cybergate | 1f1c4a1c68c30e8376d647f68671e53942933809b97c42ec5de3dd68eb9a4032

Analysis

max time kernel
21s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0a5a7fe64828973524bb8c013a16a73.exe
Size

440KB
MD5

e0a5a7fe64828973524bb8c013a16a73
SHA1

65f06c75b3c425025f3279ba71d3a5b5e4ca49ec
SHA256

1f1c4a1c68c30e8376d647f68671e53942933809b97c42ec5de3dd68eb9a4032
SHA512

d71982a577e9d07d4512dd507a6547a833c027737ebee272811ced55f249adb02d2543bbf2bff3f203f475d8d0fb6859700f27f47ae01baf6061c16b57624375
SSDEEP

6144:EC2/Olw8fiPzV5YII/ZylFBpx5Ga5+0GSziZblBnDBIgI1h:xUzTYII2HGa5PGZblBn2gI1h

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

bikini.no-ip.info:888

Mutex

VX05B48LM7K3MV

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
sex
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e0a5a7fe64828973524bb8c013a16a73.exeexplorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	e0a5a7fe64828973524bb8c013a16a73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e0a5a7fe64828973524bb8c013a16a73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	e0a5a7fe64828973524bb8c013a16a73.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e0a5a7fe64828973524bb8c013a16a73.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exee0a5a7fe64828973524bb8c013a16a73.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe Restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}	e0a5a7fe64828973524bb8c013a16a73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"	e0a5a7fe64828973524bb8c013a16a73.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13G8OTB2-16S0-2FFC-F862-RC5MXDA743XX}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

2324 svchost.exe
1984 svchost.exe
2244 svchost.exe
2112 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

explorer.exe

pid process

2544 explorer.exe
2544 explorer.exe

pid	process
2324	svchost.exe
1984	svchost.exe
2244	svchost.exe
2112	svchost.exe

pid	process
2544	explorer.exe
2544	explorer.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2544-539-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2544-627-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e0a5a7fe64828973524bb8c013a16a73.exesvchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"	e0a5a7fe64828973524bb8c013a16a73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"	e0a5a7fe64828973524bb8c013a16a73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe

Drops file in System32 directory 5 IoCs

Processes:

e0a5a7fe64828973524bb8c013a16a73.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\install\svchost.exe	e0a5a7fe64828973524bb8c013a16a73.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	e0a5a7fe64828973524bb8c013a16a73.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\install\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

e0a5a7fe64828973524bb8c013a16a73.exee0a5a7fe64828973524bb8c013a16a73.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2768 set thread context of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 set thread context of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2324 set thread context of 1984	2324	svchost.exe	svchost.exe
PID 1984 set thread context of 2244	1984	svchost.exe	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3384 2500 WerFault.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e0a5a7fe64828973524bb8c013a16a73.exesvchost.exe

pid process

2472 e0a5a7fe64828973524bb8c013a16a73.exe
2244 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeBackupPrivilege 2544 explorer.exe
Token: SeRestorePrivilege 2544 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e0a5a7fe64828973524bb8c013a16a73.exe

pid process

2472 e0a5a7fe64828973524bb8c013a16a73.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

e0a5a7fe64828973524bb8c013a16a73.exee0a5a7fe64828973524bb8c013a16a73.exesvchost.exesvchost.exe

pid process

2768 e0a5a7fe64828973524bb8c013a16a73.exe
1688 e0a5a7fe64828973524bb8c013a16a73.exe
2324 svchost.exe
1984 svchost.exe

pid	pid_target	process	target process
3384	2500	WerFault.exe	svchost.exe

pid	process
2472	e0a5a7fe64828973524bb8c013a16a73.exe
2244	svchost.exe

description	pid	process
Token: SeBackupPrivilege	2544	explorer.exe
Token: SeRestorePrivilege	2544	explorer.exe

pid	process
2472	e0a5a7fe64828973524bb8c013a16a73.exe

pid	process
2768	e0a5a7fe64828973524bb8c013a16a73.exe
1688	e0a5a7fe64828973524bb8c013a16a73.exe
2324	svchost.exe
1984	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e0a5a7fe64828973524bb8c013a16a73.exee0a5a7fe64828973524bb8c013a16a73.exee0a5a7fe64828973524bb8c013a16a73.exe

description	pid	process	target process
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2768 wrote to memory of 1688	2768	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 1688 wrote to memory of 2472	1688	e0a5a7fe64828973524bb8c013a16a73.exe	e0a5a7fe64828973524bb8c013a16a73.exe
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE
PID 2472 wrote to memory of 1248	2472	e0a5a7fe64828973524bb8c013a16a73.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe
"C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe
C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe
"C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1944

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:1920

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:320

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2604

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2640

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:1604

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:1880

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:1740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2168

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2236

C:\Users\Admin\AppData\Roaming\install\svchost.exe
"C:\Users\Admin\AppData\Roaming\install\svchost.exe"
9⤵
PID:1804

C:\Users\Admin\AppData\Roaming\install\svchost.exe
C:\Users\Admin\AppData\Roaming\install\svchost.exe
10⤵
PID:1520

C:\Users\Admin\AppData\Roaming\install\svchost.exe
"C:\Users\Admin\AppData\Roaming\install\svchost.exe"
11⤵
PID:1000

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:3040

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:964

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1616

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2700

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2796

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:2364

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1044

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2756

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:1872

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:960

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2328

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 544
10⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2664

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:2264

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1660

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:1412

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:1504

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:560

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1844

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2100

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2076

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:1668

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1460

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2008

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2652

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:580

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1648

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:916

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2300

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:2824

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1148

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2572

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2116

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:1016

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:1568

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2696

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2284

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:1680

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:1916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:872

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2020

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:1080

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:2324

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:1216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:3052

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2584

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2796

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:2012

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:692

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2024

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:1592

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:2180

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
9⤵
PID:2968

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
9⤵
PID:2296

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:1376

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:1592

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:1672

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\system32\install\svchost.exe"
6⤵
PID:2096

C:\Windows\SysWOW64\install\svchost.exe
C:\Windows\SysWOW64\install\svchost.exe
7⤵
PID:2876

C:\Windows\SysWOW64\install\svchost.exe
"C:\Windows\SysWOW64\install\svchost.exe"
8⤵
PID:2072

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe
"C:\Users\Admin\AppData\Local\Temp\e0a5a7fe64828973524bb8c013a16a73.exe"
5⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
4ad4767ff511a1a756146c9e0928d1b3

SHA1
862365b80d60fde615d6ff843f58913062868295

SHA256
73d12892d2b037b979b0f46bea5f054f074e1f75f47fa7809b02fb737b0d5d37

SHA512
63ebd371647a6ce6dadefe5921de8d454f622c9b835385cdf01edb8ffb2498bcb9f744dad3a0b1680585a07a1c5becf71c3ab80300c4dd12a9e01cbdc68b4d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
321c01a78d9d62aef7aee53579d8f930

SHA1
bf0f90b9e23299432b63864009b3d3b58857f4af

SHA256
6fd4e94c771bd438dffafa6e6446b91d54e16ef7e1c101dcb06a2c699d60b5b7

SHA512
2e2074f52a51c3d4ae96f8bd8987428aec5ad550162776239babd3c1e303af66692f6f0c153b448dc502a5d425beafef28e2e40034d98d87ece32cb69ffc2598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
0a39d636d26553ef3662a0e046167a9d

SHA1
5e0b1d3d1baf16d7fd6cb2d7494ccdfade16fd97

SHA256
4b196193f1ebfb7b0229e136b67f21c011a065e50e2681e00b86d2cc612b8dae

SHA512
507dbb40061fd80b20bbf0c439ec5c2d82833ef25b76c8cda3434c845435b75f751903f341f8bf0ebd1f2e40509283c4877d1d75d89328642ac578acba09c7bd

