cybergate | 1d0128fd3184a765076397dd308e51bbc578a3639cb9c08ab6b5c36704d772b4

Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

28-10-2023 19:29

24-10-2023 13:29

18-10-2023 12:04

07-09-2023 12:10

Analysis

max time kernel
109s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Size

3.5MB
MD5

54837d1612edd427f413f55d6079fd5d
SHA1

d25af43ee7df4d41373d66bcba7da0a7d217c1c1
SHA256

8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f
SHA512

cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3
SSDEEP

6144:FSAP5c1MI2QLb9/REfzrjNG7i1BV+GKdyIpNd0f:FVTI2QLb9/kzHNGcaXIf

Score

10^/10

cybergate 1112 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

1112

111220402011.no-ip.org:8020

Mutex

XVYJ6C4S2P1EUJ

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Nvidia
install_file
csrss.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1112
regkey_hkcu
Nvidia
regkey_hklm
Nvidia

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}\StubPath = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe Restart"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}\StubPath = "C:\\Program Files (x86)\\Nvidia\\csrss.exe Restart"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\csrss.exe Restart"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DN65T524-XS4I-0A2Q-N6KC-H728FO7441XG}	explorer.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/1688-26-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral18/memory/2640-27-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral18/memory/2672-28-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral18/memory/3940-232-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral18/memory/3564-234-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral18/memory/3940-252-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral18/memory/5064-259-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral18/memory/3564-261-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral18/memory/5064-332-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral18/memory/4552-445-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral18/memory/2212-468-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Program Files (x86)\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia\\csrss.exe"	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4204 set thread context of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 set thread context of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 set thread context of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nvidia\csrss.exe	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
File created	C:\Program Files (x86)\Nvidia\csrss.exe	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
File created	C:\Program Files (x86)\Nvidia\csrss.exe	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
File opened for modification	C:\Program Files (x86)\Nvidia\csrss.exe	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
File opened for modification	C:\Program Files (x86)\Nvidia\csrss.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\Nvidia\	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3940	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
Token: SeBackupPrivilege	3564	explorer.exe
Token: SeRestorePrivilege	3564	explorer.exe
Token: SeBackupPrivilege	3940	explorer.exe
Token: SeRestorePrivilege	3940	explorer.exe
Token: SeBackupPrivilege	5064	explorer.exe
Token: SeRestorePrivilege	5064	explorer.exe
Token: SeDebugPrivilege	3940	explorer.exe
Token: SeDebugPrivilege	3940	explorer.exe
Token: SeBackupPrivilege	4552	explorer.exe
Token: SeRestorePrivilege	4552	explorer.exe
Token: SeBackupPrivilege	4780	explorer.exe
Token: SeRestorePrivilege	4780	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2672	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
2640	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 2640	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	95
PID 4204 wrote to memory of 2672	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	93
PID 4204 wrote to memory of 1688	4204	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	94
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9
PID 1688 wrote to memory of 3308	1688	8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe	9

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:2672
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in Program Files directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3940
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2212
- - C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5064
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4780
- - C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe
    "C:\Users\Admin\AppData\Local\Temp\8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:2640
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4780 -ip 4780
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4552 -ip 4552
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nvidia\csrss.exe

Filesize
3.5MB

MD5
54837d1612edd427f413f55d6079fd5d

SHA1
d25af43ee7df4d41373d66bcba7da0a7d217c1c1

SHA256
8ba3f20419e36946e978e69ae892805569a3b8e5ae702038065296aae8dc414f

SHA512
cdd9687d6382f5cd3ff031753e00b5cd2a6abd403e37547143d0ac8ed1447b243c5f24d34f98ac08c5aab62c232e9cac2c0b287d7df8cdee605b7eeb07bdcdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
39a4ad803f2b91a95748fa37ea38ba99

SHA1
89625d19217cd3b98c816465d3b526e16076e019

SHA256
8e388d9e3e2e58f6ffb33a7a9b46801379f100cd681217cfe2d58f79799c1f80

SHA512
0d96841387db179f7972d117b04bf20663826ea94bed7d59e9ec8daad4697d1a1b32f6aeeba86156498ed64f255293f08edec65281daf6a00c57fbac7d6c00e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
39a4ad803f2b91a95748fa37ea38ba99

SHA1
89625d19217cd3b98c816465d3b526e16076e019

SHA256
8e388d9e3e2e58f6ffb33a7a9b46801379f100cd681217cfe2d58f79799c1f80

SHA512
0d96841387db179f7972d117b04bf20663826ea94bed7d59e9ec8daad4697d1a1b32f6aeeba86156498ed64f255293f08edec65281daf6a00c57fbac7d6c00e4

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1688-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1688-49-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1688-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1688-470-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1688-26-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2212-468-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2640-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2640-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2640-27-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2640-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2640-50-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2640-447-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2640-47-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2672-28-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2672-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2672-471-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2672-48-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2672-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3564-261-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3564-234-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3940-252-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3940-232-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4204-4-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/4204-0-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4204-1-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4204-2-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/4204-15-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4204-3-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4552-445-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/5064-259-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/5064-332-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/5064-41-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/5064-44-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads