cybergate | 802c938affddb13b2d150a7ee30444f89ecf76d15937376a589153ff75b3ecb6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_57cb82b051febc9b951f50dc64aad273.exe
Size

1.1MB
MD5

57cb82b051febc9b951f50dc64aad273
SHA1

a550a69a0ab70d8474a88e3da83884aa14fe5d80
SHA256

802c938affddb13b2d150a7ee30444f89ecf76d15937376a589153ff75b3ecb6
SHA512

9aa5eec4ee72b95fb04c8c0cb1f6a275e2e1d57ffdf70e16b591a38aad84b2a03a11fb29b42e987109c3cb34ef01b96236f2a5aa39971acce40a90c5de52d1ab
SSDEEP

24576:x9eO3ttmSOQAfQ8RVfynHl1qAP/cw5/t8/2I:bks11t

Score

10^/10

cybergate cyber persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

mrelectrox.no-ip.biz:82

Mutex

10F0LQAB011466

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Detects binaries and memory artifacts referencing sandbox product IDs 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5048-34-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/5048-35-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/5048-33-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/5048-31-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/5048-134-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/4356-147-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/832-146-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/832-153-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID
behavioral2/memory/4356-158-0x0000000000400000-0x0000000000451000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxProductID

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	UPX
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	UPX
behavioral2/memory/1896-27-0x0000000000400000-0x00000000004C1000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	UPX
behavioral2/memory/5048-39-0x0000000010410000-0x0000000010475000-memory.dmp	UPX
behavioral2/memory/3680-105-0x0000000010480000-0x00000000104E5000-memory.dmp	UPX
behavioral2/memory/5048-100-0x0000000010480000-0x00000000104E5000-memory.dmp	UPX
behavioral2/memory/1896-155-0x0000000000400000-0x00000000004C1000-memory.dmp	UPX
behavioral2/memory/3680-979-0x0000000010480000-0x00000000104E5000-memory.dmp	UPX

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DEATH.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	DEATH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	DEATH.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DEATH.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6W3AG713-UG5H-1EMU-F6QH-03V5H0JBE245}	DEATH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6W3AG713-UG5H-1EMU-F6QH-03V5H0JBE245}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe Restart"	DEATH.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_57cb82b051febc9b951f50dc64aad273.exeDEATH.exeDEATH.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	VirusShare_57cb82b051febc9b951f50dc64aad273.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEATH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	DEATH.exe

Executes dropped EXE 8 IoCs

Processes:

DEATH.exeYTBot.exeDEATH.exeDEATH.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

3880 DEATH.exe
1896 YTBot.exe
5048 DEATH.exe
3680 DEATH.exe
2108 svchost.exe
4092 svchost.exe
832 svchost.exe
4356 svchost.exe

pid	process
3880	DEATH.exe
1896	YTBot.exe
5048	DEATH.exe
3680	DEATH.exe
2108	svchost.exe
4092	svchost.exe
832	svchost.exe
4356	svchost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	upx
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	upx
behavioral2/memory/1896-27-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\YTBot.exe	upx
behavioral2/memory/5048-39-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3680-105-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/5048-100-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1896-155-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/3680-979-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DEATH.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\svchost.exe"	DEATH.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/1896-155-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

Processes:

DEATH.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinDir\svchost.exe	DEATH.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\svchost.exe	DEATH.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DEATH.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3880 set thread context of 5048	3880	DEATH.exe	DEATH.exe
PID 2108 set thread context of 832	2108	svchost.exe	svchost.exe
PID 4092 set thread context of 4356	4092	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3464 832 WerFault.exe svchost.exe
552 4356 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DEATH.exe

pid process

5048 DEATH.exe
5048 DEATH.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

DEATH.exeYTBot.exe

pid process

3680 DEATH.exe
1896 YTBot.exe

pid	pid_target	process	target process
3464	832	WerFault.exe	svchost.exe
552	4356	WerFault.exe	svchost.exe

pid	process
5048	DEATH.exe
5048	DEATH.exe

pid	process
3680	DEATH.exe
1896	YTBot.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DEATH.exe

description	pid	process
Token: SeBackupPrivilege	3680	DEATH.exe
Token: SeRestorePrivilege	3680	DEATH.exe
Token: SeDebugPrivilege	3680	DEATH.exe
Token: SeDebugPrivilege	3680	DEATH.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

YTBot.exe

pid	process
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

YTBot.exe

pid	process
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe
1896	YTBot.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

