cybergate | c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
Size

780KB
MD5

e18a854f8a6075430a2e87c204a503f5
SHA1

4dbc773aaab4bdf80f183bb8c3b9f6297edc16b6
SHA256

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848
SHA512

d923b01666839cf7933181859657bc8d61c1e2d5b64d3ce47923dd5f8b472fc0cee1a30ad6590b077b6b7c86d3ada3d9e20f488419b1820dc33199fa5ed1b745
SSDEEP

12288:91TVHgeC+f33EkDuL6lZJ/5dEWOh+l5YsoaaLCXZeamzUw2:vtF/BlDxaWOIYsPZezUw2

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Victime

127.0.0.1:1024

jerem13.no-ip.biz:1024

rapphykravmaga.no-ip.biz:1024

Mutex

177M1D027VDKYA

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Je m'appelle raphael et j'aime les hommes
message_box_title
CyberGate
password
administrator
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lshss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lshss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lshss.exe

Executes dropped EXE 3 IoCs

Processes:

lshss.exelshss.exeserver.exe

pid process

524 lshss.exe
2372 lshss.exe
2732 server.exe

pid	process
524	lshss.exe
2372	lshss.exe
2732	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lshss.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}	lshss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	lshss.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YUE2IP41-L6FS-O6PU-PFGT-J26GSPJ2K6QU}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/524-148-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/524-153-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2940-156-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2940-159-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/524-161-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/524-167-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2372-170-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2372-172-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/2372-176-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

lshss.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation lshss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	lshss.exe

Drops startup file 1 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UxRNUZJ.exe	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lshss.exec2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe = "C:\\Users\\Admin\\AppData\\Roaming\\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe"	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lshss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	lshss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	lshss.exe

Drops file in System32 directory 4 IoCs

Processes:

lshss.exelshss.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\server.exe	lshss.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	lshss.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	lshss.exe
File opened for modification	C:\Windows\SysWOW64\install\	lshss.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

description	pid	process	target process
PID 1100 set thread context of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

lshss.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ lshss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lshss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

pid	process
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lshss.exe

pid process

2372 lshss.exe

pid	process
2372	lshss.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exeexplorer.exelshss.exe

description	pid	process
Token: SeDebugPrivilege	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
Token: SeBackupPrivilege	2940	explorer.exe
Token: SeRestorePrivilege	2940	explorer.exe
Token: SeBackupPrivilege	2372	lshss.exe
Token: SeRestorePrivilege	2372	lshss.exe
Token: SeDebugPrivilege	2372	lshss.exe
Token: SeDebugPrivilege	2372	lshss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

lshss.exe

pid process

524 lshss.exe

pid	process
524	lshss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.execsc.exelshss.exe

description	pid	process	target process
PID 1100 wrote to memory of 1256	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	csc.exe
PID 1100 wrote to memory of 1256	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	csc.exe
PID 1100 wrote to memory of 1256	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	csc.exe
PID 1256 wrote to memory of 3408	1256	csc.exe	cvtres.exe
PID 1256 wrote to memory of 3408	1256	csc.exe	cvtres.exe
PID 1256 wrote to memory of 3408	1256	csc.exe	cvtres.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 1100 wrote to memory of 524	1100	c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe	lshss.exe
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE
PID 524 wrote to memory of 2432	524	lshss.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe
"C:\Users\Admin\AppData\Local\Temp\c2317978e0b8b9a9d83296bb0264b8a268abac03ddd7996b542e8da2c84af848.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8_4ghhpk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97C1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC97C0.tmp"
4⤵
PID:3408

C:\Users\Admin\AppData\Roaming\lshss.exe
C:\Users\Admin\AppData\Roaming\lshss.exe
3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4120

C:\Users\Admin\AppData\Roaming\lshss.exe
"C:\Users\Admin\AppData\Roaming\lshss.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
5⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8_4ghhpk.dll
Filesize
5KB

MD5
2c110c0ac20d31c9e2c7da5e057a4f99

SHA1
31a81a645d5a4d61d92fc626aa3a1235da35231a

SHA256
97e29ba529d8b909858dd2d1c8f3b7bfb1b98a0e1069703ecb3a8c9738a4c87b

SHA512
9c168ec9170a92ca4e4ba57cdeb001dfbae72cac4f17338482b21fae53a56944785442cc2c224f458630fb0964d8d11e6460ea4cd779fc93c565f098fe8ae06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
36abea9860488a63743493cf7f16261a

SHA1
11cf50d8816ff29a3f9d80b8d21cf9c292082dc3

SHA256
e13c39dd521e744c3808c5f829ea386989632cdb2dc6d0312c4fc79985c5e60b

SHA512
7b6e0b16ee9f23188388c89c053e76ac9942ffc4446c2f87022a631ae7f146b325c35f8d1fe6d1653cd967f7789382f917b1e78d6e9ad09871f782aa7b3afd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97C1.tmp
Filesize
1KB

MD5
9526b9dcbc1fd76c803d929d06cf8fc9

SHA1
5bdf3de1dc623389a21de04c3ac060fbb0d5521d

SHA256
b4f53d30dbe12c2610de10d609b9b72730c9c7d3d1cca509516951e886ef2a26

SHA512
184d827a8770cc1a2490dfc8ae739b8cc3af383893362a262d764e402da786c67821c088a7e0fd41adae9837384ff9cd6dccca90c4f1ea02df1db2b6cd4b8f2e

Download Submit
C:\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Users\Admin\AppData\Roaming\lshss.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
C:\Windows\SysWOW64\install\server.exe
Filesize
16KB

MD5
af7bc41714eb77b791b046bcc4fe06b5

SHA1
c317ad2591ded54999da7bd0506faaba28a627ae

SHA256
275ca108c4188a37ef8c1a97f501c9fd82960e1b4aa6d99a8c81f5a5c82b3b7b

SHA512
219e8fa248219686e3a0889a1bc8cc60897626b5268bcd42d7e08e3c7ae8319e3c296944c166a9d49b9a7db1b031c65f6bfb93f06625db671dc7a0a231573d2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8_4ghhpk.0.cs
Filesize
4KB

MD5
70f022f070cf482df351e9b5941d8aaa

SHA1
33fa087c2ba66617e82670fb6892a72d77839e48

SHA256
bc5521223a2a12258ef51cf5700ee2c4764fcbace68dff77f72c1a9ff3636097

SHA512
d81bb89414d68a6cdf740bab12b7afaf8018957ec55ceac982909373cca5c5239256651ee5ff7fc2236e1003067aaebaecc96e26d664cb5a7500edc7a8426170

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8_4ghhpk.cmdline
Filesize
206B

MD5
b2688ac911510a3cb7ce3f0552f778e1

SHA1
a5bc6219a9176b1a4981ff9c9e477e3330c539d9

SHA256
431f16d61367a2c987ed8c33b9044032ec73c6cf90fe5a5b6b6868d735a40082

SHA512
b6b13c8b6042df21485bdfbd1a2b12dd9d842838031eb426ba4ca4be893bda3ffef533100b42c418801e603e9d98eb0dbc93a9a445128fe5e97f052d29bc755d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC97C0.tmp
Filesize
652B

MD5
821d9046f00d5f2e23285ab726bad5ee

SHA1
a43742ab6d1ced5bd874fbf3604e12f8f8cd208f

SHA256
92fabfbfc01be195a43b9d1189b0e185d429e9ef1a053ea1746aff33482bd47e

SHA512
825d39f3774d96f43a673aa86e93e772ba8505f7e1f98b7fa4baab14c9f8d331bb511584bcb2659c30cee383a4d510ab034421e2dfae1fa297c7f7ed7521d009

Download Submit
memory/524-140-0x0000000000000000-mapping.dmp

Download
memory/524-161-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/524-145-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/524-146-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/524-148-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/524-171-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/524-153-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/524-167-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/524-141-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/524-144-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1100-132-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1100-175-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1256-133-0x0000000000000000-mapping.dmp

Download
memory/2372-165-0x0000000000000000-mapping.dmp

Download
memory/2372-170-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2372-172-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2372-176-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2732-173-0x0000000000000000-mapping.dmp

Download
memory/2940-159-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2940-156-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2940-152-0x0000000000000000-mapping.dmp

Download
memory/3408-136-0x0000000000000000-mapping.dmp

Download