cybergate | 002b6cf0011267abcb989e1a062608ee606efbf1b7fde7b3c39059e42a2e1d8f

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 08:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
Size

370KB
MD5

5fd338fc77dd96a0142bb7a8d3abdd03
SHA1

f1fde4e6d6ce795446d366bee65801847e659816
SHA256

002b6cf0011267abcb989e1a062608ee606efbf1b7fde7b3c39059e42a2e1d8f
SHA512

46674427fb376d9ce42c25f1b5e5acec0cb6a2d60c10bd29fb75599eddc63ed598c944cf9165423ae1e3db11c585a8a805034abbd52a13bd0d23a6a24f101453
SSDEEP

6144:1Dm4OoU5Mq5N49/iKuGKbKMBQK+8aSuFOS3h0YdiKWI/0qN/Zg2mU/liKVQLeicM:jOzGQKMBQPSuFvyCibI/Na2jPVQLeiyM

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

scate2.no-ip.info:81

Mutex

MC66KX3IDCUM2H

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Su sistema operativo todavia no es compatible con Tuenti Vision
message_box_title
Tuenti Visor v5
password
2cacas
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe"	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DUN7DV-11I1-2NT4-658C-ALJU1WO28E32}\StubPath = "C:\\Program Files (x86)\\install\\server.exe Restart"	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DUN7DV-11I1-2NT4-658C-ALJU1WO28E32}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DUN7DV-11I1-2NT4-658C-ALJU1WO28E32}\StubPath = "C:\\Program Files (x86)\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{67DUN7DV-11I1-2NT4-658C-ALJU1WO28E32}	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2192	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
1528	server.exe
1812	server.exe
1636	server.exe
2384	server.exe

Loads dropped DLL 3 IoCs

pid	Process
2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
2192	explorer.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-27-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/2216-552-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2216-1445-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\install\\server.exe"	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\install\\server.exe"	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 1528 set thread context of 1636	1528	server.exe	35
PID 1812 set thread context of 2384	1812	server.exe	36

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\install\server.exe	server.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	server.exe
File created	C:\Program Files (x86)\install\server.exe	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\install\server.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\install\	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2216	explorer.exe
Token: SeRestorePrivilege	2216	explorer.exe
Token: SeBackupPrivilege	2192	explorer.exe
Token: SeRestorePrivilege	2192	explorer.exe
Token: SeDebugPrivilege	2192	explorer.exe
Token: SeDebugPrivilege	2192	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
2192	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2192	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
1528	server.exe
1812	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	30
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21
PID 2104 wrote to memory of 1184	2104	5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5fd338fc77dd96a0142bb7a8d3abdd03_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Deletes itself
      Loads dropped DLL
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2192
    - - C:\Program Files (x86)\install\server.exe
        
        "C:\Program Files (x86)\install\server.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1812
      - C:\Program Files (x86)\install\server.exe
        
        "C:\Program Files (x86)\install\server.exe"
        6⤵
        Executes dropped EXE
        
        PID:2384
  - - C:\Program Files (x86)\install\server.exe
      "C:\Program Files (x86)\install\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1528
    - - C:\Program Files (x86)\install\server.exe
        
        "C:\Program Files (x86)\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\install\server.exe

Filesize
370KB

MD5
5fd338fc77dd96a0142bb7a8d3abdd03

SHA1
f1fde4e6d6ce795446d366bee65801847e659816

SHA256
002b6cf0011267abcb989e1a062608ee606efbf1b7fde7b3c39059e42a2e1d8f

SHA512
46674427fb376d9ce42c25f1b5e5acec0cb6a2d60c10bd29fb75599eddc63ed598c944cf9165423ae1e3db11c585a8a805034abbd52a13bd0d23a6a24f101453

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
b57cb21a6a519dfcb5ff52dabde34f96

SHA1
7d2c4575ec91c951460a313d7bc1dd76d996b55c

SHA256
faa5c6989558d6fbc38663471aee13bc8e6302f79b321fdad56d88911a90219e

SHA512
04553e15636cfeda9354c959a23824256b31a6f79f7feb8e779b2f627c4628e7c99c94644574453c20fbed77b45ea883e147211d60f9196dad3f950169344493

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9a64085fba915daf87ef1e2202f65953

SHA1
36be3011a55c44b987eda0794da0b1da6e3eeb62

SHA256
b82d95bf84bbb55fd732dfdda9977c11b58de92b1b83402748ba30293dd1f6e8

SHA512
eaceeedc1c21f866fec5c3325512caffa16f2329fe55ada0f6a2a7c4429908a9a944992e31a4f54c67243afe6ecd704557b242658235a8593bdb064b588db2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0c1d020c29e4d597fd120931b9ef5f68

SHA1
77b07a29a1ff27b38768dd8f6132df4676c00fc5

SHA256
d013723423c5febabcc6ec83235d622fc6bc5c5893bccf3858f10dde6cf7e649

SHA512
8ff73241ef62b9a18a035ca49dd42e41c1800494ab5c4d08924cc5536274ea90320a2a23c0237b423cb22d1e56080cd82d9f78942785a94273f301f6428499af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6cce15ed1a601c79970f4e45dfc7a1eb

SHA1
9a507577a362cf13e14fe933cafb4218ba75e8b9

SHA256
a5fd3d2f20854286e09bf2bd84069ecd5e546dc9a0848477fdb27dae11fada6c

SHA512
e8a76fdb5ede13198a2443c55a45e92e9a2fe8daffc3c90dad15b3ad49725ed5bcf455d6bb90954dd6bb015d811167643ba98092e281d02941efceba8f77f62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c40bb2d70f44098d7584cede6cd949d4

SHA1
3c8bc3f2bb2e94a0a094c05154a0dbe409ee000c

SHA256
b83b06c7fd053f2113ba621604517ac48472915429b7dd099d02a379def3efc0

SHA512
dbaab413ef769cb348bf47214ff3445443915afacf2603b6c069625c1b1742ca07c3189bd45642f55e4c46dd6c924f8e6bce7cc1c5565ad38a8331698c425e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
160ee6723363082b7ea5bf68f9af4975

SHA1
cbd8cc44ce57e3ac88c06b0b5845e5e9d7fc0c04

SHA256
096a8f1a3f09298d8362d6fc33adeebbe6d7474b5d44f6194a5154715faeb64d

SHA512
f5721293fd2ee55c834dea97462744075615f16d96c624910751bc28869c5fa4362ce36733d6831d2ce889fb72a2f4f0471f2d01cdd362b343fee0bf165ba82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c7fa0ccc789cebaec8e2aaee6a78d25a

SHA1
98eb374e0c35499cc7b20b32c12671a50afa809e

SHA256
a176847b121094d92b49914958934600eaaf0709c3b84c7e367143f0f33ff345

SHA512
617e2575fd3b507b890350750841ead38679cb13eef8d142547c52faf0585efccbd91ec4cd19e10e4bfe07180cff2c2ab907ce6e70de6630077f69ffc0936a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5572d452952a626ecb93dc97e506d858

SHA1
3eb8f0b34df007ba33aba8b794f33287cecd8088

SHA256
8514110afea26c52d08466b0e0f7d6e62712f43270b77e795fe401c7e932eace

SHA512
b7fad3109b51f4df24ad15af06f554a950d4ef69f2b8ecbe1121dcb9189e192dc1fd158cc29d636e2485f992c33a62513b94e31235944208e2109d3df3dd4dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9eda95173575fea9d96c6257542ba432

