cybergate | f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
Size

341KB
MD5

a491c799d482368deccdf8d9c47ac62d
SHA1

29c23737756a17bb386cffe9404336f24d4a4c8c
SHA256

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c
SHA512

f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc
SSDEEP

6144:pJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHS:xDXXbQL31z7KFCoNrFGdOJa9f5eRS

Score

10^/10

cybergate hawkeye remote keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

ir0kz.zapto.org:1213

Mutex

0G7MT5Q26I65Q0

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
wincfg
install_file
newudp.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiodgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audiodgi.exe

Executes dropped EXE 6 IoCs

Processes:

svchost.exesvchost.exeaudiodgi.exewmpmetwk.exewmpmetwk.exewmpmetwk.exe

pid process

936 svchost.exe
1332 svchost.exe
2004 audiodgi.exe
676 wmpmetwk.exe
1644 wmpmetwk.exe
1784 wmpmetwk.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1644-81-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1644-83-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1644-84-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1644-89-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1644-91-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1644-90-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1644-100-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

936 svchost.exe

Loads dropped DLL 8 IoCs

Processes:

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exesvchost.exeaudiodgi.exewmpmetwk.exewmpmetwk.exe

pid	process
1812	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
1812	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
936	svchost.exe
936	svchost.exe
2004	audiodgi.exe
2004	audiodgi.exe
676	wmpmetwk.exe
1644	wmpmetwk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

audiodgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exewmpmetwk.exe

description	pid	process	target process
PID 936 set thread context of 1332	936	svchost.exe	svchost.exe
PID 676 set thread context of 1644	676	wmpmetwk.exe	wmpmetwk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeaudiodgi.exewmpmetwk.exe

pid	process
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
936	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exesvchost.exeaudiodgi.exewmpmetwk.exe

description	pid	process
Token: SeDebugPrivilege	1812	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
Token: SeDebugPrivilege	936	svchost.exe
Token: SeDebugPrivilege	2004	audiodgi.exe
Token: SeDebugPrivilege	676	wmpmetwk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exesvchost.exeaudiodgi.exewmpmetwk.exewmpmetwk.exe

description	pid	process	target process
PID 1812 wrote to memory of 936	1812	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe	svchost.exe
PID 1812 wrote to memory of 936	1812	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe	svchost.exe
PID 1812 wrote to memory of 936	1812	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe	svchost.exe
PID 1812 wrote to memory of 936	1812	f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe	svchost.exe
PID 936 wrote to memory of 1332	936	svchost.exe	svchost.exe
PID 936 wrote to memory of 1332	936	svchost.exe	svchost.exe
PID 936 wrote to memory of 1332	936	svchost.exe	svchost.exe
PID 936 wrote to memory of 1332	936	svchost.exe	svchost.exe
PID 936 wrote to memory of 1332	936	svchost.exe	svchost.exe
PID 936 wrote to memory of 2004	936	svchost.exe	audiodgi.exe
PID 936 wrote to memory of 2004	936	svchost.exe	audiodgi.exe
PID 936 wrote to memory of 2004	936	svchost.exe	audiodgi.exe
PID 936 wrote to memory of 2004	936	svchost.exe	audiodgi.exe
PID 2004 wrote to memory of 676	2004	audiodgi.exe	wmpmetwk.exe
PID 2004 wrote to memory of 676	2004	audiodgi.exe	wmpmetwk.exe
PID 2004 wrote to memory of 676	2004	audiodgi.exe	wmpmetwk.exe
PID 2004 wrote to memory of 676	2004	audiodgi.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 676 wrote to memory of 1644	676	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe
PID 1644 wrote to memory of 1784	1644	wmpmetwk.exe	wmpmetwk.exe

C:\Users\Admin\AppData\Local\Temp\f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe
"C:\Users\Admin\AppData\Local\Temp\f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
3⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
"C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
"C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
"C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
6⤵
- Executes dropped EXE
PID:1784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
105B

MD5
fc25c3b01b648207bf8db948858fc547

SHA1
5b06754b8fe5e58d6b1362bdecddec4aa9409191

SHA256
e532f4ede6191bf01838b4b4fe9d00eb251562a517e060d20f522af94ee561cf

SHA512
95646c5a3d5744528475c4f3210d43200c6bb93971f9a38be270e40e34524241df543c6d9248a340dd0d1e28ba525fd49e5869a7ac4afa611b4af495f8c729e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
Filesize
7KB

MD5
2e18e07194565987ef816f36c4a2134e

SHA1
5278b14dc0704abd700264bb9f8610caf5d007eb

SHA256
44c927820ec11111ab620bfa75b71986b9e675770a782e3c740040d484e5dbd7

SHA512
7160e14ec359e738e77afed6341890a8084605543e7deb8720457825ff013b907e7233cc890a8c63614b4d481bc73fb72cf15378d8f3534dfb9c8064fed6f930

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
Filesize
7KB

MD5
2e18e07194565987ef816f36c4a2134e

SHA1
5278b14dc0704abd700264bb9f8610caf5d007eb

SHA256
44c927820ec11111ab620bfa75b71986b9e675770a782e3c740040d484e5dbd7

SHA512
7160e14ec359e738e77afed6341890a8084605543e7deb8720457825ff013b907e7233cc890a8c63614b4d481bc73fb72cf15378d8f3534dfb9c8064fed6f930

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
Filesize
7KB

MD5
2e18e07194565987ef816f36c4a2134e

SHA1
5278b14dc0704abd700264bb9f8610caf5d007eb

SHA256
44c927820ec11111ab620bfa75b71986b9e675770a782e3c740040d484e5dbd7

SHA512
7160e14ec359e738e77afed6341890a8084605543e7deb8720457825ff013b907e7233cc890a8c63614b4d481bc73fb72cf15378d8f3534dfb9c8064fed6f930

Download Submit
\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
341KB

MD5
a491c799d482368deccdf8d9c47ac62d

SHA1
29c23737756a17bb386cffe9404336f24d4a4c8c

SHA256
f83c15e4e5e47d7e339e9d5f8083e51683edf4fa02f04b5b6a0131bd2896b18c

SHA512
f2dbe41e8c2f7d466c791fbad12eedf40c2c1f1db0f1bdeff41dabefecea88a59a5f79e914a09f393fb54f5bd2fa3ee94940d9e0ca2c56ba969bbf19bcb01abc

Download Submit
memory/676-93-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/676-107-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/676-76-0x0000000000000000-mapping.dmp

Download
memory/936-65-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/936-105-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/936-58-0x0000000000000000-mapping.dmp

Download
memory/1332-68-0x0000000000054FD0-mapping.dmp

Download
memory/1644-85-0x0000000000454FD0-mapping.dmp

Download
memory/1644-84-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-83-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-81-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-89-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-91-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-90-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-80-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1644-100-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1644-94-0x0000000000412000-0x0000000000456000-memory.dmp

Filesize
272KB

Download
memory/1784-97-0x0000000000000000-mapping.dmp

Download
memory/1784-103-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1812-62-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1812-55-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-71-0x0000000000000000-mapping.dmp

Download
memory/2004-92-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-106-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download

pid	process
936	svchost.exe
1332	svchost.exe
2004	audiodgi.exe
676	wmpmetwk.exe
1644	wmpmetwk.exe
1784	wmpmetwk.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads