cybergate | c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848

Analysis

max time kernel
151s
max time network
56s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
Size

780KB
MD5

e18a854f8a6075430a2e87c204a503f5
SHA1

4dbc773aaab4bdf80f183bb8c3b9f6297edc16b6
SHA256

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848
SHA512

d923b01666839cf7933181859657bc8d61c1e2d5b64d3ce47923dd5f8b472fc0cee1a30ad6590b077b6b7c86d3ada3d9e20f488419b1820dc33199fa5ed1b745
SSDEEP

12288:91TVHgeC+f33EkDuL6lZJ/5dEWOh+l5YsoaaLCXZeamzUw2:vtF/BlDxaWOIYsPZezUw2

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Victime

127.0.0.1:1024

jerem13.no-ip.biz:1024

rapphykravmaga.no-ip.biz:1024

Mutex

177M1D027VDKYA

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Je m'appelle raphael et j'aime les hommes
message_box_title
CyberGate
password
administrator
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lshss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lshss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lshss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe

Executes dropped EXE 3 IoCs

Processes:

lshss.exelshss.exeserver.exe

pid process

1692 lshss.exe
1364 lshss.exe
1960 server.exe

pid	process
1692	lshss.exe
1364	lshss.exe
1960	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lshss.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}	lshss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	lshss.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1692-83-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1692-94-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1548-99-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1548-102-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1692-104-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1692-111-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1364-116-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1364-118-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1364-125-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UxRNUZJ.exe	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

Loads dropped DLL 4 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exelshss.exe

pid	process
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1364	lshss.exe
1364	lshss.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exelshss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe = "C:\\Users\\Admin\\AppData\\Roaming\\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe"	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lshss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	lshss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe

Drops file in System32 directory 4 IoCs

Processes:

lshss.exelshss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\server.exe	lshss.exe
File opened for modification	C:\Windows\SysWOW64\install\	lshss.exe
File created	C:\Windows\SysWOW64\install\server.exe	lshss.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	lshss.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

description	pid	process	target process
PID 1244 set thread context of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

pid	process
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lshss.exe

pid process

1364 lshss.exe

pid	process
1364	lshss.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exeexplorer.exelshss.exe

description	pid	process
Token: SeDebugPrivilege	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
Token: SeBackupPrivilege	1548	explorer.exe
Token: SeRestorePrivilege	1548	explorer.exe
Token: SeBackupPrivilege	1364	lshss.exe
Token: SeRestorePrivilege	1364	lshss.exe
Token: SeDebugPrivilege	1364	lshss.exe
Token: SeDebugPrivilege	1364	lshss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lshss.exe

pid process

1692 lshss.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

server.exe

pid process

1960 server.exe

pid	process
1692	lshss.exe

pid	process
1960	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.execsc.exelshss.exe

description	pid	process	target process
PID 1244 wrote to memory of 568	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	csc.exe
PID 1244 wrote to memory of 568	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	csc.exe
PID 1244 wrote to memory of 568	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	csc.exe
PID 1244 wrote to memory of 568	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	csc.exe
PID 568 wrote to memory of 1496	568	csc.exe	cvtres.exe
PID 568 wrote to memory of 1496	568	csc.exe	cvtres.exe
PID 568 wrote to memory of 1496	568	csc.exe	cvtres.exe
PID 568 wrote to memory of 1496	568	csc.exe	cvtres.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1244 wrote to memory of 1692	1244	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE
PID 1692 wrote to memory of 1204	1692	lshss.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
"C:\Users\Admin\AppData\Local\Temp\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrsjjf2a.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E53.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E52.tmp"
4⤵
PID:1496

C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Users\Admin\AppData\Roaming\lshss.exe
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1684

C:\Users\Admin\AppData\Roaming\lshss.exe
"C:\Users\Admin\AppData\Roaming\lshss.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
36abea9860488a63743493cf7f16261a

SHA1
11cf50d8816ff29a3f9d80b8d21cf9c292082dc3

SHA256
e13c39dd521e744c3808c5f829ea386989632cdb2dc6d0312c4fc79985c5e60b

SHA512
7b6e0b16ee9f23188388c89c053e76ac9942ffc4446c2f87022a631ae7f146b325c35f8d1fe6d1653cd967f7789382f917b1e78d6e9ad09871f782aa7b3afd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E53.tmp
Filesize
1KB

MD5
0a8449ad3bd4cfd4d538c336f96c3e3a

SHA1
eec9c41301b678cf62531c3e159a22481f812895

SHA256
bd730e77a8cc94757574bfeb02b312fbe5610074aed0b04a0b484ba82f4e7af3

SHA512
241b3bbdc75d8cb5eb2ed329f7936d03d826cb6fd4b0253b7341539a0adc9fde19452a5092c486eeef227772b1aedca8fc240a8bfba1f905f17f043d057bbe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrsjjf2a.dll
Filesize
5KB

MD5
27f78d95c6e90669b221bf79cdf955c6

SHA1
073b83e9781ef75ce0036c93a546dec715188bee

SHA256
ea04d34839d1a527471a9fa44ad33029756d0d314cb7c80eae419d0c4f32d24f

SHA512
b6b721b9ebba240843511ce56b0b5a1d8b4b2d7a9982588018585784f1d4415ab1b51ade61aef94de48a7cf1d85a87ec2b6782ee3418fdf276e84728450dd921

Download Submit
C:\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2E52.tmp
Filesize
652B

MD5
1f0fcc5d57c1bc8de50e05b44d78136c

SHA1
595fbe20283fd309dd9bfc3f358d16db7a071fc8

SHA256
c396735e1c3cd795e4cd06766903a6f3a22d07b7cb67340b2ec224f8c6f9347e

SHA512
06a9aaa7b9492ad0d8c74e6a68f52bdae3a36e4838520edfbc2f84c71b9256dd703af7035dd2945366203b678cb0c7d797dc209d0db3cddf81124d55386813d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrsjjf2a.0.cs
Filesize
4KB

MD5
70f022f070cf482df351e9b5941d8aaa

SHA1
33fa087c2ba66617e82670fb6892a72d77839e48

SHA256
bc5521223a2a12258ef51cf5700ee2c4764fcbace68dff77f72c1a9ff3636097

SHA512
d81bb89414d68a6cdf740bab12b7afaf8018957ec55ceac982909373cca5c5239256651ee5ff7fc2236e1003067aaebaecc96e26d664cb5a7500edc7a8426170

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrsjjf2a.cmdline
Filesize
206B

MD5
4bb2de2cf3c2c84e811fb58b9ecc1314

SHA1
054bfaf29993fbe284e3e0d7f375135b6a0a2eae

SHA256
2e6b1cd365034a46e3d02a8bc34ea176ac14621d74a1ae8ee379cc2a99ae3b68

SHA512
9956dfcd9f5ad4fd3a216c7f51a6c9eca70b3b727f167d408d7b32f9a3c91347cb53c5174062fd86fbf06c193bd7e02f53f046c2664a463ecc88dbc5a20046b5

Download Submit
\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
\Windows\SysWOW64\install\server.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
memory/568-56-0x0000000000000000-mapping.dmp

Download
memory/1204-86-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1244-55-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/1244-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1244-88-0x0000000074BA0000-0x000000007514B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-108-0x0000000000000000-mapping.dmp

Download
memory/1364-125-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1364-116-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1364-118-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1548-102-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1548-91-0x0000000000000000-mapping.dmp

Download
memory/1548-99-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1548-93-0x0000000071D41000-0x0000000071D43000-memory.dmp

Filesize
8KB

Download
memory/1692-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-74-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-94-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1692-83-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1692-80-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-79-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-77-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-104-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1692-75-0x000000000040E1A8-mapping.dmp

Download
memory/1692-89-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-111-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1692-117-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-72-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-70-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-71-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-69-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1692-68-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1960-121-0x0000000000000000-mapping.dmp

Download