cybergate | 756508ea3798cff859903929c4cca1f9e17e76d078123d5371d976c027906d65

Resubmissions

11-03-2024 21:24

240311-z89kgaeg2z 10

11-03-2024 21:12

240311-z16hvaed9s 10

Analysis

max time kernel
66s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c19cc7c41cb7460b3b2c6521f1b9daef.exe
Size

373KB
MD5

c19cc7c41cb7460b3b2c6521f1b9daef
SHA1

efdae6486a820200258740e8c1bf116955c34224
SHA256

756508ea3798cff859903929c4cca1f9e17e76d078123d5371d976c027906d65
SHA512

72ec2f151944c58437343754862df5d09d17c3829b1fc7254ae44313f6e46b9d710a43c45b19efc42fba5c031a625f89a6491cb78d69497f03d5869c00e9d426
SSDEEP

6144:d3rPltasYzp79j2zrFHEPl+xH/UdTJHVKhrEtCyWsEKTnTj5v4:Rna3NNGh6Ul/k3LfEAv5w

Score

10^/10

cybergate cyber persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

1yop.no-ip.biz:100

Mutex

7R65OQ0XHTGJ73

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wmpmetwk.exeaudiodgi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	wmpmetwk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wmpmetwk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	wmpmetwk.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wmpmetwk.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wmpmetwk.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}	wmpmetwk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	wmpmetwk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DYGP4GW8-JX24-7NXD-R84I-6UVR782X5MJI}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c19cc7c41cb7460b3b2c6521f1b9daef.exeaudiodgi.exewmpmetwk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	c19cc7c41cb7460b3b2c6521f1b9daef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	audiodgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wmpmetwk.exe

Executes dropped EXE 6 IoCs

Processes:

audiodgi.exewmpmetwk.exewmpmetwk.exewmpmetwk.exeSvchost.exeSvchost.exe

pid process

1588 audiodgi.exe
4392 wmpmetwk.exe
4040 wmpmetwk.exe
4416 wmpmetwk.exe
4256 Svchost.exe
3068 Svchost.exe

pid	process
1588	audiodgi.exe
4392	wmpmetwk.exe
4040	wmpmetwk.exe
4416	wmpmetwk.exe
4256	Svchost.exe
3068	Svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4040-33-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/4040-93-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1984-98-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/4416-175-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1984-199-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/4416-1313-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

audiodgi.exewmpmetwk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	wmpmetwk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	wmpmetwk.exe

Drops file in System32 directory 4 IoCs

Processes:

wmpmetwk.exewmpmetwk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	wmpmetwk.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	wmpmetwk.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	wmpmetwk.exe
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	wmpmetwk.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c19cc7c41cb7460b3b2c6521f1b9daef.exewmpmetwk.exeSvchost.exe

description	pid	process	target process
PID 4160 set thread context of 1980	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	c19cc7c41cb7460b3b2c6521f1b9daef.exe
PID 4392 set thread context of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4256 set thread context of 3068	4256	Svchost.exe	Svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2568 1980 WerFault.exe c19cc7c41cb7460b3b2c6521f1b9daef.exe
2572 3068 WerFault.exe Svchost.exe
Modifies registry class 1 IoCs

Processes:

wmpmetwk.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ wmpmetwk.exe

pid	pid_target	process	target process
2568	1980	WerFault.exe	c19cc7c41cb7460b3b2c6521f1b9daef.exe
2572	3068	WerFault.exe	Svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wmpmetwk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c19cc7c41cb7460b3b2c6521f1b9daef.exeaudiodgi.exewmpmetwk.exewmpmetwk.exeSvchost.exe

pid	process
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4040	wmpmetwk.exe
4040	wmpmetwk.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
1588	audiodgi.exe
4392	wmpmetwk.exe
4256	Svchost.exe
4256	Svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

wmpmetwk.exe

pid process

4416 wmpmetwk.exe

pid	process
4416	wmpmetwk.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

c19cc7c41cb7460b3b2c6521f1b9daef.exeaudiodgi.exewmpmetwk.exeexplorer.exewmpmetwk.exeSvchost.exe

description	pid	process
Token: SeDebugPrivilege	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe
Token: SeDebugPrivilege	1588	audiodgi.exe
Token: SeDebugPrivilege	4392	wmpmetwk.exe
Token: SeBackupPrivilege	1984	explorer.exe
Token: SeRestorePrivilege	1984	explorer.exe
Token: SeBackupPrivilege	4416	wmpmetwk.exe
Token: SeRestorePrivilege	4416	wmpmetwk.exe
Token: SeDebugPrivilege	4416	wmpmetwk.exe
Token: SeDebugPrivilege	4416	wmpmetwk.exe
Token: SeDebugPrivilege	4256	Svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wmpmetwk.exe

pid process

4040 wmpmetwk.exe

pid	process
4040	wmpmetwk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c19cc7c41cb7460b3b2c6521f1b9daef.exeaudiodgi.exewmpmetwk.exewmpmetwk.exe

description	pid	process	target process
PID 4160 wrote to memory of 1980	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	c19cc7c41cb7460b3b2c6521f1b9daef.exe
PID 4160 wrote to memory of 1980	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	c19cc7c41cb7460b3b2c6521f1b9daef.exe
PID 4160 wrote to memory of 1980	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	c19cc7c41cb7460b3b2c6521f1b9daef.exe
PID 4160 wrote to memory of 1980	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	c19cc7c41cb7460b3b2c6521f1b9daef.exe
PID 4160 wrote to memory of 1588	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	audiodgi.exe
PID 4160 wrote to memory of 1588	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	audiodgi.exe
PID 4160 wrote to memory of 1588	4160	c19cc7c41cb7460b3b2c6521f1b9daef.exe	audiodgi.exe
PID 1588 wrote to memory of 4392	1588	audiodgi.exe	wmpmetwk.exe
PID 1588 wrote to memory of 4392	1588	audiodgi.exe	wmpmetwk.exe
PID 1588 wrote to memory of 4392	1588	audiodgi.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4392 wrote to memory of 4040	4392	wmpmetwk.exe	wmpmetwk.exe
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE
PID 4040 wrote to memory of 3536	4040	wmpmetwk.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe
"C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe
C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe
3⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 80
4⤵
- Program crash
PID:2568

C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
"C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
3⤵
- Adds policy Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
"C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
5⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\explorer.exe
explorer.exe
6⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
"C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\WinDir\Svchost.exe
"C:\Windows\system32\WinDir\Svchost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\SysWOW64\WinDir\Svchost.exe
C:\Windows\SysWOW64\WinDir\Svchost.exe
8⤵
- Executes dropped EXE
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 584
9⤵
- Program crash
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1980 -ip 1980
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3068 -ip 3068
1⤵
PID:2268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
90ff984401e7c720cf1601d51ed77eed

SHA1
9d74e2570323ecd244605675d61a5b68fa646700

SHA256
6b252cecf5b11a68509d608f4c67d8acc84a50b7a28c9a229954fc658e449b18

SHA512
01887384fdc3e4d2b4c2662c8e2bd6ca943d560f2c2300cbe4a106df7285e31d26c09039e532658ea9a7e00d2fe11fb16c12c8e47d688455f82773e0743f5b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
6b871ca1c736c98ab3da25393d7c79d3

SHA1
f28a3de670dfd7e256a16712faecc0254e9f99b5

SHA256
951e6b3150279db5c7adcc0a735b679bc039970b0114fef9ceafa56ad960242c

SHA512
1988ce009987d65b20fd137517252c3fc2e378203c4c07559953648de0838ff486bd27a9feff09fa52aa671d69c98456d2445a6ac4467620aeed9cd59322cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
05793a550adb3367fbef55b3e2cac89a

SHA1
216e04594381fbc873c2e13818023f6d4080273b

SHA256
8c2248d12c937e1cfcf4623817f6166a3f40810d593d7bff8dc9a455c9afa68e

SHA512
65825d2cfae65ad88aa6dc10cdd3e29bd0fd0be485680ace73cf82cc1db74daf855c9918e65a7f5238a2f631806c6872bf7c8213aebdc4892ff2ddcda58c6791

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
63e2a3b0f3d40446dec93f5790672184

SHA1
d7bd5e23abb4a4ffbb096e0141d5b61605cc001b

SHA256
8ed8c4f41fccfc05c8a5137bfd8fb19bf2c90ad501735c6347c64a9f2d922e34

SHA512
f034ee233d4745f6eba1f1db68fa9e8161a4b8282cd4319fa5e3cf8372b530f791b0ad5dbf421f11bff030edf92a3c8af5662bc1d9356dc850d5927da5341aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
f97b98cacf7d92a536898cd289dc67e2

SHA1
5267fc81d83858b2607f90522a9235eb57614a11

SHA256
9808280871b21e252022100f7fdf5958a77300f5306e6d0a1be8e747343b32d4

SHA512
dc14f5a7a05d0773c237511f948c4f2957530e024eb5de457b58b25a0847a8acdd5dff0480cf7d17ca2b17405ba213e5caf48ffd6def4f5db310656d90f5639f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2cce4c93ac737e15c08c60fef53136a2

SHA1
d87eb7349997863b82bb3b80d3694144d9c8434a

SHA256
22955501d28a4412c02d30674722a218573453d89e2790bc78d3c7a36a1b5ccf

SHA512
fcb7fdc02bf24c50947507ee37a8d43aad7199a08b6593256c6aa0d29fb32510245d7aef4d7faee040d62510411a17cd7fb2b8f88439e663bcb0510bbf4fae48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
6e183223624fd124ded27d40db238148

SHA1
c589cef1cb888604ea5be75dbcff32b4aba76dd6

SHA256
4db015dd1d6bce137b22b6a717e0cbaf9122364562b31f3d1593d7acdad3b0f9

SHA512
fe67d4bf786b35ec4e0fa65c060c5c4d7a31891b72d6015b31d7e010c9151decd7a93ae650a94f13f0647db2f9b795426631cdf1839d95e2af102b3e451582ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
97f9abfea47e77bae4965ba4276cf0fb

SHA1
3e6b0f3f42f90592e18c0e6a19cc1c1badbcf35d

SHA256
dd6dd6e7ed95c8ac654ea3e66bd5548c4ce4db1838bacb6a17f547b5498a6c1d

SHA512
330c2c621784c11f0d55fdbb728b4d67ef60ce0aef7d720c13047b6735343fe2c94b1d07ec52c0fb1159b982fb329a5b8841d4e4c34d73b1768a89b957256ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
746ceb28688c0ef0b0beb1b78451e008

SHA1
4df86e40d1db95ed2e56d92a8659543e42cbf167

SHA256
5b5b313923a28ed986327f108cad5a15a1a52034c4d66725f66aeb4057e00b5e

SHA512
d92e0425408b3e368ff23f54e947714120da008d581aa9f1aad5dceaaa8e358c4f670cb5879ceb4751af0ad4e48c733e65a9d2260707f0600e5d2cc0648e0603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
f8b85b19b3a0419e88f58cdd88e34ccd

SHA1
5effa3060cddd808b992daf3b1ff81a2a1322150

SHA256
03a7a44c5cd89ccca3b5800824e55c41785b62a5866c43f885b77bf28069dc04

SHA512
010ad856d2ef18e28ed5b90eace6d235ac4e2ef46c249c9d99a8f40d3ad3bbb3bf191994fff44e7e3ecb1e445ce9f7d29f8216de34f21131cb02ee97b8ecea56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
34ed325aacab6887f9573a1714478510

SHA1
10a26b780e87e9d5900e736bdd0d2661522d16ef

SHA256
60993ffbcde794f05a451d5c4d18f3a52f7ead1e72a0a547dffd3533ab731295

SHA512
34b7dd38da09edf1d145c29d75053fed93ef19e0df105b8bb70effa8361b867d34b30baecd2f721e6a796b0ced31c9c94032790997de3e9debf22f7ceb316551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
022085331cc5dec24d26769b9fa6ab16

SHA1
06c538c50db49991d92f8605bb40fb112b144f4a

SHA256
b5d0d87b8e1c03a07a791121f0f72b81e06d6543110e37f0677054190ba6c0dd

SHA512
0d9bec78f53da22f120ebc8afe14f8ce4e343a8291366293fecfd4b12a3aa60094c69c2d61f7b0e5749b5f06f6ff9c5968fcd111f4bebc9fe7e7d5c70fcee18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
5c6ad0505fc235d528bf9fb098987800

SHA1
361bc37d6a941f737d1e88bd25409a704d4481c1

SHA256
3222f152532a596da244b7ebf77295548cfce4e6add0827ebc77d71f44e99d5a

SHA512
865aa13e7bdf4baac9f9630f6e72bc70426ec8a80b0ed6af1be0af65ad9753aaf3cdf68d963dd3e53119db10254e04fe2cf4798cb4a7526cf9f817459cfcba3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2dbcb4aa00c51993daa2497f47ef24cf

SHA1
6cb9bb71114b9f752d4c2af192d6670974bae3f6

SHA256
e163cf49770e72c0fd1d5a79bd3c692ba5c94d1142b976e7d7f366edaae59097

SHA512
56d0cc822fc087d551380ac4c06a1e47d32065e50f9909a7d5c2b8f6a417dd164e1a5705fbb21324c0e4f0d5a3fb0028edfebcd7a1e38ba0d2d9acfe6ee62072

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
2660597e3c732e2169b1f13e9b4675ab

SHA1
d6ea40a64e0b4cc45012f4e5b549623ab527cd80

SHA256
558f5ba4572a0b0dd8e3960cf684dd76c0ccb19c7e56dd077e27b3a8303e9a80

SHA512
8c901cc3c8272ccec7d99b88530dfe78a6f56a851c9007196ba0a2325206f9b05166466db2671a163fea595662953d5dd5fa8641a3bac0b5c2a22e752282d7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
da448309a204521e062e768b8ae85dd4

SHA1
c123e0554a9c220581c87384a2424f3ac4446e8e

SHA256
b25eb5920e19f30bb3c13151424f85653f1bffa36fa4c68804c906ca9e3fabc9

SHA512
c063f5a9fe647b1acdac35bb80e0822790a1fe167d75fe3c8cd4bf295a1d290d9a5a9aa61261ca217b8e4a3f59e420b039b6c144088ae257278a59ca882bcc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
7260925ff834de46e31fd9582dfeb567

SHA1
010832d6f7c0372897a4f70c23697187991aef34

SHA256
9553aa1529ece6eebd71da727115428aaa4491de47af50c501499aec1018e2c6

SHA512
b1dc448bfd110ece9ea7dd385f50c45bc9453e32cdd64a3b53e4d4abf4a7d0d81de86a924938a7384843dab8924e9a678ef9b26b98aea8a1ced9d36cf18adf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
16e7768359b668bc499d3f397bb612c3

SHA1
f7cf6e09b06c8683e18617477501b292015bbe3a

SHA256
610a7c87de5ab693983632f55c95a03e8b97236042bad492861a624172adee5a

SHA512
9a177c000703b6e56b6afc10826fdb8c2f9e70d68ea51bd130822d053833e6f658faa0d20df60199b20049a4010da801f6aa673733d568f8f0ecf929a7546bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7
Filesize
8B

MD5
5a0d9c8aca7c9477143eaabbc4aa301b

SHA1
d53bf77a593c978c568d027c4108ab2ee7271540

SHA256
a309af575b5068880df05873465a67748ca863efcd9aa3eb0b1785866f0d55f4

SHA512
07c819a03f90a4cca0168d0db1b1145fa55119d5505b9df5f28fad37ef3e33e96a2db22da7c4bfb3834de372c4bf105d4d5acf866083bbc04a98775ccec15c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
Filesize
8KB

MD5
13da1958462e33bd431ed429fbf0da06

SHA1
90699d7b1e43c53b3ed31acc19f3daf758bd4262

SHA256
9fd3a80e2e961f13a35d5637d2401b914d41a32662135c1fded655c73d5b1264

SHA512
84403df4cd56cdae97372b2b63201713d000588c2a7d135eabf65bd85ef70b0b70f30bd30742b0fe0aa0e30fbca1df95755c4c64e24599269b277d7bde9e7263

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
Filesize
373KB

MD5
c19cc7c41cb7460b3b2c6521f1b9daef

SHA1
efdae6486a820200258740e8c1bf116955c34224

SHA256
756508ea3798cff859903929c4cca1f9e17e76d078123d5371d976c027906d65

SHA512
72ec2f151944c58437343754862df5d09d17c3829b1fc7254ae44313f6e46b9d710a43c45b19efc42fba5c031a625f89a6491cb78d69497f03d5869c00e9d426

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1588-127-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/1588-134-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1588-20-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/1588-19-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1588-18-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/1984-38-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1984-98-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1984-37-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1984-199-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4040-29-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4040-25-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4040-93-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4040-33-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4040-28-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4160-1-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4160-3-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4160-125-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4160-110-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4160-0-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4256-193-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4256-195-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4256-1542-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4392-136-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4392-24-0x0000000001A20000-0x0000000001A30000-memory.dmp

Filesize
64KB

Download
memory/4392-26-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4392-23-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4392-173-0x0000000001A20000-0x0000000001A30000-memory.dmp

Filesize
64KB

Download
memory/4416-1313-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4416-175-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download