DEATH.exeYTBot.exesvchost.exesvchost.exe

pid process

3880 DEATH.exe
1896 YTBot.exe
1896 YTBot.exe
2108 svchost.exe
4092 svchost.exe

pid	process
3880	DEATH.exe
1896	YTBot.exe
1896	YTBot.exe
2108	svchost.exe
4092	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_57cb82b051febc9b951f50dc64aad273.exeDEATH.exeDEATH.exe

description	pid	process	target process
PID 2456 wrote to memory of 3880	2456	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	DEATH.exe
PID 2456 wrote to memory of 3880	2456	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	DEATH.exe
PID 2456 wrote to memory of 3880	2456	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	DEATH.exe
PID 2456 wrote to memory of 1896	2456	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	YTBot.exe
PID 2456 wrote to memory of 1896	2456	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	YTBot.exe
PID 2456 wrote to memory of 1896	2456	VirusShare_57cb82b051febc9b951f50dc64aad273.exe	YTBot.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 3880 wrote to memory of 5048	3880	DEATH.exe	DEATH.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe
PID 5048 wrote to memory of 1244	5048	DEATH.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_57cb82b051febc9b951f50dc64aad273.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_57cb82b051febc9b951f50dc64aad273.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\DEATH.exe
"C:\Users\Admin\AppData\Local\Temp\DEATH.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\DEATH.exe
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\DEATH.exe
"C:\Users\Admin\AppData\Local\Temp\DEATH.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\WinDir\svchost.exe
"C:\Windows\system32\WinDir\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\SysWOW64\WinDir\svchost.exe
C:\Windows\SysWOW64\WinDir\svchost.exe
6⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 552
7⤵
- Program crash
PID:552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1244

C:\Windows\SysWOW64\WinDir\svchost.exe
"C:\Windows\system32\WinDir\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\WinDir\svchost.exe
C:\Windows\SysWOW64\WinDir\svchost.exe
5⤵
- Executes dropped EXE
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 588
6⤵
- Program crash
PID:3464

C:\Users\Admin\AppData\Local\Temp\YTBot.exe
"C:\Users\Admin\AppData\Local\Temp\YTBot.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 832 -ip 832
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4356 -ip 4356
1⤵
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
a64b56de1a171535c4c30e3dd6261629

SHA1
963627c48fe251dd7d7817d2e0af5318f1d7a2e7

SHA256
56b94ca42000d578753bee56caa99bdc353c90c0b8df4880815cac869c827b13

SHA512
928a5898b1828c5f37232d9dea9592ece6e990146b81e2832de9d51dad2c369ac8ba78054eb26e1dc94082ca04e402de5ddab862649d79de91bda50ccb22dc80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
5e3c7e143b5dae966ce52b5e3f737011

SHA1
2ee48f6aaf123c22031535a4516cc928e59221c7

SHA256
8300b92875b4572ad5aaa5700b8588f94c34177bbad335e0a684d74cb06426ed

SHA512
60c9fa2d5f778f2d68da78a9b01483d2f37c96fafd203b11835954f9aac0509326174400cc28a2fb4e6fdd8bed332327f1caf09fdc08f7eee6560cb38497c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
6379d76e775dc61e29590335785b4340

SHA1
690ddb04c4e7f394ecea1c03bfa431690541c081

SHA256
3df17da482bed104a00a8d1dfe95c22d55f42f04e3fb3e7be4dd0e56b22c19ee

SHA512
1a8cbb9c3778ab2a153333046186b5a16d20c492402192566dd444859ac163bcd7d58495b209e641a00443d417ed5ad3cbe28a63b81231bd2b9d1b092b26200c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
07247d77e088bd9f77d86783e5f08889

SHA1
816b5562ffe901e0fbc0f092b7cdd5c467942f8b

SHA256
72041391da524bed6727ca3b99f38c10a923a81e1e1f813207348b0fddf8183b

SHA512
0dda7d3b62fdfd29d8816f5b96eba5b96f48d39f9e99aae0e8c09d779454512a43e9e32c7edc2dd35d9b4c37b7cf2f1b143fea0107f635059fd870dec66db538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
e0d22cde262c2c0f60eb12b9f2a0bf2e

SHA1
88f04d71fe6272c7181de8553e3c79ff0cc4fbf1

SHA256
5a07a57c26d0bf4b7d5885400f5d40527bd8027a4e2dd43e31a05a1f88933cb8

SHA512
1b73eb9c9620b2631e31c4ee7c79549651301bb3725befbe77a1b6ccffea598b200868c32e4a78d7ecb5de99cfef4d07d0a1e4b989706faca710523c8285caa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
afb17f2f39c254193082c315e05e6ce0

SHA1
3aa83662833f648d54e4b3b553f721a63a897d36

SHA256
13be56e0aac3cd9d0864df8a5fbcc2bc3db522ad21c0e5cf605001823f20ce72

SHA512
db64e080b73776ec9c82c62cfd1c6e22ee1167f5f2cf9e1a32b17b2b66ad868f329de342eb31f42c2a00f649d1c6790aca52b2def53a7f3452dc7ed0039265f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
9be7243dbd6cdd10ef8163233f4323c4

SHA1
83a39e6798f9bb5ca036ce4d34cf949dd036ce01

SHA256
10f9cc635eb93291aa06100de1fab6383439e45d7ec62361b1ec70a2fce4747f

SHA512
325f00f86e9b92f3e19ea345ccfde7e1421a0a1b9ae1d791ad930001e7ead415011b1f4685df6ad395cc9b867566b67805dc688563a354fbd7b3d4d6e8069a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
d9aaa300ee5e3407e7d81d91aa789edd

SHA1
aa369aa5840cb00c476991a624d20d2f6cd80240

SHA256
a311e3520c1558b617a890a986ad20cfd13dacf61d974039bdeddbd6ae6dd3f7

SHA512
5009ba592873cb39ac0fbb5da16a10222c20a62d899197912982cb8bf2a5b68596d6412a0a082c0daa0a0d4028156bda09009fd06144ba7f5cacd16b8d633c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8d2f572a3b0f74d396e2a1afea5beae5

SHA1
a143ab20fddf3cde1af4e0700d5cb23c93af3c15

SHA256
658b36c7834d9897d71f238829d8988f194ac04ba2718185eff99faae31864d1

SHA512
201314eb71191b80f94944ac6b1096f7c78c5400efc0a7f474824b63388b3715179ff2507b07bf761378bab2c5f6b12e18227349d2a5acabc191a18a658909c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
68274e8fdfb1c650797ffc6bc46b6234

SHA1
d924a70531563ae482fc7196661592d8f739a270

SHA256
c037b3082e9797ebf446d3152f0e5ff81376ca97cb30134b956f94d305e679a9

SHA512
e0687c9c949fa3b2c8dc7e2a4cbb134803835add7715a2ba16fbad355f1d3ab597befac98eefa253f00d07e77ece0a3117de30837268333c198260d160fd0673

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2b97bb1b1d827526e450678eb0a822d8

SHA1
41e092ada7a39e6250af9a073695ec4d65f914da

SHA256
c8c1722697de291c771ed62a4ba555c0e37d28fdb5894b632af51979edf00e28

SHA512
eab9b4918fc769c95d522fc8ea5145cb636d576fe26000b3e46ac400fd7485eee73c09527d696ffe5832976106b37b6e6dd1d49dbc0e9798132973553fa37dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
58a50eefd29d08c8d0521fae7e395653

SHA1
2afe6538eb429a97c25088afe00b418e30d485c9

SHA256
5f037556728286a88f0dc43fb503b576707a6845571cdee24208ba01220c8bfe

SHA512
f61da75749b47ede99316f665cf7a6477e4291c8ca2fd48a27b11dccfc716fbc6be9fd8a0f2b268b491fb0e8fbfff021788a7f37d9e8c950e689ed52082132bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8e622497e3ad3e6148ac5de6c2dbd1e1

SHA1
96e035d6a4f32ca1ff53b36a3046a57a27257bf7

SHA256
9adabc13ba5f3ae3dba3cfc3ecc9cdc9fc9b4ed8c5dd205617f49ebd69bc006c

SHA512
cd2e681b5fd3cccd171364899a05ff07975d4c42812cb267aa8d9bf063660775a0f7f74466fbcbc5e82a2f51ca58a43dee2ba448fd57573d0d5dd6db85f6a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
8f304723219a77ba8f7a2b93ff7b2237

SHA1
7cdc5fa7067e9f9998365eecade224ee295322f2

SHA256
62d8f97d1041faf0d3535e75cdcde5230d573ecec30cb7058a76dbf33229980a

SHA512
69651e9c35a4c5bd0acd75c106e9f569a6aab37dec9f98980c195e57db0987292f198ebe685c815022a7dba7a9b66ef3d6e47cd8f20553cc4de6bc49eca06002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
7c0165f71dbde1003a9774c530be98f2

SHA1
c4915835f88e1157557fc0b792ef579bbd96d7b7

SHA256
efedc853c22d1dae3319977221ccd7d1bc5a118fd2c0bf5bda0dbd2f976df1ed

SHA512
f04cd8788ea327acc084133b5c43c7e4b9d9ff53f24b1dc56eba4c7c43b5a77c87457d50d6459c73beb5e13f2eaf689db8d881798e8132a7635adcb1891dce72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
4992ba3f4a42724c20c9468a03c47f28

SHA1
b5d0f2625ec47b61331e0d93cb64a7cfe60351cd

SHA256
72935c17f8d1f330ce4bbb77de7543d2854bcffa98468686e508e8ba45cf4b7c

SHA512
33d902a5e87831cc54da1f991c5f3085ff9a282e8f9c05732b9a07ce73bd92d22374bcfff2b822fe84179d9c0180fc60a81c9179abd101ee36137fe5f0866d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
09044d3de3dc222a434d8eba40f97730

SHA1
0d8c7fc398447fbeac9632e33f3d194e88a2a6cf

SHA256
e589ffa1e6ea4bb991bc67144408d8bd7933e05c7eff00ceb30ee13254d6f986

SHA512
11c0db2455ab6065e0d5b5b1d4ab18cc8e1615a1739d33ce54072be6b372c3d8a263f0a55b94c0f6f19efe718e3fadeefc6592945d57b0f2a2702cebf5dbb23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
851e44cf5090db85b172cc4a7471796f

SHA1
9aea2cba9a14fe7e44222bc4c63aee26e170345b

SHA256
900817f7e038dcc44f491dfdc5121bef7e94af5d141631b63fdb839c5f2596c0

SHA512
d4143bf01452883c565df2b204c348d81e2416079bf6dd1b38a5714c2e69990b9a4adf2991ab8dad210a4fa495f7f27b0ca943671a31328e2fa183d34fcc88cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
bd5afe2e4cd8c5c15d1aa50b513ca718

SHA1
184859568a448b1719bffd40417ec037d85fa3fa

SHA256
6de34d1e6504216854350ddb546eea7fd426f6162e1bc209653a8114791efe67

SHA512
87e28e16f9b73800e0a05e95039b6b113b0937bc3e754e80b357b0991923c4d9c02fb92ab4eef70c46760ecd99fb8e37f5d3984ecd9d71441f90cc38c1e15217

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
Filesize
29KB

MD5
9766899057d198c15e4bfae811811f68

SHA1
6bb59304809b9ae409cc6fd35ec05c40d4334305

SHA256
34d30a83716fce49db0d9ca41375942a84d9b174809987f4bd1064dbe6419275

SHA512
9e1061ccbc219cd9b8ceb5e658c9df8d633cd16b00eccc7ef2226ba3110dc70e404242dbd72642a83d5c0eab0a12a784b3c8a93affae4795a43ee6e6e130cd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
Filesize
28KB

MD5
107c91be8cdc5949bd0fa662c1d3de92

SHA1
c6763cba7e2580c088a727d9119a051dc98efdf7

SHA256
014d196bb01a3e67e9b903b44decaf7e9967e9c79694f72e2b5b71a692cf64e0

SHA512
e096b9c879468104ae97d07c90cd16970eea74231e013c244e2ebaf6b7b81b2f4c4b10c77135bf5381378d1edb4583966ba75eec98003a4f6d95d4efc0063e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
Filesize
195KB

MD5
f896ebd5a74fef5ec229b82d4acc55ca

SHA1
c7c83f0485e0054492d0aa39a729c0bf0782d86f

SHA256
d8f412c1b978c91ae71e0d0b3ecdb9aff9448b0d8be4a7fb5b915e2bad098b3b

SHA512
2b06a1cfbb5580eb69de89cf6b98ec65516af67e5a5c54496dde4762b663b351c5d52d3e6548d9929fae49a69c77ffb663573d3c8cb0d162362ddc95df88e2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
Filesize
420KB

MD5
4a94c16181fb048a62e3e2b6af772e46

SHA1
11b4fd7ebb9163e23a81148a1ba24e6aa8a0af07

SHA256
5d1d74ffa068e9eaf8bbf6ee0d4d50664019158815d5767563a37787f135fe03

SHA512
06a5f26c91b7ca93bea7ee7c51e5f2c31205003675e8f72b5331055c72d549adbcf0b57af14ac5ad27bbf18c8fb02194462f2621226b1611235cf33191e58598

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEATH.exe
Filesize
78KB

MD5
673e58e28f38a8014641bf95ae429463

SHA1
d58d05560442f8d87e35c141ba7de16604bc5a8c

SHA256
3716769d0eebb011876882fcf96311b562c9c386dfba9cba0c039e6a3b62de59

SHA512
e612b7e4b8f7e8cc1463145beaa172d8fa60d74cfbdc8b7bd72a95d69804b7825c1bc567d2d2991ccbcc2cffbc00c9e7619e48c9e1ee580f50c4ba55f045de03

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTBot.exe
Filesize
28KB

MD5
815ec0de6a0aa54b827a2d8700b4a637

SHA1
3997159c71df27330f366032f7caa0321a607bb4

SHA256
e8a9af3c8ca020dfa7bfb1f76aeff1b9b46cf913c75ede6f80aa41b95630683a

SHA512
ef993cb7166b7320b884488047af30e468e87927a867eefab671214e06192393f9c7c2cb5871c0360bf82755251ae50ee921785f5150bc1f92eee8abb18992a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTBot.exe
Filesize
33KB

MD5
0202ca0c83da07fad75565ae2c39256b

SHA1
21ed7f125f2ac332155b79118ed3d48271a7ae73

SHA256
94b2bec5fe62f2465e461b884cc767abc4b91e93a1e6dad4889d447ee5993678

SHA512
b09068cd2abbb4ff73a5cd604e3df735e9210d5c071276fca2e9c51142ffa12f9cad1d252cdd615cf5ea9f0e053fc280658685bf4353563b87fa36210fe1555d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTBot.exe
Filesize
33KB

MD5
173757ca84efc1c6b13a410e352d9a23

SHA1
51772517a8be093b926ba920e7f507d012f48773

SHA256
3a89b34b99df18321acd1673f0fb2da9e6fc953478ff4704c6798ee564404af0

SHA512
eaa25ee18bf341bfca9ea8ae93d78572a8679284b6b3fea1dffd165520a577f999d05983ea67c5c7304d42d55332ef7b65b454cdb1aad5501f7005dfef0f1d40

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\WinDir\svchost.exe
Filesize
376KB

MD5
6958575182fa9a9fd3978eea5b59a8ff

SHA1
10752591c7aeef4c8cf00fa5179569fe8dbfff6d

SHA256
6b2f74a4d5ac8d924751ca8a8559a2f3a70825c15b7cb7ef161281f94a11ff86

SHA512
0c7794d807ca028b53328f4cd94b939c359eb268e9bf6a16fa8d86ec92dd496fab016e33843bb424f26d3e2febd59dc45fa3d6b6aa3de498217642365254a0e2

Download Submit
C:\Windows\SysWOW64\WinDir\svchost.exe
Filesize
238KB

MD5
1081d7639342b8f1f68493a6e2b8cf26

SHA1
e73d60bc5395a768b7bd9f0291b2ee13d67eb551

SHA256
7b85bcfb6f4be7083337d27feb58ad9bd17687dafc5b6059eaeb88027e295159

SHA512
da977303933c955c7a9e30c9f274ebf0a07961c00d5a0169503dddc8a6bd632436916ce06bdf89b5ad3c03e79705046f1ef37b540af1d69f3c017abe619feb2c

Download Submit
memory/832-153-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/832-146-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1896-155-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1896-27-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2456-1-0x00007FFB48630000-0x00007FFB48FD1000-memory.dmp

Filesize
9.6MB

Download
memory/2456-2-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download
memory/2456-0-0x000000001BC50000-0x000000001BCF6000-memory.dmp

Filesize
664KB

Download
memory/2456-4-0x00007FFB48630000-0x00007FFB48FD1000-memory.dmp

Filesize
9.6MB

Download
memory/2456-29-0x00007FFB48630000-0x00007FFB48FD1000-memory.dmp

Filesize
9.6MB

Download
memory/3680-43-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3680-44-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3680-979-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3680-105-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4356-147-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4356-158-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5048-39-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/5048-31-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5048-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5048-35-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5048-34-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5048-100-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5048-134-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download