Analysis Overview
SHA256
0d29a8e6361f44ed95c6c67435635a7622e11ab2f03c6f1f5bc80d3856dbde78
Threat Level: Known bad
The file d2b20caa1cb3ad7924b69e439e7a744a was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Modifies Installed Components in the registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-18 05:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-18 05:27
Reported
2024-03-18 05:30
Platform
win7-20240220-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1792.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe
"C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe"
C:\Users\Admin\AppData\Local\Temp\1792.exe
C:\Users\Admin\AppData\Local\Temp\1792.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\1792.exe
"C:\Users\Admin\AppData\Local\Temp\1792.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1792.exe
| MD5 | 5a7ea4d892241c9064377d066a81a204 |
| SHA1 | c3e7d4f33d70370263ce16e5f30036c1c6380c3d |
| SHA256 | d2e43ec34ac6a0967904d442b07be36bfd75df1df77b36f4bfc764d1cbc75691 |
| SHA512 | 71287f40c8c6c73bf88845a32523fb386fbf8cd87cc0563fccbe17b570396ec7fa3e590a735ede34f1a484c45db0321b3c55bdbef77ba2d1435389b2837129cf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-18 05:27
Reported
2024-03-18 05:30
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{057FKY0J-QIXE-ME20-A8JP-428UYD4PTS7V}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\210.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe
"C:\Users\Admin\AppData\Local\Temp\d2b20caa1cb3ad7924b69e439e7a744a.exe"
C:\Users\Admin\AppData\Local\Temp\210.exe
C:\Users\Admin\AppData\Local\Temp\210.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\210.exe
"C:\Users\Admin\AppData\Local\Temp\210.exe"
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1848 -ip 1848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 568
C:\Windows\SysWOW64\install\server.exe
"C:\Windows\system32\install\server.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3936 -ip 3936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 532
Network
Files
C:\Users\Admin\AppData\Local\Temp\210.exe
| MD5 | 5a7ea4d892241c9064377d066a81a204 |
| SHA1 | c3e7d4f33d70370263ce16e5f30036c1c6380c3d |
| SHA256 | d2e43ec34ac6a0967904d442b07be36bfd75df1df77b36f4bfc764d1cbc75691 |
| SHA512 | 71287f40c8c6c73bf88845a32523fb386fbf8cd87cc0563fccbe17b570396ec7fa3e590a735ede34f1a484c45db0321b3c55bdbef77ba2d1435389b2837129cf |