Malware Analysis Report

2025-01-02 13:07

Sample ID 240318-cf29csdg49
Target cf2452c68d6d3a3f8874bff32cc5f12e.bin
SHA256 2120a5a153d84f3a5509800ea3582e4224e8fddb6a1c878ad66719f6070f8e76
Tags cybergate server persistence stealer trojan upx
Score 10/10


Analysis Overview

Score 10/10

SHA256 2120a5a153d84f3a5509800ea3582e4224e8fddb6a1c878ad66719f6070f8e76

Threat Level: Known bad

The file cf2452c68d6d3a3f8874bff32cc5f12e.bin was found to be: Known bad.

Malicious Activity Summary

cybergate server persistence stealer trojan upx

CyberGate, Rebhip

Modifies Installed Components in the registry

Adds policy Run key to start application

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-18 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-18 02:01

Reported 2024-03-18 02:04

Platform win7-20240221-en

Max time kernel 149s

Max time network 153s

Command Line

C:\Windows\Explorer.EXE

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I} C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{177RI5T2-EBI5-3P0W-1FV8-71L41ADNQG2I}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Windows\SysWOW64\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WinDir\ C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Windows\SysWOW64\WinDir\Svchost.exe N/A
File created C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
File opened for modification C:\Windows\SysWOW64\WinDir\Svchost.exe C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe N/A
N/A N/A C:\Windows\SysWOW64\WinDir\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe
PID 2216 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe

"C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"

C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe

"C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

"C:\Windows\system32\WinDir\Svchost.exe"

C:\Windows\SysWOW64\WinDir\Svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.server.com udp
US 52.8.126.80:80 www.server.com tcp

Files

memory/2216-2-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-4-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-6-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-7-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-9-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-10-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-11-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2216-14-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-15-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-16-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-17-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1208-21-0x0000000002580000-0x0000000002581000-memory.dmp

memory/2292-266-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2292-305-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2292-556-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5 a8141b0534595331e77efd78ebe7a632
SHA1 34941ef4381df78046737f65fe82cf413aa065e4
SHA256 0e2dd4847066ff6f21c263461e8035694578822b594f32161d964f7580800767
SHA512 fb547ad215019be6ea634277126b7b1ea886e0c07c20bde191716b1039e0c88466d6f88d9140800a5dd805c08c434dad8f9bf8b886acc8c0041f8ade71e6eefc

C:\Windows\SysWOW64\WinDir\Svchost.exe

MD5 cf2452c68d6d3a3f8874bff32cc5f12e
SHA1 470655d11928ac81960deccdc803f392804b6579
SHA256 2120a5a153d84f3a5509800ea3582e4224e8fddb6a1c878ad66719f6070f8e76
SHA512 9f97ae996d8f8f664d4c2d8b65a1e01a8463dd17fa124122c20355f3f041adf88b1e35cbacde7b8c2128118776b728e474f2479e6bb3af471a9ff0e9e58102b9

memory/1032-858-0x0000000010560000-0x00000000105C5000-memory.dmp

memory/2216-857-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2216-860-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adminlog.dat

MD5 bf3dba41023802cf6d3f8c5fd683a0c7
SHA1 466530987a347b68ef28faad238d7b50db8656a5
SHA256 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512 fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

memory/1848-902-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1848-905-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c1bc3b51c376ecd9558921180fe2ed72
SHA1 3faf4547f86bc6a7262a489961457227c3f3aa67
SHA256 4395e4b5f411929da3cc2e83506a30219ab10d4ac052020603c41491338aab32
SHA512 2fc326b7f5f6566fd86e1566c81938f2bdc26a3127f7d50926bee03058a8e84c34789507c2c5fc9fcb183f0a816735c5935550f74d8cd34f59a81914309a06e3

memory/2292-920-0x0000000010480000-0x00000000104E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 9d62db231e780d99c0c8c3ff3195ec8a
SHA1 c6cf68a15d31af61c9bb8412cdc62dc1626bc386
SHA256 221ffd5f4803e69813f578059e4183dfad21be804ec6ebbb406ab679144d3635
SHA512 5a6d25dbc13b98c066f8383489372b06bf0deeb0a3986dc4f832c6bb0a9f820450ff5eb8661a4da6692e8b9007d429e25ee860b1c00481c04881b3bea8e99ed6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2ec545a62568d3a20acd9200903aed66
SHA1 70c161b2acb76ff3705413ef456b1619d1e7a1d3
SHA256 a827786a10f664b883dc849c32e3f631533bca1e503efa34f8ee7917e43bfe26
SHA512 045a7b10dc8eefa0c8267dd21d59948d582824582bfec1509a5ccbe621d4fda248ad7f9d2622fa67aa03e24174dd0da94940c3094ed054f5ef38682115de68af

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 263d45536fb7e5538b652d62947be8cf
SHA1 5f8521cbed703a1208ff8e0c509183846ccf5a20
SHA256 36732f5f3b2a9d56b61ddca37be1b7faefcd362072eb76e0412b896274529d95
SHA512 5cd2f4977503e3beed3ea3e9e624332da9e4621afbe4686573fe52a31a5bc6b2472a86f37fe4a87bc6e406af4de71836f76ab93928e87115fcc8b93f2bb3e380

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 32affa9d8abeb222b1e7975633c64566
SHA1 edc4c7b937cc59c213968857191bed9ec1d87a9b
SHA256 b039034a1df2b179d044ff405869071cad87ec2196b65d74769139ef28de456a
SHA512 285bd9dc411f5b4b91771d44c65876617ec0be40eb21eee1cbf73206106c470df887f2a2076d899e54e06932c868de815a859977a8e0267e1010e136b7f22e72

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c2152d893761cc62244fd21b74d04325
SHA1 4a9a1fec2738e79b30271ee4d898678477664f57
SHA256 8dd0d6419fc96e908981c0fc23e6df831b61cae06ba88e181836f6c6c1fb1714
SHA512 9c1ea11b4741ddade19383c27600746c80b78922ae236d44d171db78de00c7a039425b528549d7999b96c19151b09dcdd5a838242cdf7b7c6f4ba49ecbaf7e0e

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 eb8c522bf21f3cf9d027bf0041104343
SHA1 cd42b2c4c987dc2ad41283cc0bcb377830377170
SHA256 8ef825453c229b3fb219717af40120aa7f6cba874b3f3a756839eeb5b65a7594
SHA512 7b5089ec3e944f4ac93f9841d316344a1882377eea04725a2e16c5eafa43b1fc188e717ba560b5b63fee986bb1b175c6c9de50db9c620933afb7bdfa5dedd552

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 d71e83a25b0259ae7eeed1331aca0186
SHA1 a5f4430c479ac244f33d1b7c484b84c5203c6351
SHA256 6841aafd95908fc590e68f98c25b5b26869db6d773910487efecb27dfa2f9858
SHA512 8877938c7febed2de9152b9593827b4cacacdb52228a91b302e8200eea441e857fb1d97a8ac308450346c426d5e87f8149bc58370c25dd326e4ca1cc6c02b641

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 4ced55c2ccb2fa297add947976f9f2de
SHA1 ca39c924c7ed87db3062f68a9821154540819e1a
SHA256 0295b4d25eff9834b869b0cd66a43224b37fddb7a2f096e10bae6332e6ca098e
SHA512 f6331f5c8ac8453cca7f0ca1734a3404c60d30179b7195e4ce9926a69e10e4aa6079569299befeae7107b532d4f62871afe0ef07e9d6c7f89cfe31d078e014e6

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 dcb160303135792247bb6616e7bcef98
SHA1 7a4a94224a718229588f5440db0618f057d5294d
SHA256 5d67f4aa1e2a0006baee10a6bb483a24f4b1b37d293c9428da1460f1c8087590
SHA512 407f220a5bb42283e893d8e5cba68be91f171d5f1470e5f164225426b2d4ea2b0379adc685b016c13481d1bfc0c5acbfa0dc83f8e70b8c3cd21f2ef25bb25d02

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2801a6dd48f2269b99f181f08cc4ce71
SHA1 33574a9a66e388c1a83fdb15cb61de7f3f759670
SHA256 95525072a2a5eed17026e3efeaba35920be29f58a9bc03503fc9ffde5644a47d
SHA512 67b4cbc84d50e1bd75d20005b787b85bf1cae5112a7ad74230c5af7d1e84e839a91cd1a6c2635c055de0403e937d3acd308564cca1c4701e6dac18cfe30501e7

