Analysis Overview
SHA256
52ce9cc373bec4f16a17d1c84bfda66b22e245c186d03022da08170f83552582
Threat Level: Known bad
The file cdf6aebe5de273b6f5d54ee844b3eaa8 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Modifies Installed Components in the registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-16 11:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 11:36
Reported
2024-03-16 11:38
Platform
win7-20231129-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe | "C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe" |
| C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe" |
| C:\Windows\SysWOW64\WinDir\Svchost.exe | "C:\Windows\system32\WinDir\Svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
C:\Users\Admin\AppData\Roaming\Adminlog.dat
C:\Users\Admin\AppData\Local\Temp\Admin7
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 11:36
Reported
2024-03-16 11:39
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinDir\Svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WinDir\ | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WinDir\Svchost.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe | "C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe" |
| C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe" |
| C:\Windows\SysWOW64\WinDir\Svchost.exe | "C:\Windows\system32\WinDir\Svchost.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3244 -ip 3244 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 584 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp3548.tmp.exe
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
C:\Users\Admin\AppData\Roaming\Adminlog.dat
C:\Users\Admin\AppData\Local\Temp\Admin7