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat
Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
384KB

MD5
d7b2ae95b026cee6cffa049e95a5c83d

SHA1
060578b2c62f155f6b8e58ffda0a075135fbccc6

SHA256
0994d08abb3c7d10e9f173ef56c42cae9a6ea68fe7635bbb9612c345e557a89c

SHA512
a6140e57ade2f6f05b19958d19306fdba13b6d36623d3806a43f5ca7f2a062f38dd26d45b2e9e2e3feda666f0631b39ef41db88ee818f61b1d4606cd30d4af28

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
440KB

MD5
e0a5a7fe64828973524bb8c013a16a73

SHA1
65f06c75b3c425025f3279ba71d3a5b5e4ca49ec

SHA256
1f1c4a1c68c30e8376d647f68671e53942933809b97c42ec5de3dd68eb9a4032

SHA512
d71982a577e9d07d4512dd507a6547a833c027737ebee272811ced55f249adb02d2543bbf2bff3f203f475d8d0fb6859700f27f47ae01baf6061c16b57624375

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
192KB

MD5
e88da70dc3de03d66fc2067d1c4ad475

SHA1
8eadf460f78de050b0c11b6741b506f5b85f4094

SHA256
eb329585394a8165b8ff7a601929d5ad0c798df1e8d6b618df475547e940fb72

SHA512
4a72a8ee5f6b4efe4297b9c9b9866a90537626130119d1cdb11391785f262654ae2557c39d58837489e122fd645a64630a9a29e14d144ed174413a08c339b443

Download Submit
C:\Windows\SysWOW64\install\svchost.exe
Filesize
128KB

MD5
bbbe9da50ddbb3b02edfa68ba73e3314

SHA1
650f9990fff843efb50f09a1d1fb4231b6a44929

SHA256
2294588818d608f4a34aaa7a69ac3d76bd221283801adca2a46d036436f879fc

SHA512
76bad68ea4d79071c68631168f7d8488689da9d6b79c9679785e09e6e4dddf902c0cb53f5ff02c78cadba7e8e41bb4a8f3f996cb0316cc0f3ae37d7638624134

Download Submit
\Windows\SysWOW64\install\svchost.exe
Filesize
320KB

MD5
917d2722aca9df883722ed4c1194df6b

SHA1
6fda8adbdfd7c35dde5919056e5ae28ef57debdc

SHA256
aba126c9fb0eed3f52e967ca26c0d55421b0cbac16f79b79f4b32a2415d3ccd5

SHA512
49234d7a49c8e950a08a9dac52fdce3507b44280ca7270c6ff9bab766e88dedbb341d737e22c1410fb0b13a2d2a8f8f4feceeebe212286edb6680dfc70d46a45

Download Submit
\Windows\SysWOW64\install\svchost.exe
Filesize
256KB

MD5
1d90aaad89b80a8a40c48afb944d6527

SHA1
d0ca8d4494a4116f60ba47c64ea4bd7cdf9aad4c

SHA256
3610577109dd492bcaca56739179a3c485e4a28b530a2048511c1629c5df590d

SHA512
99e32aaecc5e237dbb0e395cf6f879435350e88076fbcc71e305d3ae9bf7b92ed90dbce63843a1dd6abf6ab130fefa1c94f636d6d04cbfb43eb98502331698d7

Download Submit
memory/320-659-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/552-1180-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/552-2913-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/560-1446-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/748-924-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/748-1059-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/960-1189-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/960-1164-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/964-925-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1000-2520-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1248-16-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1520-2518-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1668-1608-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1672-2453-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1680-1961-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1688-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1688-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1688-2-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1740-2263-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1740-826-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1740-962-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1880-833-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1984-574-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2012-2141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2072-2528-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2204-808-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2204-658-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2244-575-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2244-661-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2264-1301-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2324-2049-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2364-1056-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2472-12-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2472-555-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2472-8-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2472-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2472-11-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2544-627-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2544-262-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2544-264-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2544-539-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2620-1050-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download