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 b8e23f57ccdfb01413fed551fa8d215b
SHA1 518dcc5328702df8bf21790ed70ae4ee83f6264a
SHA256 a9bee663106438ed1b4fc6cb465179f34aba82472d643d1586872cf61f1c8fad
SHA512 5c829b7cbdb9946fff18b5ba6a9716101f9f3a2d6aa12245a6fe5975d0a81d4c83c45899e2f85a2a7321e14326131b79c2bb9b374974030d3a259d2d22a62303

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 1f0a76bb1e55dc2e58cf338cb93a27d7
SHA1 cc2ac6945d876f66806f9dd77678cf3b90131f82
SHA256 789b88f79cc1f4935253583c543c3a72a26ee404bca014aed371c70792990a12
SHA512 8a858d8578272a787b98932ff81eebbf1ac498aa957474b2528f7a87442997c9a87128db6190fe4bf8f290d1031e9b6e102c3ea76d97bb3037ee5cabf5347368

memory/1032-1623-0x0000000010560000-0x00000000105C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 2e347fe7e7210a6efd5125391920c4d2
SHA1 1d0b70e11ac85f304007517f2b4e9432e2cb8f98
SHA256 7a950ba8906f976651705b8b8b3c497bf436c193d26c915b715cb93768061a65
SHA512 e30cbfa52f213dd349172dff227785f287281a29c8bac17022e0a59b48a6667e938179af7efe4ece3da45c24563e85ab918120b46146cb6e5642f9543e5a513f

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 3b51ca31ff89beb37848d84ac48258bb
SHA1 389e821bc74b30a73783c780168b3f3df3555773
SHA256 7838a88474821439b0e226cc4e2719ebacc91ab2d3dce9f7906cdf489ef51890
SHA512 49e104ac8df24d0604cde2cae21111c01ca8a1337af3e2ab8452c6e200fa893b7694dc83f3e0e96207ba104b28203037ba68febab97e1b8924c82222eea63ff2

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 c8e5404d0a7ce71bb8661084ad5c5c8f
SHA1 a54aec782759b9d3ba42b182dee7c83c1ef40cac
SHA256 190f4059f3883603e888bc29f4fc520477383f53133940bfe13ae1cfcdaaf191
SHA512 89b07c9b03f93bce04f191fa991bad8792d8d5970721d49ee560a6bbce32e99771632d494a025bef4c5d4ad29d03db1622fc3555d5b19896aee24ea857e5cb1b

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 5be642d69ff3abf9baef8a5f6b5ae71b
SHA1 79786bec2122e85a6b26dca2580bf8afbd4e4ea9
SHA256 fbca41a922dc6f945f514da971283ef8a5eae543e1e86f54b05dee2f3cffbde7
SHA512 9928b4509cd5e59e7afffbae65b850b9b855c3fc060660ef497ac551c2b5bdb7036f3fd781f92dce5a7d05eeca390f4916fa9b9e39f1bfc35670bcb54d4da935

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 e695d4b11cdd03649ec576d4b5c40c36
SHA1 7f1211aa2a997948c706fcf21d2f87ec20d6809e
SHA256 df002b9a5b222fbfbad305c563cb713536f4179ef33bdfb9e0f57e8b8fafba0f
SHA512 f4beecbc11a0f7b8ea1c0194ad8610150f8c9178e729628d5de735fc096d71b5e947a8d0957ca2f40633c3d318667324b1f34f23037d5f1acb2f9a0153903548

C:\Users\Admin\AppData\Local\Temp\Admin7

MD5 aec512f343a230f0526025efd54b9794
SHA1 9d1f6918bcac961c05c98e23e86969565412d97f
SHA256 4529fd307bd2a0789ab8eb7d5d84767553aac2a719ddcec944d12f5a412c77f5
SHA512 4e3980e89101660a3b2ec725bdd9add20596bed0c802a913157b30ae1777b988ad6c3b492ff7c65f7290ead0dda0248dda5d253d92933ca0d0031246bee031aa

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-18 02:01

Reported 2024-03-18 02:04

Platform win10v2004-20240226-en

Max time kernel 147s

Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe

"C:\Users\Admin\AppData\Local\Temp\cf2452c68d6d3a3f8874bff32cc5f12e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 216

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

N/A