cybergate | be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

Analysis

max time kernel
205s
max time network
128s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Size

500KB
MD5

1ffec4a81cd122db8c875c8a86e1ee25
SHA1

93f459990b26e1457aca3a44f28e57d702102ce5
SHA256

be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0
SHA512

5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47
SSDEEP

12288:aHDyYR3qxc8DQkDQ+pODfh357RTt/TIvu0/44myrp/z9AY7GH:aHOYR6xc8DnQ+pip7RTtAQ4pFzf+

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

poisonserver14.zapto.org:80

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe"	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe

Executes dropped EXE 8 IoCs

pid	Process
2916	server.exe
2992	server.exe
4080	server.exe
4116	server.exe
4264	server.exe
5704	server.exe
5724	server.exe
5888	server.exe

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe Restart"	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe Restart"	server.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/572-57-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/572-59-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/572-60-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/572-64-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/572-65-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/572-66-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/572-91-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2992-118-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2992-135-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/572-150-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2992-159-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/5704-186-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/5724-187-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/5724-194-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/5704-195-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
1280	explorer.exe
1280	explorer.exe
1280	explorer.exe
1280	explorer.exe
1280	explorer.exe
1280	explorer.exe
4116	server.exe
4116	server.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\spynet\\server.exe"	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\spynet\\server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe"	explorer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spynet\server.exe	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
File opened for modification	C:\Windows\SysWOW64\spynet\server.exe	server.exe
File created	C:\Windows\SysWOW64\spynet\server.exe	server.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 268 set thread context of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 2916 set thread context of 2992	2916	server.exe	33
PID 4264 set thread context of 5704	4264	server.exe	39
PID 4080 set thread context of 5724	4080	server.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
2992	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4116	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	server.exe
Token: SeDebugPrivilege	4116	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
2916	server.exe
4080	server.exe
4264	server.exe
5888	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 268 wrote to memory of 572	268	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	28
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17
PID 572 wrote to memory of 1264	572	be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
  "C:\Users\Admin\AppData\Local\Temp\be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
    C:\Users\Admin\AppData\Local\Temp\be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Loads dropped DLL
      Adds Run key to start application
      PID:1280
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2916
      - C:\Windows\SysWOW64\spynet\server.exe
        
        C:\Windows\SysWOW64\spynet\server.exe
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\SysWOW64\spynet\server.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\spynet\server.exe
        
        "C:\Users\Admin\AppData\Roaming\spynet\server.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5888
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4080
      - C:\Windows\SysWOW64\spynet\server.exe
        
        C:\Windows\SysWOW64\spynet\server.exe
        6⤵
        Executes dropped EXE
        
        PID:5724
    - - C:\Windows\SysWOW64\spynet\server.exe
        
        "C:\Windows\system32\spynet\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4264
      - C:\Windows\SysWOW64\spynet\server.exe
        
        C:\Windows\SysWOW64\spynet\server.exe
        6⤵
        Executes dropped EXE
        
        PID:5704
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe
      "C:\Users\Admin\AppData\Local\Temp\be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0.exe"
      4⤵
      PID:2964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
586KB

MD5
13726e91383b8adac6ef476e3ebc7dfc

SHA1
fc32079c65196699716a6f5adae8a192bcecc7fe

SHA256
c9bb30d2bb3b1b366d7c0960de4976e44d4a9feaffdbaee4690b6989cef4eb3d

SHA512
4e5e9f8ea33e30e0fd8d811af51da08ed78c0646b2d39279ef76287fb7a3db60ab49588e8101281403a2063f55a17602ea5ea092c88de8931750e3d2d3cb59d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
586KB

MD5
18023fc5df532a0f129f3f036dad938d

SHA1
5b5bcca58985801fd572f360cdaa6ae4e9e1a6cd

SHA256
062bfb8deb70c3929a599c3437fefd756316da318b1bab2730308d5c5944266f

SHA512
9297fcf50b7d0f43be938c33ccec5b24322aea559a94b351597a8f8889edd4603e29a420974ea6f766cd22787675d3b45abab4b2fa94aea25398ca9d2071c229

Download Submit
C:\Users\Admin\AppData\Roaming\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Users\Admin\AppData\Roaming\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
C:\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Users\Admin\AppData\Roaming\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Users\Admin\AppData\Roaming\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
\Windows\SysWOW64\spynet\server.exe

Filesize
500KB

MD5
1ffec4a81cd122db8c875c8a86e1ee25

SHA1
93f459990b26e1457aca3a44f28e57d702102ce5

SHA256
be96d529001748ec2816f6ec81c734728af61622d24aff771080fce264a667f0

SHA512
5f7136713930128619a0e35a0656eacce4a09e929f78d99efc89cb130250a75fff62745c72498d5d99e67df2e051aa3219648eb76df9a01dafc5087021565f47

Download Submit
memory/572-68-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/572-66-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-93-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/572-150-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-56-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-64-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-91-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-63-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/572-57-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-61-0x00000000004AA4E0-mapping.dmp

Download
memory/572-137-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/572-59-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-65-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-60-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/572-80-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1264-74-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/1280-79-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1280-90-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1280-77-0x0000000000000000-mapping.dmp

Download
memory/2916-97-0x0000000000000000-mapping.dmp

Download
memory/2964-106-0x0000000000000000-mapping.dmp

Download
memory/2964-163-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/2964-197-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/2992-118-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2992-159-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2992-135-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2992-112-0x00000000004AA4E0-mapping.dmp

Download
memory/4080-121-0x0000000000000000-mapping.dmp

Download
memory/4116-160-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/4116-133-0x0000000000000000-mapping.dmp

Download
memory/4116-196-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/4264-139-0x0000000000000000-mapping.dmp

Download
memory/5704-174-0x00000000004AA4E0-mapping.dmp

Download
memory/5704-195-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5704-186-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5724-187-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5724-194-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/5724-177-0x00000000004AA4E0-mapping.dmp

Download
memory/5888-190-0x0000000000000000-mapping.dmp

Download