cybergate | b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69

General

Target

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Size

1.0MB
MD5

2a7463a6a8c0d8070bba46d64d7bf510
SHA1

42ca122e7cd13cfc9b92ac21bdaceb2bd907472a
SHA256

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69
SHA512

e033750b7308cd084946ad842eba236d95b6c485958e82490d1a71ea164a605f6c57f001f8992daf2fe9f2286b8661599d8962b6c681ff76577729d754c034f5
SSDEEP

12288:TdBxXYib/OGpEhmnH5rfC3oVMM8rUG2fSOfF9TH8JqxpwKcIQUdZ9xxVPC:JXXYib/+4JfCoorU17ffTHEqHwzrUzfC

Score

10^/10

cybergate victima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

Victima

C2

192.168.0.17:84

192.168.0.1:84

85.137.57.212:84

192.168.0.10:84

192.168.0.22:84

62.42.230.24, 62.42.63.52:84

62.42.63.52:84

62.42.230.24:84

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
explores.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Consulte con Megal 24
message_box_title
Error 404
password
101010
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\explores.exe"	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\explores.exe"	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe

Executes dropped EXE 2 IoCs

Processes:

explores.exeexplores.exe

pid process

4272 explores.exe
4300 explores.exe

pid	process
4272	explores.exe
4300	explores.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ENI266-507B-TC2N-FLJI-EMCUYYILY8E8}\StubPath = "C:\\Windows\\system32\\install\\explores.exe Restart"	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ENI266-507B-TC2N-FLJI-EMCUYYILY8E8}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ENI266-507B-TC2N-FLJI-EMCUYYILY8E8}\StubPath = "C:\\Windows\\system32\\install\\explores.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{71ENI266-507B-TC2N-FLJI-EMCUYYILY8E8}	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2008-55-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2008-57-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2008-58-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2008-62-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2008-63-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2008-64-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/4300-116-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/4300-118-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/4300-117-0x0000000000400000-0x00000000004AD000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2824 explorer.exe
Loads dropped DLL 2 IoCs

Processes:

explorer.exe

pid process

2824 explorer.exe
2824 explorer.exe

pid	process
2824	explorer.exe

pid	process
2824	explorer.exe
2824	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\explores.exe"	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\explores.exe"	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 4 IoCs

Processes:

explorer.exeb31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\install\	explorer.exe
File created	C:\Windows\SysWOW64\install\explores.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
File opened for modification	C:\Windows\SysWOW64\install\explores.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
File opened for modification	C:\Windows\SysWOW64\install\explores.exe	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exeexplores.exe

description	pid	process	target process
PID 856 set thread context of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 4272 set thread context of 4300	4272	explores.exe	explores.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exeexplores.exe

pid process

2008 b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
4300 explores.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2824 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 2824 explorer.exe
Token: SeDebugPrivilege 2824 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exeexplorer.exe

pid process

2008 b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
2824 explorer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

explorer.exe

pid process

2824 explorer.exe

pid	process
2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
4300	explores.exe

pid	process
2824	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2824	explorer.exe
Token: SeDebugPrivilege	2824	explorer.exe

pid	process
2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
2824	explorer.exe

pid	process
2824	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exeb31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe

description	pid	process	target process
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 856 wrote to memory of 2008	856	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE
PID 2008 wrote to memory of 1260	2008	b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
"C:\Users\Admin\AppData\Local\Temp\b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
C:\Users\Admin\AppData\Local\Temp\b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:956

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Deletes itself
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2824

C:\Windows\SysWOW64\install\explores.exe
"C:\Windows\system32\install\explores.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4272

C:\Windows\SysWOW64\install\explores.exe
C:\Windows\SysWOW64\install\explores.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
589KB

MD5
98232f93229f0de7badc48e26c8eddca

SHA1
62f1d233f7743956136069d910d0844792a497a4

SHA256
c4113360b66d7b732ebc4777eb21eb2e6dd4ffcc672c225b9ed836110a8a4e6b

SHA512
6f45d775783aa41c35b6210082df02c638cec0fa3c24b51a16fd0502cf4f77cb7d8e3e995c1b002f987af97149b73d8feec12c6954de3f6db62afb7df7811e30

Download Submit
C:\Windows\SysWOW64\install\explores.exe
Filesize
1.0MB

MD5
2a7463a6a8c0d8070bba46d64d7bf510

SHA1
42ca122e7cd13cfc9b92ac21bdaceb2bd907472a

SHA256
b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69

SHA512
e033750b7308cd084946ad842eba236d95b6c485958e82490d1a71ea164a605f6c57f001f8992daf2fe9f2286b8661599d8962b6c681ff76577729d754c034f5

Download Submit
C:\Windows\SysWOW64\install\explores.exe
Filesize
1.0MB

MD5
2a7463a6a8c0d8070bba46d64d7bf510

SHA1
42ca122e7cd13cfc9b92ac21bdaceb2bd907472a

SHA256
b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69

SHA512
e033750b7308cd084946ad842eba236d95b6c485958e82490d1a71ea164a605f6c57f001f8992daf2fe9f2286b8661599d8962b6c681ff76577729d754c034f5

Download Submit
C:\Windows\SysWOW64\install\explores.exe
Filesize
1.0MB

MD5
2a7463a6a8c0d8070bba46d64d7bf510

SHA1
42ca122e7cd13cfc9b92ac21bdaceb2bd907472a

SHA256
b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69

SHA512
e033750b7308cd084946ad842eba236d95b6c485958e82490d1a71ea164a605f6c57f001f8992daf2fe9f2286b8661599d8962b6c681ff76577729d754c034f5

Download Submit
\Windows\SysWOW64\install\explores.exe
Filesize
1.0MB

MD5
2a7463a6a8c0d8070bba46d64d7bf510

SHA1
42ca122e7cd13cfc9b92ac21bdaceb2bd907472a

SHA256
b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69

SHA512
e033750b7308cd084946ad842eba236d95b6c485958e82490d1a71ea164a605f6c57f001f8992daf2fe9f2286b8661599d8962b6c681ff76577729d754c034f5

Download Submit
\Windows\SysWOW64\install\explores.exe
Filesize
1.0MB

MD5
2a7463a6a8c0d8070bba46d64d7bf510

SHA1
42ca122e7cd13cfc9b92ac21bdaceb2bd907472a

SHA256
b31b0e51438a2c2b501ad090edd78ad17a914d310843c551ce2a80d8a6297f69

SHA512
e033750b7308cd084946ad842eba236d95b6c485958e82490d1a71ea164a605f6c57f001f8992daf2fe9f2286b8661599d8962b6c681ff76577729d754c034f5

Download Submit
memory/956-89-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/956-78-0x0000000074D51000-0x0000000074D53000-memory.dmp

Filesize
8KB

Download
memory/956-76-0x0000000000000000-mapping.dmp

Download
memory/1260-73-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2008-63-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2008-58-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2008-65-0x0000000000437000-0x00000000004AC000-memory.dmp

Filesize
468KB

Download
memory/2008-64-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2008-79-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/2008-54-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2008-62-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2008-61-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2008-94-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/2008-57-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2008-67-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2008-59-0x00000000004ABE10-mapping.dmp

Download
memory/2824-102-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/2824-91-0x0000000000000000-mapping.dmp

Download
memory/2824-119-0x00000000104D0000-0x000000001052C000-memory.dmp

Filesize
368KB

Download
memory/4272-105-0x0000000000000000-mapping.dmp

Download
memory/4300-112-0x00000000004ABE10-mapping.dmp

Download
memory/4300-116-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4300-118-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4300-117-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads