Malware Analysis Report

2025-01-02 13:07

Sample ID: 240316-1kdnkach8t
Target: cf2452c68d6d3a3f8874bff32cc5f12e
SHA256: 2120a5a153d84f3a5509800ea3582e4224e8fddb6a1c878ad66719f6070f8e76
Tags: cybergate server persistence stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 2120a5a153d84f3a5509800ea3582e4224e8fddb6a1c878ad66719f6070f8e76
Threat Level: Known bad

The file cf2452c68d6d3a3f8874bff32cc5f12e was found to be: Known bad.

In the Windows 7 run (behavioral1) the sample copies itself to C:\Windows\SysWOW64\WinDir\Svchost.exe (the dropped file has the same MD5 and SHA256 as the submitted sample), registers that copy under the Run, Policies\Explorer\Run and Active Setup StubPath keys, writes into a second instance of itself and then into the Explorer.EXE shell process, and contacts www.server.com (52.8.126.80:80). In the Windows 10 run (behavioral2) the process list shows only the sample and two WerFault.exe instances and no signatures are listed, so the persistence and injection findings below all come from the Windows 7 run.

Malicious Activity Summary

Tags: cybergate server persistence stealer trojan upx

CyberGate, Rebhip
Adds policy Run key to start application
Modifies Installed Components in the registry
Loads dropped DLL
Executes dropped EXE
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-16 21:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-16 21:42
Reported: 2024-03-16 21:44
Platform: win7-20240220-en
Max time kernel: 146s
Max time network: 149s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I} C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A (2 processes)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
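The three persistence sections above all point one image, C:\Windows\system32\WinDir\Svchost.exe, at autostart locations (Run, Policies\Explorer\Run and an Active Setup StubPath). The following is an added example of how a triage script can turn registry-event rows of this shape into findings; it is not code from this report or from any vendor tool. It assumes the row format used on this page, treats System32 and SysWOW64 as the only legitimate parent directories of svchost.exe (WOW64 file system redirection maps a 32-bit process's "system32" writes to SysWOW64, which is why the registry says system32 while the file lands in SysWOW64), and its sample events are constructed to mirror the rows above with a shortened writer path.

```python
"""Flag suspicious autostart entries in sandbox registry events.

Added example, not part of the original report or any vendor tool.
SAMPLE_EVENTS are constructed to mirror the report's
'Set value (str) <key> = "<value>" <process>' rows.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Autostart locations the report shows being written (matched as
# case-insensitive substrings of the full key path).
AUTOSTART_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"\Microsoft\Active Setup\Installed Components",
)

# The only directories a genuine svchost.exe lives in.  On 64-bit Windows a
# 32-bit writer's "system32" is redirected to SysWOW64, so both are accepted;
# a subdirectory such as WinDir is not.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_SET_VALUE = re.compile(r'^Set value \(str\)\s+(?P<key>.+?)\s+=\s+"(?P<value>[^"]*)"')


@dataclass(frozen=True)
class Finding:
    key: str      # registry value(s) that were written
    image: str    # normalised image path the value points at
    reason: str


def image_path(value: str) -> str:
    """Unescape a registry-export string and keep only the image path
    (drops arguments such as the 'Restart' seen on the StubPath value)."""
    unescaped = value.replace("\\\\", "\\").strip()
    m = re.match(r"(.*?\.exe)(?:\s|$)", unescaped, re.IGNORECASE)
    return (m.group(1) if m else unescaped).lower()


def is_autostart(key: str) -> bool:
    k = key.lower()
    return any(a.lower() in k for a in AUTOSTART_KEYS)


def check_autostart_events(lines):
    """Return Findings for svchost.exe look-alikes and multi-key persistence."""
    findings = []
    keys_by_image = defaultdict(set)
    for line in lines:
        m = _SET_VALUE.match(line.strip())
        if not m or not is_autostart(m["key"]):
            continue
        image = image_path(m["value"])
        parent, _, basename = image.rpartition("\\")
        keys_by_image[image].add(m["key"])
        if basename == "svchost.exe" and parent not in LEGIT_SVCHOST_DIRS:
            findings.append(Finding(m["key"], image, "svchost.exe outside System32/SysWOW64"))
    # One image registered under several autostart keys at once is the
    # belt-and-braces pattern this sample shows (Run + Policies + StubPath).
    for image, keys in sorted(keys_by_image.items()):
        if len(keys) >= 2:
            findings.append(Finding("; ".join(sorted(keys)), image,
                                    f"registered in {len(keys)} autostart locations"))
    return findings


# Constructed events modelled on the rows above (writer path shortened).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    # Benign control: a Run entry for a real System32 binary.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" C:\Windows\System32\svchost.exe N/A',
    # Same value written under a key that is not an autostart location: ignored.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Example\LastPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
]

if __name__ == "__main__":
    for f in check_autostart_events(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.image}  <-  {f.key}")
```

Run against the constructed events it reports the three autostart values that point at the WinDir copy and a fourth finding that the same image is registered in three locations; the SecurityHealth control entry and the non-autostart write produce nothing.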

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A (2 events)
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A (2 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 3056 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe
PID 3056 wrote to memory of 1208 (52 events) N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe C:\Windows\Explorer.EXE

The first edge is the sample (PID 2304) writing into a second instance of its own image (PID 3056); together with the SetThreadContext signature in the overview this is the usual set-up for running the unpacked payload inside a fresh copy of itself. The second edge is that instance writing into Explorer.EXE (PID 1208), the desktop shell, which is also the process whose region memory/1208-24 appears under Files.
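Each WriteProcessMemory row in a report of this kind is a single call, so the useful view is the set of writer-to-target edges with counts, ordered into a chain. The following is an added example, not code from this report or from any tool, that aggregates rows in the report's format into that chain and flags hops where the target runs a different image than the writer. SAMPLE_ROWS are constructed, with a shortened sample path and smaller counts than the report.

```python
"""Collapse repeated WriteProcessMemory rows into an injection chain.

Added example, not part of the original report or any vendor tool.
SAMPLE_ROWS are constructed to follow the report's
'PID <src> wrote to memory of <dst> N/A <writer image> <target image>' rows.
"""
import re
from collections import Counter

_ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\S+\s+(?P<wimg>\S+)\s+(?P<timg>\S+)"
)


def aggregate_writes(rows):
    """Return ({(src, dst): count}, {pid: image}) from raw rows."""
    counts = Counter()
    images = {}
    for row in rows:
        m = _ROW.search(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += 1
        images.setdefault(src, m["wimg"])
        images.setdefault(dst, m["timg"])
    return dict(counts), images


def injection_chain(rows):
    """Order writer->target edges into hops and flag cross-image writes.

    A write into a process running the same image is the set-up for
    hollowing a fresh copy of oneself (pair it with SetThreadContext);
    a write into a different image, here the desktop shell, is the hop
    that actually plants code in a trusted process."""
    counts, images = aggregate_writes(rows)
    # Start from writers that were never themselves written to.
    targets = {dst for _, dst in counts}
    frontier = sorted({src for src, _ in counts} - targets)
    hops, seen = [], set()
    while frontier:
        nxt = []
        for src in frontier:
            for (s, d), n in sorted(counts.items()):
                if s != src or (s, d) in seen:
                    continue
                seen.add((s, d))
                hops.append({
                    "src": s, "dst": d, "writes": n,
                    "writer_image": images[s], "target_image": images[d],
                    "cross_image": images[s].lower() != images[d].lower(),
                })
                nxt.append(d)
        frontier = nxt
    return hops


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SHELL = r"C:\Windows\Explorer.EXE"
# Constructed: 3 writes sample->sample, then 4 writes sample->shell.
SAMPLE_ROWS = (
    [f"PID 2304 wrote to memory of 3056 N/A {SAMPLE} {SAMPLE}"] * 3
    + [f"PID 3056 wrote to memory of 1208 N/A {SAMPLE} {SHELL}"] * 4
)

if __name__ == "__main__":
    for h in injection_chain(SAMPLE_ROWS):
        kind = "cross-image" if h["cross_image"] else "same-image"
        print(f'{h["src"]} -> {h["dst"]} ({h["writes"]} writes, {kind}): {h["target_image"]}')
```

On the constructed rows the chain is 2304 -> 3056 (same image, 3 writes) followed by 3056 -> 1208 (Explorer.EXE, 4 writes); the second hop is the one to escalate on, because that is where the sample's code ends up inside a process that outlives it.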

Processes (image path, followed by its command line where one was recorded)

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"
C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe
C:\Windows\SysWOW64\explorer.exe
    explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe
    "C:\Windows\system32\WinDir\Svchost.exe"
C:\Windows\SysWOW64\WinDir\Svchost.exe

The dropped copy is launched as C:\Windows\system32\WinDir\Svchost.exe but runs from C:\Windows\SysWOW64\WinDir\. The sample is a 32-bit process on a 64-bit system (its registry writes land under Wow6432Node), so WOW64 file system redirection maps its system32 paths to SysWOW64; the same redirection is why the registry values point at system32 while the file is created in SysWOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (13 connections)

Files

memory/3056-2-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-6-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-7-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-9-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-11-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-13-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3056-17-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-18-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-19-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3056-20-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1208-24-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/1300-267-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1300-269-0x0000000000120000-0x0000000000121000-memory.dmp

memory/1300-557-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Windows\SysWOW64\WinDir\Svchost.exe (same MD5 and SHA256 as the submitted sample: a straight copy of the sample, not a separately dropped payload)

MD5 cf2452c68d6d3a3f8874bff32cc5f12e
SHA1 470655d11928ac81960deccdc803f392804b6579
SHA256 2120a5a153d84f3a5509800ea3582e4224e8fddb6a1c878ad66719f6070f8e76
SHA512 9f97ae996d8f8f664d4c2d8b65a1e01a8463dd17fa124122c20355f3f041adf88b1e35cbacde7b8c2128118776b728e474f2479e6bb3af471a9ff0e9e58102b9

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 a8141b0534595331e77efd78ebe7a632
SHA1 34941ef4381df78046737f65fe82cf413aa065e4
SHA256 0e2dd4847066ff6f21c263461e8035694578822b594f32161d964f7580800767
SHA512 fb547ad215019be6ea634277126b7b1ea886e0c07c20bde191716b1039e0c88466d6f88d9140800a5dd805c08c434dad8f9bf8b886acc8c0041f8ade71e6eefc

memory/3056-863-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2328-864-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/600-906-0x0000000000400000-0x0000000000451000-memory.dmp

memory/600-909-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1300-910-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7 (18 entries follow for this path, each with different hashes: successive versions of one file)

MD5 7391cf6078014710e04c1594bc211963
SHA1 2c7c25ae9395c49e2a8a1b2cea88486ef3d7d42a
SHA256 4ec747af27055a04e755e266af3fef40cd532c8e2de3dc605af24c9563e907dc
SHA512 567ea62ed227c6bafcd7b38497b37cd7e4eec233dfa1c6240588e3e2d70afc7c7efccfa5cc83e334031d3a1581cefd9039deef7918b8b0f1c3019c033b91b4d9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9fa48d4f49478476ddc0c9c02e2f00eb
SHA1 e6d28df0dbaf1f660fc3f83c9a33e521a6384d7f
SHA256 db94fa15fdd120570a5b7da70535f9de97b84cfce84424cfef74ccbaf12de465
SHA512 501ad105f922469a9b80c43fb1548fef0dd136cde051d931a62f5b719211e5265ec848d1e0e140ff57f200c4f32ac0a22e59dcb8bc1eaa92c956edf2a26b4a68

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 433de8021026298dfc0d44e48a11d457
SHA1 2019ed458b1bbbc258d72bd217e48d3eb324acb1
SHA256 a7eb59b80701b43f464475b1be7f1ec2216c01cb2fef5ef2ade79f4e6859177e
SHA512 c771e8c68d6b3b70a1aea7824461c723dd49393e4d778d2bd9f6e7eb16e95f1596025491b5bb135332ab59bab56f42736efe0459e466ed92edf71bd7818aa2fa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 69685605c1c3e4ea50e775cb3029d341
SHA1 5968fabef1a0539a8867026b9ffb27d8effe1854
SHA256 d7ef12919bc6400e72b2b45a98b99fd96447712207f698fa07b03e2f14a0f66f
SHA512 9bef6ddd1c4b8eaf761b971cb3262a9275b24ae4afed532ccdbda3e726abd37e69fbc8a273a2469f8fe382799f5f987211c3630cb2ed3d0ff237833f15ddd26c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 a84eeee76dc833936c7e178ce8f5b244
SHA1 3dc23139b35e952f659262defe3f5ae35d554b2b
SHA256 9768315bfac445b141bde18abc3a952bebf662a5e1ac3168958464c612e86990
SHA512 521deefd2eda7a6b51fd8340a50239e4d67bbedd83ca587591f3b54a48dbc19615cbfea04f762e27c561d34c59c619ec2282c29b238a848a02a3062d104eeeda

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2b04e45493e3bb0d4640fb810ee0baa5
SHA1 5839b8e3270efce96f04b8a39bb26f5e4f79a0ba
SHA256 f1fe702b22391f4323a585d4409db99e6a817a9e1889eb13147172d323b9a83b
SHA512 5d7f89c11e7c330408361a12d698b13f4b0129bf34f7481a8277bc4209a8233ac73faf282551dfa23ad2f6a7b0c19c86b0c3b490671a8a1565a2656b59c6350e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5c98c07022a980414fc1e82e6523f6b2
SHA1 440a51d536f925ad81cbdc13fdff8d6dda967814
SHA256 2e443b96e9d8eb19d1f4c6c2af88dcb3f3c7d2c73945fa9ea049bc71319147c3
SHA512 e22e5276524f7d6dd0c73e681952775bedcbb5f4508318332d3ae890e4221280d066b881489fabf69afdfb4c694493e1fbdc5cc63b797373cdaa9ecde8a2bcfa

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 fe0b8d7eddb553dceb4473539968aa27
SHA1 571bf7d7a7e1ae07e914868f30d3e13be775fc03
SHA256 caee90263170f9be249bffed2ee55bcc78e92be9d310b0d4cc91c4b00a21c63b
SHA512 27fb9fff7af075771079ad573a3f57cc1357b6aa908c04690a92a07a36c0dd199c357d73aea71fd99d27a75df29d717bac0517888cf4c12840c8fe93eeaa363b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f8c68eeebcf856f23d726f5246e95686
SHA1 034b21bcd45366a46b1bc1c02b15dcc99276378a
SHA256 26a4fe5b14cf6eac3b6eab26759e38901a4635adbb2cbb7fd428e06c22f0db3a
SHA512 2e3eb1153db0d830756491aefbb57b17a7f7c8fc1ded894fdebe64f8fbe78ed94b188db2bde16486ac4d7bdf5e4f264d1eac52878c6f93de24591886d69fde0b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2617f97971625b6d854ded8c2fdb84ff
SHA1 fc415b557411f1ce53622b606e454cc982ce3f8f
SHA256 5d11cd9750b669237c4cc1c822fe69c38ac34c2b8de0a39e8f61057c2b52bfb0
SHA512 86a8e0c865cf57cc1e943ad9b81229e2f3cbeb1e59f9ae5e60420c80843b98653028793c5eefc55ab999c41db7deaca2be98e9dc8bef1886c2f803809989df7f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b43c09e8784fe8f497cdbc0c63d9e4a6
SHA1 909ce77cdfbc12279de9f092d62e36311bd7b568
SHA256 054b29456858d279baece78cd9c1bc6335dcfb8905e7b7448c88c07e904208e0
SHA512 4c7dbf8a902a0372a16429a44b880b21393b1816bc602cf0b647396acf77fb1606880bd2a5f709cce4a03628c42d78fe1231fb4b5337a85aebc29d2ebe651578

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 694a586d7746273bf15f72bd0f53ce20
SHA1 8b165887cb035c481a46a761d1fe299542ccfac0
SHA256 7110f391cb08ae1c37f986775989897b9aae46a4597b81c9fd5c72e3345f228f
SHA512 5be3c1f2755888fe0e41c05ae0403cb5aec5ede3b1c26e6d1ecae1ee1c8535a8dfd53ce05477af140f3c7e675f135437a1edaa7429d40c7e42ed1bda2909b917

memory/2328-1503-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 91228662493cfd1b6377008efdedff7a
SHA1 299334c95cf0dd1cf04254c1947dd162b6384bdd
SHA256 a3d02c7e494ad10821bb930c4513f93bf3958f792ebab1af08099f1e91115b53
SHA512 f5d934c5c14b38242c92f8af1094e4f013f9ac4b4e236cd748ccec5f0a49f0e92635a1216c9d72aea87e5aa21918370802102b6feb7b6f2e3c1b680030c163a4

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 79584a6306eca7853f8665dba809b49a
SHA1 12fe61f6693d493f6b7d389a12e0fa67a978e34a
SHA256 48b146b724be37d228290c190334c4bddedc09aecd7397a870eb6cfb51408420
SHA512 7debd7b00e43018569a1a0a9dcf0d70f8dde877cb2d68c54e6c98f4ae1fad1d49b37d44a161de330d20648c3d496468d55225792850c96e86611e7c45eb3bd29

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 8ac034d61a6e330948fd26ec1db04388
SHA1 5b028e43ecb5fa343ad100dfeac250e0f6788788
SHA256 11eb0a1151e33ba14f9fef17d44834ce0c835724a2adb0acbd2be79524100e71
SHA512 2c110ebae1626121b3683f44fc0f0e2ea399ee8250e87ed8e56f0211a0931b6b99a62c7345b947e0283dcedf480f0f03b9c11f5a205a7dc41e6bba9fc1706d7c

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4f8e23ac2fb9ee3fbd83003bccfde079
SHA1 1f9aa91d943976e491039dd308542e19c049f79c
SHA256 56814756e4cf9adfc5ff5e9c71d5876f58e16bd7aa1837e724f0e35f7f188813
SHA512 b89dd52a667eaec83f5c63820587744cd24ef9ad964f72ba9c77520af6449f34a650f0707a2e421be14cac64f5057254cb15d249862b0a9fe32069b8d2cc32da

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f19256e4ba18d47075d7ba7537fa8990
SHA1 dff3bce291da9ad2dec651904439f21790cdf017
SHA256 f71fefd41f63f78d7c2e0c8d24c5e08c404aabc3ca7ae49ecd8ad5873a3dd582
SHA512 6f4cbcc95aac903ecc44217bc24d58d5043802d73bd0a873e1e361fdcbb4af158e964f0d1fc3994f5329e13c92ad2ab57de155a82f6367acd9e9bed75be2f768

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ccb1c82c2cd8fd729d4cf00d03528fe1
SHA1 12726b7da0f0e16f5ad1b82745e68501edae318a
SHA256 980bef65df69a7697f6c2750d9b5982c5287f5627c1b6b947af94f30f7ccdea4
SHA512 98f5ebbaa2653411c790825892868cf2112ead1ad7c56fe3a6728b9b165fa4569a963a6672a3df878e4690b6f64fcd80efcc5c48b4a82be7e101ab75ab1cfa1a

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-16 21:42
Reported: 2024-03-16 21:44
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"

Signatures

None listed for this run.

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 668 -ip 668
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 192

The two WerFault.exe instances are Windows Error Reporting handling a crash of PID 668 (the -p argument); the sample did not reach its persistence or injection stages on Windows 10, which matches the Program crash signature in the overview. The network entries below (reverse lookups and tse1.mm.bing.net) are consistent with Windows 10 background activity rather than traffic from the sample.

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.175.16.69.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 90.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 88.221.135.90:80 tcp

Files

N/A