SHA1
817586518a6378138945cf6229909c6216d9258a

SHA256
88f9d2086401be9060874cd51a29ddafefa1cc1511dfbaa8fbd9a34ce12f7b67

SHA512
d1f87612c6978b64037f0d772324ef44633de075cf9a4aafd4b0d4336961342e3bceea5a4021950bd691b08d1a18fb4a0ae6488dc8c46e167da81fc25261f4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
053017ecc649f4fdcaacb437bc0c06cd

SHA1
f885346bdc34239b1350aacd7790215ac00d5e06

SHA256
e601baa88a20e0a3a55a381416cb83997e3ed97081e88f42dde0b003bf9112e1

SHA512
90bd6bfaf24ce9e7cd9fcfeed9f2390f5b56657445cc4c22b3995b567b96b4ad7f97cdb34b2a5472566e028b9a720b704191ca020b3a4c4291945c8c6705c100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
09c61b562720fdf1700dc049bfdc2359

SHA1
ceca9a27380c01bd1166dbc7156b0cf98883c968

SHA256
c07e07874ee47f97b51bebe1291b4de1403d4d7e7f4990294059619622e39899

SHA512
c893d0b565d4ce34423d75866c9b070784e4a3fff22d7f4cc0b85454ff2e9a861141581ed5131941c885a30e25b0a4e25150ac054c25f231427b1fc6cf983f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ef78e68e3978d01fa79a3f0e199498b4

SHA1
28a6212d0b29621a9b3e84687fbaa91b274c9d43

SHA256
23803f03a49becd92bedc530272859a6ca9d7f2a1ef2169d4013d1da6e5529d8

SHA512
09036fd7d2e1fd53fa07db65afdda542911d1da228e6bd420e52652d3494cafd74a9f416579f7f8e93fe69c23898b9ddd0d08f1ba427de711df0f16dc6a5f4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
20776a92d8abb51af57854c6b5fb00f5

SHA1
8cb5701435601eefed92bf251144fffb72164020

SHA256
a805b0588b9cd43d5128c80512210ec8c996c6a09dd28bd3c4b77d165f21d1c5

SHA512
c328b6e09a0e929e9d84da1fe5cfa97d53849fa8214105c99fca868d3fa5d00e0eb222f94199ce09c1bacaa8f1258f8dd5b61891e342b642b5df0814346f8bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
87104f54ede3b8e44ebdf243920ea8da

SHA1
df4dcae04f30a43daa719dbc0995569934562f57

SHA256
bab75dab8b09baf471393e3d7e0bc155fada7e446cb216442a7789bef0ed9689

SHA512
7d1249586abf9931258af57a90adf0839c8191294fb413f1010929559e04b99ba5781790b09fe46fc7e49ad56f5eed103345ba903f4588690c5d3d03d05b6320

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e4af1fe001195fff32b7d1a24b9dcbe2

SHA1
a393a28e32a65d4747af0acb7e80f69709a52141

SHA256
50014d39bc0eb7a778959e284c5de2cabd0aecb183d6bf9a55d4945ccb2fcee1

SHA512
37fee1042c58f70fdc0839ee92c193f4e27bfd7d0d8570964a0e739a3105b9b958d61c203343e1284cac6860551c1f072c963a380174fafde8c6ae9e6478f0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a2086adf067329e59a986b02d43dcde5

SHA1
4609986255c74525b9ed93810c93986c009962ec

SHA256
56d70b59943edfb3ae048e8573211cad90d19a12a0476fba51b85592172fda7e

SHA512
dee6a6d1592f22a19c357b04728c386a465d1d6d85b6eceffff1d4a4760d0e295767fe162787387064a272fff2c60597b2319898c89b0b8b6a3b55ef46aa84d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1d6c6e3b51a99b375c0af2628434285f

SHA1
4d0957cdf36371ceb4a495c3b8c1b65c83c0ca1e

SHA256
41b2439ad1ea22321926ac69502be4330590b98052c20169e263da04daef9210

SHA512
734c18b1137c4cc8ee560991b118a204a019272636e6955f387f12f1e4e30d44efc21d705be21634ce9b5aea7edbd53249a809c1e13d57c436d737d139a1c43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9b267b43d316002db998e8eb5c4d7cf7

SHA1
61612d39a4f4aea4adf3662d81323822a6903ef0

SHA256
0bbaf7a426688eb58063f25a79efd34d15f2a165978a3c671eaaf8ec36fcc95b

SHA512
f780ba15b05dacd4fabfb0d301b809d91b9a3a0b8cb454782b475c2af5630d16c6b7fdf83ab47180b44dbc06729c6330b97e5bd872aeb84912a715e581a615f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a82637e6d9bc8e739be51dc162375b51

SHA1
77002ae3e5467d4025d9174c4160f120271e836d

SHA256
ce37d2c8c854000445f8bf496f537dbd78a2c7a3d4c12a62cd70073200623138

SHA512
a4dcd2d5f9548c78e0212573eb3254f6d578147979638be38e6247e7d3748796070b0a92e2deecb58cbf295471b03bde17bd25667f8de6bb7baeadc4da761bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ed6e5fbca21d4f8d016198de297d5c9a

SHA1
66f1b0f896ad33572b4ec60babaec427088a0224

SHA256
0c7207ad8ebf42d4f496eed1eec850aa216ae5e2b5b9dbc82bf47ea0dcd034e3

SHA512
8d23121346f86f388e688e00c5227f9bce223b0f406f5fe034be0a3d0747ea3198f256d89de2eb76f09189e665a9bff30164758089d41567ece60169cc601097

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dd4249da8e8c35158e23be8c9f21fbeb

SHA1
059025d3b0fa738a0f9baa82470ade37c250edd4

SHA256
8156c546c92ec51abb110d3800f54b328c175a4bab370384a3701c7230947cb0

SHA512
ccfb3984a993b93a3dcd7f579b7755725bf8695f6a92477e5b3f41564b3887a51d029fcee5b44f3b3d586d746e173ad579a86de03743126cb2ee810551ee7a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
265dc340322f92e518797cba311b44af

SHA1
2f61d27dd6838fb4a63bcae9a01f5dbd37f052d5

SHA256
18e15decb885d7a10a1930e50ed49713fede372c61eeb4a0e38c8dfeed70d876

SHA512
3826cdfac7bff17266b2913cb72e8b9c7dc42b51fda5811dc5b7bf8639e1b3defa17180b8a5ba0e714265f9abb7a07e6289a2121acc2eb918e84ec7439864929

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8

Filesize
8B

MD5
87ea330aa43b6f0ff770de68a3b1f96d

SHA1
52e58c17ea9214647b1487f6f91c5eaef65a3301

SHA256
359ad5a45f6e29fc5f6066f83261779cba88b7772f5dcbd44220b83a42d7df89

SHA512
0bee03d4f21703958c4e99a74c05732bdf88851d7b169e45bbb5509522031320c7c86a0fb48b17944e1c784c53879e4798b5021214659479994b7c95cbef5a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwreg.dll

Filesize
83KB

MD5
17e0de7c604628294740ffff05552672

SHA1
d6d0b51c1d0547075ab0f52753df6f1f766aa393

SHA256
44754f92df69e3115bf32acc9cead3913465b2b613786f03cd828bbe0c2abfcf

SHA512
0cbfce7444d59e4e96cfd7f1c63ae74ebeb6fa73013f90d13a93464bd662db594857edb1481318b1c648ab8cb415854ed55904e3bd972168972110dac38606eb

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
memory/1184-28-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/1528-901-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1528-931-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1812-911-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1812-950-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2104-15-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-23-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-883-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-27-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2104-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-18-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-8-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-10-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2104-12-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2192-910-0x00000000041F0000-0x0000000004205000-memory.dmp

Filesize
84KB

Download
memory/2216-1445-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2216-271-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2216-320-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2216-552-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3044-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3044-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3044-20-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads