cybergate | ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b

General

Target

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Size

500KB
MD5

2beeb28066bebbc7413c177a95423b6e
SHA1

ab487604abc06e9e313156986e262c4ca0705d82
SHA256

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b
SHA512

b581db7b9ef6114d6ad89f533a0c87bc519c115c932caab04314d9bee6ffd7402519ef09bc4e8d54fcee2198c3eb466cdc86d5ad96d6867f71283ff4b9b8de61
SSDEEP

12288:UF5nN3kwcpKk3atHKjs6yhg68U6Uu9eN:UF5N31lgjsx/B6

Score

10^/10

cybergate system persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

System

C2

rambler.3utilities.com:25000

Mutex

M80U2O834D5551

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinRAR
install_file
WinRARExt.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
priv
regkey_hkcu
WinRARn
regkey_hklm
WinRARn

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinRAREx = "C:\\Program Files (x86)\\WinRAR\\WinRARExt.exe"	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinRAREx = "C:\\Program Files (x86)\\WinRAR\\WinRARExt.exe"	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

Executes dropped EXE 2 IoCs

Processes:

WinRARExt.exeWinRARExt.exe

pid process

1172 WinRARExt.exe
1676 WinRARExt.exe

pid	process
1172	WinRARExt.exe
1676	WinRARExt.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{LBQV4T3W-083S-2Q05-ONIH-AO754EJ0G4K0}	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{LBQV4T3W-083S-2Q05-ONIH-AO754EJ0G4K0}\StubPath = "C:\\Program Files (x86)\\WinRAR\\WinRARExt.exe Restart"	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{LBQV4T3W-083S-2Q05-ONIH-AO754EJ0G4K0}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{LBQV4T3W-083S-2Q05-ONIH-AO754EJ0G4K0}\StubPath = "C:\\Program Files (x86)\\WinRAR\\WinRARExt.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/524-73-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/524-82-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/900-87-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/900-90-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/524-94-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral1/memory/1680-99-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral1/memory/1680-106-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral1/memory/1680-126-0x00000000104F0000-0x0000000010551000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

pid	process
1680	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
1680	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinRARn = "C:\\Program Files (x86)\\WinRAR\\WinRARExt.exe"	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRARn = "C:\\Program Files (x86)\\WinRAR\\WinRARExt.exe"	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exeWinRARExt.exe

description	pid	process	target process
PID 1756 set thread context of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1172 set thread context of 1676	1172	WinRARExt.exe	WinRARExt.exe

Drops file in Program Files directory 4 IoCs

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exeba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

description	ioc	process
File created	C:\Program Files (x86)\WinRAR\WinRARExt.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRARExt.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRARExt.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
File opened for modification	C:\Program Files (x86)\WinRAR\	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exeWinRARExt.exe

pid process

524 ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
1676 WinRARExt.exe

pid	process
524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
1676	WinRARExt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

description	pid	process
Token: SeDebugPrivilege	1680	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
Token: SeDebugPrivilege	1680	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

pid process

524 ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

pid	process
524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exeba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe

description	pid	process	target process
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 1756 wrote to memory of 524	1756	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE
PID 524 wrote to memory of 1276	524	ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
"C:\Users\Admin\AppData\Local\Temp\ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
"C:\Users\Admin\AppData\Local\Temp\ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:900

C:\Users\Admin\AppData\Local\Temp\ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe
"C:\Users\Admin\AppData\Local\Temp\ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b.exe"
4⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Program Files (x86)\WinRAR\WinRARExt.exe
"C:\Program Files (x86)\WinRAR\WinRARExt.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1172

C:\Program Files (x86)\WinRAR\WinRARExt.exe
"C:\Program Files (x86)\WinRAR\WinRARExt.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRAR\WinRARExt.exe
Filesize
500KB

MD5
2beeb28066bebbc7413c177a95423b6e

SHA1
ab487604abc06e9e313156986e262c4ca0705d82

SHA256
ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b

SHA512
b581db7b9ef6114d6ad89f533a0c87bc519c115c932caab04314d9bee6ffd7402519ef09bc4e8d54fcee2198c3eb466cdc86d5ad96d6867f71283ff4b9b8de61

Download Submit
C:\Program Files (x86)\WinRAR\WinRARExt.exe
Filesize
500KB

MD5
2beeb28066bebbc7413c177a95423b6e

SHA1
ab487604abc06e9e313156986e262c4ca0705d82

SHA256
ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b

SHA512
b581db7b9ef6114d6ad89f533a0c87bc519c115c932caab04314d9bee6ffd7402519ef09bc4e8d54fcee2198c3eb466cdc86d5ad96d6867f71283ff4b9b8de61

Download Submit
C:\Program Files (x86)\WinRAR\WinRARExt.exe
Filesize
500KB

MD5
2beeb28066bebbc7413c177a95423b6e

SHA1
ab487604abc06e9e313156986e262c4ca0705d82

SHA256
ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b

SHA512
b581db7b9ef6114d6ad89f533a0c87bc519c115c932caab04314d9bee6ffd7402519ef09bc4e8d54fcee2198c3eb466cdc86d5ad96d6867f71283ff4b9b8de61

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
222KB

MD5
24646f7ee8e56142453677281f0f1621

SHA1
1049ef100d8a1c45f994c877724900ea52b1ed55

SHA256
e054016a09fb0b230faed3d28af2c7d78741b3fd1b13f8e4a9b626e4334432e2

SHA512
7c8c4f32f9767bce1b786e442148f7002b2608f9ed212bd61759a61b950995e18d1861e2d9dbd196656ed37908f74b9ec92d3952937b277dfd0793ac3e9de3f0

Download Submit
\Program Files (x86)\WinRAR\WinRARExt.exe
Filesize
500KB

MD5
2beeb28066bebbc7413c177a95423b6e

SHA1
ab487604abc06e9e313156986e262c4ca0705d82

SHA256
ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b

SHA512
b581db7b9ef6114d6ad89f533a0c87bc519c115c932caab04314d9bee6ffd7402519ef09bc4e8d54fcee2198c3eb466cdc86d5ad96d6867f71283ff4b9b8de61

Download Submit
\Program Files (x86)\WinRAR\WinRARExt.exe
Filesize
500KB

MD5
2beeb28066bebbc7413c177a95423b6e

SHA1
ab487604abc06e9e313156986e262c4ca0705d82

SHA256
ba30cf259f6212a8b1e1ef6f7c71c7be53ede3a80c9d6a423237bc0c4e224d2b

SHA512
b581db7b9ef6114d6ad89f533a0c87bc519c115c932caab04314d9bee6ffd7402519ef09bc4e8d54fcee2198c3eb466cdc86d5ad96d6867f71283ff4b9b8de61

Download Submit
memory/524-66-0x000000000040BBCC-mapping.dmp

Download
memory/524-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-71-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-73-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/524-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-100-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-94-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/524-82-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/524-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/524-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/900-90-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/900-81-0x0000000074C21000-0x0000000074C23000-memory.dmp

Filesize
8KB

Download
memory/900-87-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/900-79-0x0000000000000000-mapping.dmp

Download
memory/1172-121-0x00000000732F0000-0x000000007389B000-memory.dmp

Filesize
5.7MB

Download
memory/1172-103-0x0000000000000000-mapping.dmp

Download
memory/1172-107-0x00000000732F0000-0x000000007389B000-memory.dmp

Filesize
5.7MB

Download
memory/1276-76-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1676-125-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1676-124-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1676-123-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1676-118-0x000000000040BBCC-mapping.dmp

Download
memory/1680-99-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/1680-106-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/1680-92-0x0000000000000000-mapping.dmp

Download
memory/1680-126-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/1756-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1756-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1756-69-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads