cybergate | bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058

General

Target

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe
Size

372KB
MD5

9bfe9e7024f854d84fbf0a506cd155c6
SHA1

1638f48961c38614171673ef3eb669f00f14bd8f
SHA256

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058
SHA512

7f898ab6683257359c2a511a403caba9a1a7b990a293f60f49fbed6a86f6fc707486f720ecff14f1ee749ac3c1e5db5464634a92dc01ec27490ad69160edcd0a
SSDEEP

6144:8d4zz2iOUcQWS2BcyyDS96o0+JIWYH/8bE4FwlbqeRkqw9sGuCYokrC0CEC:8mziZQWS2Bv7IZH/8LFw8wYinCYjrCZE

Score

10^/10

cybergate 1 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

1

C2

ghostik.no-ip.info:80

Mutex

FKC688XE85HD5N

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
777
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

Executes dropped EXE 2 IoCs

Processes:

server.exeserver.EXE

pid process

4848 server.exe
4432 server.EXE

pid	process
4848	server.exe
4432	server.EXE

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXEexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{KG4576R3-F3UQ-8JDO-G06G-WH05NUENN4S0}	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{KG4576R3-F3UQ-8JDO-G06G-WH05NUENN4S0}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{KG4576R3-F3UQ-8JDO-G06G-WH05NUENN4S0}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{KG4576R3-F3UQ-8JDO-G06G-WH05NUENN4S0}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4692-141-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral2/memory/4692-146-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/2500-149-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/2500-152-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral2/memory/4692-154-0x0000000010510000-0x0000000010582000-memory.dmp	upx
behavioral2/memory/4692-159-0x0000000010590000-0x0000000010602000-memory.dmp	upx
behavioral2/memory/2688-162-0x0000000010590000-0x0000000010602000-memory.dmp	upx
behavioral2/memory/2688-164-0x0000000010590000-0x0000000010602000-memory.dmp	upx
behavioral2/memory/2688-177-0x0000000010590000-0x0000000010602000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe"	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe"	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exeserver.exe

description	pid	process	target process
PID 1620 set thread context of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 4848 set thread context of 4432	4848	server.exe	server.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXEserver.EXE

pid	process
4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
4432	server.EXE
4432	server.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

pid process

2688 bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

pid	process
2688	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exebea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

description	pid	process
Token: SeBackupPrivilege	2500	explorer.exe
Token: SeRestorePrivilege	2500	explorer.exe
Token: SeBackupPrivilege	2688	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Token: SeRestorePrivilege	2688	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Token: SeDebugPrivilege	2688	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Token: SeDebugPrivilege	2688	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

pid process

4692 bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exeserver.exe

pid process

1620 bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe
4848 server.exe

pid	process
1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe
4848	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exebea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE

description	pid	process	target process
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 1620 wrote to memory of 4692	1620	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE
PID 4692 wrote to memory of 2632	4692	bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe
"C:\Users\Admin\AppData\Local\Temp\bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
"C:\Users\Admin\AppData\Local\Temp\bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE
"C:\Users\Admin\AppData\Local\Temp\bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058.EXE"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4848

C:\directory\CyberGate\install\server.EXE
"C:\directory\CyberGate\install\server.EXE"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
236KB

MD5
ebc5e820f96bfbd43d65b844f6df334f

SHA1
e54033b4faa62b4e794bafa0530a76df4c9db9b2

SHA256
86fdd9dd6c572275a19c8b9aaa0374c42adaac5d7a5250ff00f22a9261695696

SHA512
5a07d6ab02d35dd30844b2577cb1d101669860194dfd3bef58bfebb46c8eb5c6c60c8d20b60dcabe0628eccfcb7d047251e63c87a5a44d8bdf7a9af0e336922d

Download Submit
C:\directory\CyberGate\install\server.exe
Filesize
372KB

MD5
9bfe9e7024f854d84fbf0a506cd155c6

SHA1
1638f48961c38614171673ef3eb669f00f14bd8f

SHA256
bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058

SHA512
7f898ab6683257359c2a511a403caba9a1a7b990a293f60f49fbed6a86f6fc707486f720ecff14f1ee749ac3c1e5db5464634a92dc01ec27490ad69160edcd0a

Download Submit
C:\directory\CyberGate\install\server.exe
Filesize
372KB

MD5
9bfe9e7024f854d84fbf0a506cd155c6

SHA1
1638f48961c38614171673ef3eb669f00f14bd8f

SHA256
bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058

SHA512
7f898ab6683257359c2a511a403caba9a1a7b990a293f60f49fbed6a86f6fc707486f720ecff14f1ee749ac3c1e5db5464634a92dc01ec27490ad69160edcd0a

Download Submit
\??\c:\directory\CyberGate\install\server.exe
Filesize
372KB

MD5
9bfe9e7024f854d84fbf0a506cd155c6

SHA1
1638f48961c38614171673ef3eb669f00f14bd8f

SHA256
bea9dcbf75a0a70029f1fa493446fea7e06ce465f74547ff5e7de1c777b0d058

SHA512
7f898ab6683257359c2a511a403caba9a1a7b990a293f60f49fbed6a86f6fc707486f720ecff14f1ee749ac3c1e5db5464634a92dc01ec27490ad69160edcd0a

Download Submit
memory/1620-138-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2500-145-0x0000000000000000-mapping.dmp

Download
memory/2500-149-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/2500-152-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/2688-162-0x0000000010590000-0x0000000010602000-memory.dmp

Filesize
456KB

Download
memory/2688-177-0x0000000010590000-0x0000000010602000-memory.dmp

Filesize
456KB

Download
memory/2688-164-0x0000000010590000-0x0000000010602000-memory.dmp

Filesize
456KB

Download
memory/2688-158-0x0000000000000000-mapping.dmp

Download
memory/2688-163-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4432-178-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4432-176-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4432-170-0x0000000000000000-mapping.dmp

Download
memory/4692-139-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4692-159-0x0000000010590000-0x0000000010602000-memory.dmp

Filesize
456KB

Download
memory/4692-154-0x0000000010510000-0x0000000010582000-memory.dmp

Filesize
456KB

Download
memory/4692-165-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4692-137-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4692-136-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4692-135-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4692-141-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/4692-146-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/4692-134-0x0000000000000000-mapping.dmp

Download
memory/4848-166-0x0000000000000000-mapping.dmp

Download
memory/4848-175-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads