cybergate | 00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f

General

Target

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Size

563KB
MD5

23939410486a7bd7ea857410d178fa1b
SHA1

4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492
SHA256

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f
SHA512

71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93
SSDEEP

12288:MgOLxkWo1XiA+j5uz4Rj/byFVHLAbRotcYT0Iw5p7ix:MPLlbpA4Rj/YNADlTix

Score

10^/10

cybergate vítima bootkit persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

hbooob.no-ip.biz:333

hbooob1.no-ip.biz:333

xp8.no-ip.biz:333

ad3s.no-ip.biz:333

fof0.no-ip.biz:333

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Googleo
install_file
Googleo.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Googleo\\Googleo.exe"	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Googleo\\Googleo.exe"	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50R342J-GB15-7CLA-QLUV-2BJ54X5E6V13}	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F50R342J-GB15-7CLA-QLUV-2BJ54X5E6V13}\StubPath = "C:\\Windows\\system32\\Googleo\\Googleo.exe Restart"	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Drops startup file 2 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdater.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdater.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Executes dropped EXE 2 IoCs

Processes:

Googleo.exeGoogleo.exe

pid process

1904 Googleo.exe
2040 Googleo.exe

pid	process
1904	Googleo.exe
2040	Googleo.exe

Loads dropped DLL 2 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

pid	process
572	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
572	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1364-62-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1364-65-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1364-66-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1364-67-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1364-71-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1364-367-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/572-390-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2040-405-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2040-408-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/572-412-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/572-413-0x0000000006BC0000-0x0000000006DAB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Googleo\\Googleo.exe"	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Googleo\\Googleo.exe"	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exeGoogleo.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
File opened for modification	\??\PhysicalDrive0	Googleo.exe

Drops file in System32 directory 4 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Googleo\Googleo.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
File opened for modification	C:\Windows\SysWOW64\Googleo\Googleo.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
File opened for modification	C:\Windows\SysWOW64\Googleo\	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
File created	C:\Windows\SysWOW64\Googleo\Googleo.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exeGoogleo.exe

description	pid	process	target process
PID 1736 set thread context of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1904 set thread context of 2040	1904	Googleo.exe	Googleo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 6 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exeGoogleo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Googleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Googleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Googleo.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

pid process

1364 00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

pid process

572 00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

pid	process
1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

description	pid	process
Token: SeDebugPrivilege	572	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
Token: SeDebugPrivilege	572	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exeGoogleo.exe

pid process

1736 00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
1904 Googleo.exe

pid	process
1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
1904	Googleo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe

description	pid	process	target process
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1736 wrote to memory of 1364	1736	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe
PID 1364 wrote to memory of 568	1364	00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
"C:\Users\Admin\AppData\Local\Temp\00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe"
1⤵
- Drops startup file
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
"C:\Users\Admin\AppData\Local\Temp\00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe
"C:\Users\Admin\AppData\Local\Temp\00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f.exe"
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\Googleo\Googleo.exe
"C:\Windows\system32\Googleo\Googleo.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\Googleo\Googleo.exe
"C:\Windows\SysWOW64\Googleo\Googleo.exe"
5⤵
- Executes dropped EXE
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
230KB

MD5
02cf31e7b89d93aa26182455bc2dc94d

SHA1
4e57f686f9efdc9f76d5421a44c4751051aed525

SHA256
b4d18e8fd1313c98a89058205346bd73df08ae9e55721481f1de43c5fa89b1b8

SHA512
bb33d85ef1db40842047e67b50e2bcc528eff70048a8d3ced95d5812dd549aab2c39b92d64190f1f708b11df60190e5511ea9c108e888e560b2540289065d904

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat
Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\Googleo\Googleo.exe
Filesize
563KB

MD5
23939410486a7bd7ea857410d178fa1b

SHA1
4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492

SHA256
00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f

SHA512
71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93

Download Submit
C:\Windows\SysWOW64\Googleo\Googleo.exe
Filesize
563KB

MD5
23939410486a7bd7ea857410d178fa1b

SHA1
4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492

SHA256
00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f

SHA512
71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93

Download Submit
C:\Windows\SysWOW64\Googleo\Googleo.exe
Filesize
563KB

MD5
23939410486a7bd7ea857410d178fa1b

SHA1
4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492

SHA256
00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f

SHA512
71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93

Download Submit
\Windows\SysWOW64\Googleo\Googleo.exe
Filesize
563KB

MD5
23939410486a7bd7ea857410d178fa1b

SHA1
4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492

SHA256
00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f

SHA512
71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93

Download Submit
\Windows\SysWOW64\Googleo\Googleo.exe
Filesize
563KB

MD5
23939410486a7bd7ea857410d178fa1b

SHA1
4aa1823574ca22d3d5f0bbdd4e096fa6d7b08492

SHA256
00634a9303a1701d8e8c8a550603ba5ee9764a905abcfee4b1cbfd88983d9a5f

SHA512
71959b8a17e2d37b77edba82d47a2d3c26cda0d3bd746fdb2f5fe7793639ea3a761589f84a97058e11e77efbd5f5c05cdf527de7ee36ad524a6e14c4e3f3cd93

Download Submit
memory/572-396-0x0000000006BC0000-0x0000000006DAB000-memory.dmp

Filesize
1.9MB

Download
memory/572-389-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/572-413-0x0000000006BC0000-0x0000000006DAB000-memory.dmp

Filesize
1.9MB

Download
memory/572-75-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/572-78-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/572-83-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/572-412-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/572-390-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1364-367-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-62-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-71-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1364-67-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-66-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-65-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1736-54-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1736-55-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/1736-64-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1736-61-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1736-60-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1904-397-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/1904-403-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2040-405-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2040-408-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads