Malware Analysis Report

2025-01-02 13:10

Sample ID 240317-hacpeagc73
Target d02b1f3b2bbd7811f856a16408181d93
SHA256 cef7fd0e894d28b258a4de8a060074233b43dd946d24c09a1a8e9e8bc5d39425
Tags
cybergate new3 persistence stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cef7fd0e894d28b258a4de8a060074233b43dd946d24c09a1a8e9e8bc5d39425

Threat Level: Known bad

The file d02b1f3b2bbd7811f856a16408181d93 was found to be: Known bad.

Malicious Activity Summary

cybergate new3 persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 06:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 06:31

Reported

2024-03-17 06:34

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\msn\\msnplus.exe" C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\msn\\msnplus.exe" C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q55665CR-K67J-6VLI-I0CN-7MT713USDN3Y} C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q55665CR-K67J-6VLI-I0CN-7MT713USDN3Y}\StubPath = "C:\\Windows\\msn\\msnplus.exe Restart" C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q55665CR-K67J-6VLI-I0CN-7MT713USDN3Y} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q55665CR-K67J-6VLI-I0CN-7MT713USDN3Y}\StubPath = "C:\\Windows\\msn\\msnplus.exe" C:\Windows\SysWOW64\explorer.exe N/A
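The two persistence mechanisms above deserve a closer look. Policies\Explorer\Run is an autostart location that legitimate installers almost never write, and the Active Setup key name {Q55665CR-K67J-6VLI-I0CN-7MT713USDN3Y} is not a valid GUID (it contains characters outside 0-9 and A-F), which makes it a cheap tell for this sample's registry artefacts. The Python below is an added example, not code from the sandbox or from this report: it parses "Set value" indicator lines in the format shown above (the three malicious lines are copied from the tables; the two benign lines are constructed negative controls) and flags Policies\Explorer\Run values, Active Setup StubPath entries with a malformed GUID, and Run or StubPath targets outside the usual system and Program Files directories. The trusted-directory list and the assumption that the target command line starts with a path ending in .exe are mine.

```python
import re

# "Set value" indicator lines in the sandbox's own format. The first three are
# copied from the behavioral1 signature tables above; the last two are
# constructed benign entries used as negative controls.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\msn\\msnplus.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\msn\\msnplus.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q55665CR-K67J-6VLI-I0CN-7MT713USDN3Y}\StubPath = "C:\\Windows\\msn\\msnplus.exe Restart"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\StubPath = "C:\\Windows\\system32\\unregmp2.exe /ShowWMP"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-1-1-1000\Software\Vendor\App\LastRun = "1"',
]

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
POLICY_RUN_RE = re.compile(r'\\Policies\\Explorer\\Run$', re.I)
ACTIVE_SETUP_RE = re.compile(r'\\Active Setup\\Installed Components\\(?P<guid>\{[^\\]+\})$', re.I)

# Directories a legitimate StubPath or Run target is normally launched from
# (my assumption, tune per estate). C:\Windows\msn\ is not a Windows directory.
TRUSTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
                'c:\\program files\\', 'c:\\program files (x86)\\')


def unescape(data):
    """Collapse the doubled backslashes the sandbox prints inside string values."""
    return data.replace('\\\\', '\\')


def exe_from_command(cmd):
    """Executable part of a command line; assumes the target path ends in .exe."""
    m = re.match(r'"?(?P<exe>.+?\.exe)', cmd, re.I)
    return (m.group('exe') if m else cmd).lower()


def in_trusted_dir(exe):
    return exe.startswith(TRUSTED_DIRS)


def analyze(events):
    """Return one finding per suspicious registry write, with the reasons it fired."""
    findings = []
    for line in events:
        m = SET_VALUE_RE.match(line)
        if not m:
            continue
        key, name, data = m['key'], m['name'], unescape(m['data'])
        reasons = []
        if POLICY_RUN_RE.search(key):
            # Policies\Explorer\Run is an autostart location installers almost
            # never write; any new value is worth review (ATT&CK T1547.001).
            reasons.append('policies-explorer-run')
            if not in_trusted_dir(exe_from_command(data)):
                reasons.append('untrusted-path')
        else:
            asm = ACTIVE_SETUP_RE.search(key)
            if asm and name.lower() == 'stubpath':
                # Active Setup StubPath runs once per user at logon (T1547.014).
                if not GUID_RE.match(asm['guid']):
                    reasons.append('invalid-guid')
                if not in_trusted_dir(exe_from_command(data)):
                    reasons.append('untrusted-path')
        if reasons:
            findings.append({'key': key, 'name': name, 'data': data, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(', '.join(f['reasons']), '|', f['key'] + '\\' + f['name'], '=', f['data'])
```

Run against the five lines, the three writes from this sample fire (the Run values for an untrusted path, the StubPath for both the bad GUID and the path) and the two benign lines stay silent. The same parser works on any Triage-style "Set value" export; only the trusted-directory list needs adjusting.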

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\msn\msnplus.exe N/A (4 executions)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 matches)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2844 set thread context of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe
PID 1920 set thread context of 2008 N/A C:\Windows\msn\msnplus.exe C:\Windows\msn\msnplus.exe
PID 1644 set thread context of 1968 N/A C:\Windows\msn\msnplus.exe C:\Windows\msn\msnplus.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msn\msnplus.exe C:\Windows\msn\msnplus.exe N/A
File opened for modification C:\Windows\msn\msnplus.exe C:\Windows\msn\msnplus.exe N/A
File created C:\Windows\msn\msnplus.exe C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
File opened for modification C:\Windows\msn\msnplus.exe C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe N/A
N/A N/A C:\Windows\msn\msnplus.exe N/A
N/A N/A C:\Windows\msn\msnplus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 2308 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe
PID 2308 wrote to memory of 1276 (50 events) N/A C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe C:\Windows\Explorer.EXE
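The SetThreadContext and WriteProcessMemory tables above, read together, describe the injection chain: the submitted sample (PID 2844) writes into a second copy of itself (PID 2308) and resets that copy's thread context, and the copy then writes into the desktop Explorer.EXE (PID 1276); the two msnplus.exe pairs (1920/2008 and 1644/1968) repeat the first step from the dropped copy. The Python below is an added example and not part of the report: it reconstructs those edges from indicator lines in the sandbox's own format (the lines are reproduced from the tables, with the 14 and 50 repeated write rows regenerated in code), classifies each edge, and walks the chain from every PID that is never itself a target. It assumes image paths contain no spaces, which holds for every line here.

```python
import re
from collections import defaultdict

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe'
DROPPED = r'C:\Windows\msn\msnplus.exe'
EXPLORER = r'C:\Windows\Explorer.EXE'

# Indicator lines in the sandbox's "PID <src> <action> <dst> N/A <src image> <dst image>"
# format, reproduced from the behavioral1 tables above. The WriteProcessMemory
# table lists 14 writes from 2844 to 2308 and 50 from 2308 to 1276.
EVENTS = (
    [f'PID 2844 set thread context of 2308 N/A {SAMPLE} {SAMPLE}',
     f'PID 1920 set thread context of 2008 N/A {DROPPED} {DROPPED}',
     f'PID 1644 set thread context of 1968 N/A {DROPPED} {DROPPED}']
    + [f'PID 2844 wrote to memory of 2308 N/A {SAMPLE} {SAMPLE}'] * 14
    + [f'PID 2308 wrote to memory of 1276 N/A {SAMPLE} {EXPLORER}'] * 50
)

# Assumes image paths contain no spaces, which is true for every line in this report.
EVENT_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+) '
    r'N/A (?P<src_image>\S+) (?P<dst_image>\S+)$'
)


def build_edges(lines):
    """Aggregate per (src PID, dst PID): write count, SetThreadContext seen, images."""
    edges = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        key = (int(m['src']), int(m['dst']))
        e = edges.setdefault(key, {'writes': 0, 'set_context': False,
                                   'src_image': m['src_image'], 'dst_image': m['dst_image']})
        if m['action'].startswith('wrote'):
            e['writes'] += 1
        else:
            e['set_context'] = True
    return edges


def classify(edge):
    same_image = edge['src_image'].lower() == edge['dst_image'].lower()
    if edge['set_context'] and edge['writes'] and same_image:
        # Writes into a child running the same image, then SetThreadContext:
        # the RunPE / process-hollowing pattern (ATT&CK T1055.012).
        return 'hollowing-same-image'
    if edge['set_context']:
        # Context reset with no write recorded in the table; the payload write
        # may have gone through a call the sandbox does not log.
        return 'thread-context-hijack'
    if edge['writes']:
        # Memory writes into an unrelated process (here Explorer.EXE) with no
        # context change: cross-process injection (T1055).
        return 'cross-process-write'
    return 'unclassified'


def injection_chains(edges):
    """Follow src->dst edges from every PID that is never a target; returns PID paths."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    roots = sorted(p for p in children if p not in targets)
    chains = []

    def walk(pid, path):
        nxt = sorted(children.get(pid, []))
        if not nxt:
            chains.append(path)
        for c in nxt:
            walk(c, path + [c])

    for r in roots:
        walk(r, [r])
    return chains


def summarize(lines):
    edges = build_edges(lines)
    return {k: dict(e, kind=classify(e)) for k, e in edges.items()}, injection_chains(edges)


if __name__ == '__main__':
    edges, chains = summarize(EVENTS)
    for (src, dst), e in sorted(edges.items()):
        print(f'{src} -> {dst}: {e["kind"]} ({e["writes"]} writes, target {e["dst_image"]})')
    for chain in chains:
        print(' -> '.join(map(str, chain)))
```

The output for this report is one three-hop chain (2844 -> 2308 -> 1276) and two two-hop chains from the dropped copy. The Explorer.EXE hop is the one to pivot on in EDR telemetry: the 50 writes into PID 1276 come from a process that was itself hollowed, so the parent of any later activity out of Explorer is not the sample's own image.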

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe "C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe"
C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe "C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe"
C:\Windows\SysWOW64\explorer.exe explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe "C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe"
C:\Windows\msn\msnplus.exe "C:\Windows\msn\msnplus.exe"
C:\Windows\msn\msnplus.exe "C:\Windows\msn\msnplus.exe"
C:\Windows\msn\msnplus.exe "C:\Windows\msn\msnplus.exe"
C:\Windows\msn\msnplus.exe "C:\Windows\msn\msnplus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp (12 connections)

Files

memory/2844-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2308-4-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2844-6-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2308-5-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2308-7-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2308-8-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1276-12-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/2068-255-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2068-257-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2068-542-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 2bb9398ea1f34cf13535fd73ce6a1910
SHA1 416f3f327b6955350f98f934687364027ea2513c
SHA256 9914a7a734197b025cc793a763ea784cda1db6b05046af0dfa150e45c86396d8
SHA512 05b3349b08de86c0ad2630bdc11927056fe9e5da13ee8edb03e201fb28a9f08faaceed21113f765c75df02147250514635f131f56f69a8fb1ed943e74e0a63aa

C:\Windows\msn\msnplus.exe

MD5 d02b1f3b2bbd7811f856a16408181d93
SHA1 9ba2253e2ffd3e006c2c619c522e46e6c65929c2
SHA256 cef7fd0e894d28b258a4de8a060074233b43dd946d24c09a1a8e9e8bc5d39425
SHA512 8c83c204ae74809bc17056c6cd26da321fc288621994121c31364d518e95be31ab9def6a46735c3500a4087e0ca0f132c0feeca741ae4815b8e11c8ed7e7000d

memory/816-560-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2308-592-0x0000000000400000-0x000000000044F000-memory.dmp

memory/816-842-0x0000000010560000-0x00000000105C5000-memory.dmp

\Windows\msn\msnplus.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

The drive-less msnplus.exe entry above carries the hashes of zero-length input (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442...): it is a snapshot taken before any content was written, not a second variant. The populated C:\Windows\msn\msnplus.exe has exactly the hashes of the submitted sample, so the "dropped" file is a byte-for-byte self-copy into C:\Windows\msn\.

memory/2068-844-0x0000000010480000-0x00000000104E5000-memory.dmp

memory/2308-852-0x0000000000520000-0x0000000000531000-memory.dmp

memory/1920-857-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2308-856-0x0000000000400000-0x000000000044F000-memory.dmp

memory/816-866-0x0000000004930000-0x0000000004941000-memory.dmp

C:\adoKit.dll

MD5 50adba6e845805947062bfb0c7321061
SHA1 9bf7efe5f3b01548a6d7e560202597af513f3cfc
SHA256 459faf2eba6769034054b25dbfa7d254d2141e10245ab9de74764f205fa3abfc
SHA512 ce84b86b4c7e9f75ea50d574a58a6df5ac699d2cb088c28087c671b2fcc3495b7bbe6afe27777a0600fff035bb8a4cf116d86a6b2ea5f7d328374a0380872007

memory/2008-880-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1920-879-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1968-881-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1644-883-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2008-886-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1968-889-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 da667ad7d56be5c47b08fe058dfea04c
SHA1 278e1074c4d21375c21f2cae0f0f2a1e3f3990da
SHA256 b8d36aed5db673cf28df03c9cefabd583ce3453831cac7d9a8511c3abbcb82c0
SHA512 16ee07ea080f6ed137b1f27e185a05ae8025f6de445c1aad6499b8bc1bd1d2225d687709fcb75b7dd5981e8067598ce9832a7ed111c4c4dbde9e8a5315445ea3

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 63a1b91f4617a20253fa2a1ade92bf5d
SHA1 6129d401798cdf8edb268f34fc08663e5725fa48
SHA256 3aa9f96f1a517cead06c9c432262dca24f302c6396b71b36b45d17f2dda15608
SHA512 35eb8d4aed13bb6ff4b80232779de9fc8d28eec0005003e84750b913096211bae608b7539d5a87e53233d14ba33c97cf41106197f9e1f037e5525fde40a60e11

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 56271e2a91f0b367dc5e98e6e34b23fb
SHA1 ab3fad274a1e601e38d3d9b28e6f0c7eb2afa2a4
SHA256 ec829bca579807706b3229486e553a7981be1386f489fc183cb57ee41a4b8580
SHA512 b1199b74d10af5676d02febd3fe5be8bb874133c05594a3197a5d1378d8dc48119781d6af48335f88c5e21c27ea5e2bc99ff32704b77a67f218d42af12d43816

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ae021f5ce4e245e061477362a82d50ed
SHA1 89171b7d42f63fa94bf3ba850ab121fa97d868c6
SHA256 c070b615f5e3dfc114c2d6eb01c6598c94e0a39a069a8d45186375f547ed8dd5
SHA512 185bbeaf9367b964d132a21901554201912d513742cc82068a062e79e9af5147fda8faab53939589b7321bc77859b6ad86c7aa529bd5240b10bbd50971bf0465

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f69b8dd05d01d71a924032193ba8c2f7
SHA1 70c404b4cf74e6bced6f12574ec30894a1b74252
SHA256 9b165db52f18207183c6982f8576fab5146532b33eaa1a417762df3359320c64
SHA512 69da4b34e0024a4fc67135a85e7f9c006c486e452d7fbc61b3f78faec5440671cfda1d15afd4e005e9cb465ffbebb5a9630cb29ddaf088648d62b13296fc1a15

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dd8c3d570e97b4c47da8b06739e583a0
SHA1 12aa8f8b022bbcd0410bdae4c6f4e5f32890713d
SHA256 7b071992c25121f4af2ae4b82b1f319750a556c65b8ed8a423410417415fa54e
SHA512 927ded7d1d62729d543a4d7b2d4da3c16237b804f7d2f5d72e46881566c7bd2290e3d296f0d12f86522fa577d2c811c10258e5f280e1608634d0ff1d85ec0a3a

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5d8b4b5de8149328b7923e2c731e8c74
SHA1 e5967670c3e513206dc22cb4e82bcffd8f6e7efa
SHA256 a18aea21dc2bd56191eb3c1c475c877938a17f8e1bb952f148747881d01efd61
SHA512 f9c9d8742f76511ad7b8d01b9645db7d8598cae40262271d58ae010a1a59b15b65edf5f049e1bbe67aab6042e088b191e6bd50a6e48251b2e5b83d0c30121c77

memory/816-1302-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 f1c008edec31001cbd56c369f30e621f
SHA1 64a88da41ddf391c836a08a741fb205bf3d1636a
SHA256 156ed6c9c5ba4fef76b9ae6758f086f669a06f6f2513ab161e60999e24a1cec0
SHA512 19dde7d2c556cc0dc198f2aeccb408df8ec4c2ff3a35e95f9b305084e31e88879b2caa9773d6e707ce8cbfe4475bb4c3365bae1441d206bf08e847bab06f29d5

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0c82a4d5a080f4d726e4f5665f1b1f2a
SHA1 30d3acfd3551c4e01f1996ee852ead1698b111a2
SHA256 561ce0d4931f00acdb5813853be3b9ba895ef4a245b2b3be4340f8df9769dd9c
SHA512 703741651c293ea206b80a6db31fc6fea241c857023c46ba96cd8c8b80ff43c0ffc660d883baef3c9aa468bbbcd2b0ab00fbcdf7987e2a465d741b6b0bbf11ad

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ddc985c19e26489e5dd2dbed9f7981b4
SHA1 0bab6ebd68b90e87f12308d2ee0a542b20a044ce
SHA256 d05e42f9354373e9eafe5590eb11f17a2d081dedfe113d481080480368152058
SHA512 82ffb6b80f04c80f97701746dbcecd796d6db8c1dd98d5e90f5b7176253865acecd47d1a8da6acb27145113b906d09e3bf03791710ffb7c946e8ca5676122db6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 937cc74f62e01788dc69f9daf3304869
SHA1 d01513ff95eaee87b628622a70af1ea3ce159c9b
SHA256 6de11cd768df9c834ee4bd7efdb7eac7ad2a5d81da53011a9a1c47fcffc79b09
SHA512 dab6174b7fdc63eeb2fa7494604473657029e734851966d75b092a9ef47c4c8467e2cc92e332327cd9168eb232ff58bb85ed4dbc2aab04b8ed56cc38ade49c28

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b6490ee0c537e97b510c0b3e7b572b0a
SHA1 71589806814de840d1ccdd53d66e465d4864074a
SHA256 8a554fceeea5d5e539332c9a8dea6db3ecb8b5e2f029c59d9d3ab2b6085b2aa4
SHA512 cb02d30fbe8769071e4dbacebdd6b54858431b8f3a0df1fd62646cb68f1fcdf3a799310e4bf76546933eed5c336f4aab9a0485ddd095eba91f40de7ab544b837

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4dc8a9a36915314405fc2bb199ef5a9b
SHA1 750cabb6a4a7535ebd749436b8f08bc8783f563c
SHA256 fd5128d12fa2343c61ecdf0abda361e9310ba3c0dd1cca6501dcc31dc3c31420
SHA512 46b94e9853ca55f715d1a9be7d5882d9314471da2719b16d51e891aa9cb0136772073db9389399a2ddf1f9fdf840a7a7479c15a7f52202dcdc1efef8ec5acbad

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e0c3957ed384b077115278961eaf8cdf
SHA1 2521d47614537b23c9b138c825541fbfaf4da66d
SHA256 25437a6988b2afe11a03658d1f3a1803c95cf3bfe3ee28953ea6fb464bbf25c2
SHA512 e6adb57488fa8cc38da0a43cb4a46d2215d20e1b3dff008a388b18eac4539e852b1ff89f1cf61b49d65b93232df977b623e7074895dc57b35ef01992c996438e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 63deb94c9ce1ce007081e2e807cf7ecf
SHA1 6956f635509c3d4832204c6e8e7f0e65dc54bce2
SHA256 bdeff11beb285cce26f92f66213f32094182487724c84ed0389db9d2656e4522
SHA512 6f6c3a4c944a706e90f200cb18ef28ac38d72fbbee800471649c6b435c4e23d4c10f895be43b1d9b0978c5035ab011fd9b39ccbec8dd341fcd41d272883725c9

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 ac9168226cf2bbed047c4bd4dffe23f5
SHA1 2e1a57404b8ba4acbdff45e813e4d7a571336686
SHA256 cd76319d036e30fd37decf157da0ba605606baf334968b94196f068ecaee2ad3
SHA512 d1acf62547ef699b74ebfa7100db95836192f2987857923460eec95404ec348b5e07728fd2411957e68aba12ad3960f9fa6e5d05ec3824d3a9d24593fadef0f7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d4ad1d8754ecf20a1d621c30cf2d9d40
SHA1 d0ddee02724b2aff1e4ef5229064804f0790b915
SHA256 025cc68fd9beef4e6621e3bd4e76b0c17010815223bf55f076362f93d3149222
SHA512 30b748b8704e7526e7544abc41cb33a9ee34718dd9a1dc4225c7c0b2971fccb8e5682b3c0d9ca16e1e6fddfd0c4632e91cf3ee2930a423a120a8dc0a3b2fbdab

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 0b99bbdc2d55125f0befecae1731435d
SHA1 c5544ddc25d08e5e0e7d42b55acc7bf6b9674da4
SHA256 04c34d0d27dffbf588b40841e4fa29c94c98fa6dff69b6f8a9340e5873624150
SHA512 5a9dbe0df588f6e27dcbd0c56042543c095128f94e8706b16b1f13597294974f0ec8bb6f205b4bf46783536878952c01daf1451fffab94960c2b21940a5fb480

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 054efcfa89176499a2b6fe73ab1871fc
SHA1 09d6ff3984795b82e6ee262668b8680b051aad66
SHA256 40450a94a99020a54b9f4d68434b2ad3492bf73c9132851443fe34e7a5bbd06b
SHA512 b6a89eda4a68e78dab7349ba7772af0132e714a3a3de5ae51c389b273cef5a9b7451a8cc8ef6a1d8a6ac9a6f3d005ece7935845e7ade298d3b2a30d516577c14

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2a77101a73bbc421107c28ec1c533c99
SHA1 031b2c0424ca0404a4a2a611eabcbbff78a7d840
SHA256 19cb0e9af55c124c1d86f8cac6194a8b34758f4830a732cf6bf0304901e3ef57
SHA512 f1fca4dc2434f5e96ee2218b07d488c7fda3ad5293f3586168cd65745ff6352c4defdeaeb05c9232ac68b0d6eef9560a7f670c4147d15a674cb9a664d53b5e52

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 259e201ad750145a91a01bf97e6e2bdb
SHA1 5cd789fdb86e0750ba733f35041fa67f35cfbc38
SHA256 a36e46979809fc6b02d61b29de9bad04beda0c23af052bc748c48216efa22892
SHA512 bb9cd83655b3c0b148769dd2e0ab6569de0953c4ebbd79d128804594dd779293333ed20a7324511c8b2d7423c9aeb3c6d29cd501978c9b297b431a67a9c332f2
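Three things in this file list matter for triage: one msnplus.exe entry carries the hashes of zero-length input (a snapshot before the file was written), the other has exactly the hashes of the submitted sample (a byte-for-byte self-copy), and Admin7 in the user's Temp directory reappears with a different hash every time it is captured. The Python below is an added example, not tooling from the sandbox: it computes the empty-input hashes with hashlib rather than hard-coding them, folds drive-less paths onto their C: equivalents (an assumption that holds on this image), and tags entries as empty snapshots, self-copies, or repeatedly rewritten files. The input is a constructed subset of the list above; only three of the twenty-one Admin7 entries are included.

```python
import hashlib
from collections import defaultdict

# Hashes of zero-length input. Any dropped file reporting these was captured
# before anything was written to it and says nothing about its final content.
EMPTY = {
    'md5': hashlib.md5(b'').hexdigest(),
    'sha256': hashlib.sha256(b'').hexdigest(),
}

SAMPLE_SHA256 = 'cef7fd0e894d28b258a4de8a060074233b43dd946d24c09a1a8e9e8bc5d39425'

# (path, md5, sha256) tuples copied from the behavioral1 Files list above; a
# constructed subset, with three of the 21 Admin7 entries.
FILES = [
    (r'C:\Users\Admin\AppData\Local\Temp\Admin2.txt',
     '2bb9398ea1f34cf13535fd73ce6a1910',
     '9914a7a734197b025cc793a763ea784cda1db6b05046af0dfa150e45c86396d8'),
    (r'C:\Windows\msn\msnplus.exe',
     'd02b1f3b2bbd7811f856a16408181d93',
     'cef7fd0e894d28b258a4de8a060074233b43dd946d24c09a1a8e9e8bc5d39425'),
    (r'\Windows\msn\msnplus.exe',
     'd41d8cd98f00b204e9800998ecf8427e',
     'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'),
    (r'C:\adoKit.dll',
     '50adba6e845805947062bfb0c7321061',
     '459faf2eba6769034054b25dbfa7d254d2141e10245ab9de74764f205fa3abfc'),
    (r'C:\Users\Admin\AppData\Local\Temp\Admin7',
     'da667ad7d56be5c47b08fe058dfea04c',
     'b8d36aed5db673cf28df03c9cefabd583ce3453831cac7d9a8511c3abbcb82c0'),
    (r'C:\Users\Admin\AppData\Local\Temp\Admin7',
     '63a1b91f4617a20253fa2a1ade92bf5d',
     '3aa9f96f1a517cead06c9c432262dca24f302c6396b71b36b45d17f2dda15608'),
    (r'C:\Users\Admin\AppData\Local\Temp\Admin7',
     '56271e2a91f0b367dc5e98e6e34b23fb',
     'ec829bca579807706b3229486e553a7981be1386f489fc183cb57ee41a4b8580'),
]


def normalize(path):
    # Entries logged without a drive letter refer to the same file as their C:
    # counterpart on this single-volume image (my assumption); fold them together.
    p = path.lower()
    return 'c:' + p if p.startswith('\\') else p


def triage(files, sample_sha256):
    """Map each normalized path to a sorted list of triage tags."""
    tags = defaultdict(set)
    versions = defaultdict(set)   # normalized path -> distinct non-empty sha256 values
    for path, md5, sha256 in files:
        key, md5, sha256 = normalize(path), md5.lower(), sha256.lower()
        if md5 == EMPTY['md5'] or sha256 == EMPTY['sha256']:
            # Captured before any bytes were written; do not count it as a version.
            tags[key].add('empty-snapshot')
            continue
        versions[key].add(sha256)
        if sha256 == sample_sha256.lower():
            # The dropped file is the submitted sample copied byte for byte.
            tags[key].add('self-copy')
    for key, hashes in versions.items():
        if len(hashes) > 1:
            # Same path, different content on every capture: a file the malware
            # keeps rewriting, for example a log it appends to between snapshots.
            tags[key].add(f'rewritten:{len(hashes)}')
    return {k: sorted(v) for k, v in tags.items()}


if __name__ == '__main__':
    for path, t in triage(FILES, SAMPLE_SHA256).items():
        print(path, '->', ', '.join(t))
```

With the full list the Admin7 tag reads rewritten:21; the hash of that file is therefore useless as an indicator, whereas the path C:\Windows\msn\msnplus.exe and the sample's own SHA256 are stable. Admin2.txt and adoKit.dll get no tag from this pass and still need to be looked at individually.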

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 06:31

Reported

2024-03-17 06:34

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe"

Signatures

No signatures were recorded for this run. The only processes besides the sample are two WerFault.exe instances handling PID 1300, which matches the "Program crash" entry in the overview: on this Windows 10 image the sample faulted before exhibiting any of the behaviour seen in behavioral1.

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe "C:\Users\Admin\AppData\Local\Temp\d02b1f3b2bbd7811f856a16408181d93.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 228

Network

The traffic below consists of reverse-DNS lookups and TLS to tse1.mm.bing.net, which is background activity of the Windows 10 image; none of it is attributable to the sample, which crashed in this run (see Processes). Contrast behavioral1, where the sample itself resolved and repeatedly connected to www.server.com.

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/1300-0-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1300-1-0x0000000000400000-0x0000000000411000-memory.dmp