0000000010560000-0x00000000105C6000-memory.dmp	upx
behavioral2/memory/3948-175-0x0000000010480000-0x00000000104E6000-memory.dmp	upx
behavioral2/memory/4712-176-0x0000000010560000-0x00000000105C6000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\RAD.exe"	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\RAD.exe"	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exeRAD.exe

description	pid	process	target process
PID 4708 set thread context of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 2512 set thread context of 2264	2512	RAD.exe	RAD.exe

Drops file in Windows directory 4 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exee0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

description	ioc	process
File created	C:\Windows\install\RAD.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
File opened for modification	C:\Windows\install\RAD.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
File opened for modification	C:\Windows\install\RAD.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
File opened for modification	C:\Windows\install\	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4288 2264 WerFault.exe RAD.exe

pid	pid_target	process	target process
4288	2264	WerFault.exe	RAD.exe

Modifies registry class 1 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

pid	process
2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

pid process

4712 e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

pid	process
4712	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exee0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

description	pid	process
Token: SeBackupPrivilege	3948	explorer.exe
Token: SeRestorePrivilege	3948	explorer.exe
Token: SeBackupPrivilege	4712	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Token: SeRestorePrivilege	4712	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Token: SeDebugPrivilege	4712	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Token: SeDebugPrivilege	4712	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

pid process

2068 e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exeRAD.exe

pid process

4708 e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
2512 RAD.exe

pid	process
4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
2512	RAD.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exee0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe

description	pid	process	target process
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 4708 wrote to memory of 2068	4708	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE
PID 2068 wrote to memory of 2932	2068	e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
"C:\Users\Admin\AppData\Local\Temp\e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
"C:\Users\Admin\AppData\Local\Temp\e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe
"C:\Users\Admin\AppData\Local\Temp\e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692.exe"
4⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\install\RAD.exe
"C:\Windows\install\RAD.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\install\RAD.exe
"C:\Windows\install\RAD.exe"
6⤵
- Executes dropped EXE
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 556
7⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2264 -ip 2264
1⤵
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
225KB

MD5
4fe441f2f8dc81497acafbd38f5ae627

SHA1
67a1978b6f74faa9ed1794d7a1f4053cae51f538

SHA256
967b1164b3bbb07d3e44905f7507bfab5ac94084dc391f44dca81e73266b6891

SHA512
b70d037df95c4a789f13c34d9f896d12c0e5493aae809cefce80cf7f7a329761e7e1a9c697bbbeecc6d5c66b3e5b1cecc022ff44034a1af4fae1542227baf4db

Download Submit
C:\Windows\install\RAD.exe
Filesize
600KB

MD5
df36daf910c8049303329f0c68459e85

SHA1
043570af7cf8983c7d84b89d13eed833e5d7af53

SHA256
e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692

SHA512
058043d1202a4aa9ea6c04f08b015e4872476967395f936c1cfdfb5ef4de2ed916df3de5c93fe8ba17794c4caacde9fb17406c7d4b66d5169ba388c166e56d65

Download Submit
C:\Windows\install\RAD.exe
Filesize
600KB

MD5
df36daf910c8049303329f0c68459e85

SHA1
043570af7cf8983c7d84b89d13eed833e5d7af53

SHA256
e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692

SHA512
058043d1202a4aa9ea6c04f08b015e4872476967395f936c1cfdfb5ef4de2ed916df3de5c93fe8ba17794c4caacde9fb17406c7d4b66d5169ba388c166e56d65

Download Submit
C:\Windows\install\RAD.exe
Filesize
600KB

MD5
df36daf910c8049303329f0c68459e85

SHA1
043570af7cf8983c7d84b89d13eed833e5d7af53

SHA256
e0253c98e65a797fcbe5addf6207d9ca3fed7d5c94214bf2c30741135eebc692

SHA512
058043d1202a4aa9ea6c04f08b015e4872476967395f936c1cfdfb5ef4de2ed916df3de5c93fe8ba17794c4caacde9fb17406c7d4b66d5169ba388c166e56d65

Download Submit
memory/2068-153-0x00000000104F0000-0x0000000010556000-memory.dmp

Filesize
408KB

Download
memory/2068-136-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2068-140-0x0000000010410000-0x0000000010476000-memory.dmp

Filesize
408KB

Download
memory/2068-145-0x0000000010480000-0x00000000104E6000-memory.dmp

Filesize
408KB

Download
memory/2068-135-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2068-163-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2068-138-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2068-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2068-134-0x0000000000000000-mapping.dmp

Download
memory/2068-158-0x0000000010560000-0x00000000105C6000-memory.dmp

Filesize
408KB

Download
memory/2264-168-0x0000000000000000-mapping.dmp

Download
memory/2264-172-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2264-173-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2264-174-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2512-164-0x0000000000000000-mapping.dmp

Download
memory/3948-149-0x0000000010480000-0x00000000104E6000-memory.dmp

Filesize
408KB

Download
memory/3948-148-0x0000000010480000-0x00000000104E6000-memory.dmp

Filesize
408KB

Download
memory/3948-144-0x0000000000000000-mapping.dmp

Download
memory/3948-175-0x0000000010480000-0x00000000104E6000-memory.dmp

Filesize
408KB

Download
memory/4712-157-0x0000000000000000-mapping.dmp

Download
memory/4712-162-0x0000000010560000-0x00000000105C6000-memory.dmp

Filesize
408KB

Download
memory/4712-176-0x0000000010560000-0x00000000105C6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads