cybergate | e3b766f5ab7bea8f390719fdb235069bf2bc4f5ff35ae2baa0363536a4ee87db

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 09:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Size

464KB
MD5

c88647eb640503ad2655f28aabe3d6c8
SHA1

e231ed465464e24b602634b7bc3c2dc98f58d128
SHA256

e3b766f5ab7bea8f390719fdb235069bf2bc4f5ff35ae2baa0363536a4ee87db
SHA512

333b466addd12c3689a3ace37ff3e9b723e0d388fd345989b5b68b214ff4bf188bf5bdcbb0565b42de4ab3dcd89b7db93a707c045e6e8fe5444c4b2d147d170d
SSDEEP

6144:ujO7YucMwDfMjsDEh6BKhV8SO55lo4AFJw8CZvEEYVYSNH2LYEjAk+oTYy:u6UBnf8orQcSOZxAF9C+9LWL7X

Score

10^/10

cybergate latentbot remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

flaboyserver.zapto.org:1453

flaboyserver.zapto.org:3460

scriptevillestylak.no-ip.org:15987

Mutex

DS188U8R14HW2D

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
You do not have permission to vew the current permission settings for Properties, but you can make permission changes.
message_box_title
Windows Security
password
vauban
regkey_hkcu
HKCU
regkey_hklm
HKLM

Extracted

Family

latentbot

flaboyserver.zapto.org

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\svchost.exe"	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\svchost.exe"	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0G50F7CO-23NB-78QY-01EE-23411BW3526Q}	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0G50F7CO-23NB-78QY-01EE-23411BW3526Q}\StubPath = "C:\\Windows\\system32\\system32\\svchost.exe Restart"	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0G50F7CO-23NB-78QY-01EE-23411BW3526Q}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0G50F7CO-23NB-78QY-01EE-23411BW3526Q}\StubPath = "C:\\Windows\\system32\\system32\\svchost.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	svchost.exe
3556	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1636-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1636-2-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1636-4-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1636-3-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1636-7-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/1636-28-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1496-74-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1636-141-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4544-142-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/1496-176-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3556-179-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4544-183-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\svchost.exe"	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\svchost.exe"	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system32\svchost.exe	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\system32\svchost.exe	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 2988 set thread context of 3556	2988	svchost.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4544	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1496	explorer.exe
Token: SeRestorePrivilege	1496	explorer.exe
Token: SeBackupPrivilege	4544	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Token: SeRestorePrivilege	4544	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Token: SeDebugPrivilege	4544	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
Token: SeDebugPrivilege	4544	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1872 wrote to memory of 1636	1872	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	87
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56
PID 1636 wrote to memory of 3448	1636	c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c88647eb640503ad2655f28aabe3d6c8_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4544
    - - C:\Windows\SysWOW64\system32\svchost.exe
        
        "C:\Windows\system32\system32\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\SysWOW64\system32\svchost.exe
        
        "C:\Windows\system32\system32\svchost.exe"
        6⤵
        Executes dropped EXE
        
        PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240618515.tmp

Filesize
857B

MD5
84bb910fb96619c26b961768fa0c1de5

SHA1
d1bea7789be0ea012b0d24b7b4e305bafb219e6a

SHA256
dff59d1db7681cc8cabd9d2b6272a5b589684da192157cc5f90a4cc6d7225096

SHA512
06abe36fc12da1d7693106964dd0d8cec08335adc89d7572d822aa2f5c18e570c55b80a3da300522a2d634a915d07621923250e4953b877bf6815bff16fe53b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
5812c62d73cbe295521a7a54d7f7d336

SHA1
6a3d5179412a75ba404589678ec631201ac1ba97

SHA256
9a0b74c722c6f1631956a1153971f27b5dd3bd361a19c897f2e3e9d105a44211

SHA512
8e20095222b41be8bb5215af82fce0f2b67b85d2d9649dcf4667161316e99322d60535e11732165a9a7c52d8483b991327c8afaac89f72b4196184255bcb3c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
050f3b3e03df990e0ca62120dc260213

SHA1
e7f6c888e1587aa6b2ef727b7a154b62969a3761

SHA256
95f22031c236e026955f7615e9fd86dd07e6e74cdc7f4fd0993986c88df9f411

SHA512
e818dcd5d55ab790913b2f963d92df113b05f539a7738c09e95457adefaf56f683816f8a6ba2c330173399bc5dc018fa2947183a021b26c19911251cf96a5f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
54ec9e08612dca6c3a627c30f487af0b

SHA1
81cb711c906251ce3657e0fff1456efe0d1131ff

SHA256
930c5f80e422d20a4f9b16d0dc6b391c32e884699b8a4ff599512040cd96a8f2

SHA512
29a2694a558a6bfca68940aa0c447a020885891548cd42544594a3b4670a85ef57e75b5823256f904037a1ab41075a4deefdb613aeae811df9e51f86cd60beb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a79ae27d503072fe9adb60b166fdc431

SHA1
4a208dae2721a6bf2e8739d2447c274857a75bc6

SHA256
7944c07e3e271be1c4ab4aa68802d79e9bf25817e747f264ee47562d8712ea28

SHA512
4fcf120daea915181c9d5ffe58f40fe02b323c1fcf66603ad887bead0a0ed4b501f851ea2c1168d07e1d467d26d391272bdb903bb2e6778410ebcfba5a853cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f88f0ba7695621f350ebce509a1124b

SHA1
15942cb6ed2fe13653de69ec83c25c4386ef6284

SHA256
03a712d0f6ba360a96183f1befd7d0036dcd0480c366289bfd9728adacb0c21e

SHA512
78ea89952da743270365ea042717ef6e3ec48094f5572bad386324a197ef0b379ebbf2b778b0c29324e3f99cfeee3354167afaf05cc6c6dcde9cfd90c4e76b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
93ef46df20693f57946ef829073a3017

SHA1
7727938f2ff6eda96dbf7fdf0157b89eb5a05f09

SHA256
b01a4e59111182790a2ea8152e57f959d0804f7782bfd18fdaf66d519e30106b

SHA512
7726c08ca5911ddf047063cd40a932ae251cb1dc26a3a4a61e9af49657afde31e5176d2e5061f113cad8397e7ab5e7414d47447ba9c6fd0587220a46c92e7ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cf388920b8fad31b6ef34df2e34a478c

SHA1
e78d90369add06051ca800f7a3a6a1f01a481142

SHA256
29588ea76a76ebabb215b01af47534ba7bc1f830c800110f6e6a60cbf4f73ff9

SHA512
4af0e3e68deb577d80d87a55e2186860f693c79bb6f1900241d73f41b2ae72917c1ce9cae8a8473f73edd89e6decbb19e0d5d48a1d29639056bbc58b2c802e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7071b1f382ca3b1fdcd1f8614fa7285c

SHA1
fa9f7621d64b80d0aa5755b36c8bf2cf0e7cc13e

SHA256
394b882242d96e5379325f15e07c93e46031370ef609856e0f3699f80973270d

SHA512
af51fc1aa70f956780063a28e6e91dd2f9bf2a2740fde72002d1b9243f7786bf5afc23c1ffa8f29f613869acc8738b9f2f78e11647d9d25876606b849adc040b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fd74f43d36aeaddf0100af32ecf580d5

SHA1
7ab3d64e5f80fe8787cec8646058a207f417f8e9

SHA256
aaf21129bb17018558ffeabfacdfc8de0ed674946c3025d3ccd01e44ab9895ac

SHA512
56cd4a087f46a56fb551ef57f0aaf6675c53bfaac0ae6d75b5c9aee8bd65a6048aa553340dc636387307b42692805ca4354d59785a6e8610d04b0aeff51deb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f441865a68d1df1b0610bd9bf15bac3f

SHA1
8059d91f22d98e425c5af3a5791968dfba2ba6c3

SHA256
f40f80556a2184b13afa295537ea7184f0701d122c5fdc73a952001b898dd14f

SHA512
ad892863601a26fa8fc94fed0dfa064b6c4aa7afabedd9a13cb0d56cdf2b0579448f68f873c1b055424eb37c96aedd8acfb3efd473a00f003b4db87327b9af07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
368b51a5da5523ef3addd59ef036788c

SHA1
ea213f27b8632f3c4e4580800104d1ecf20832cf

SHA256
aa7da682ac4cf6946b4e4445a713c7416e3ca9b63402449c092a3a070e44f559

SHA512
139a87799f147f14f40cbe694e32f663731c84ba1e7472203c076fb465af6d4ecb241110a946dc54bacdf2a6557409d1cc3243636b122ab96cd96d5fd586bb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1c206f164739811bd2460a9bdc2438ea

SHA1
830ec34eb1ddd21b74c906042de63c04a1962985

SHA256
0076596f7750a15bcd690a4a1317cc76cbcecbafd929e342dd5bf1b0bbf10d94

SHA512
a4d4e5155fabcbef3a236b7c05824287b9869b7b3c98a157b1cdd99ab945915bf7db7f91ccf12ff7d4db1f32f20f905f8a3aef1ceb517d6411d672f5f83ab5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e81417bf97fca9c3ea08c36449223fc2

SHA1
d68a23be82b119a5129f456a02f130afa3e8401a

SHA256
711dddbe23cfec7d96ad86981b81e24c8a8c60e8068d97d77df5a068bb52a111

SHA512
f9a09fb6671dc0d56d74104d76b7b091806de3a863928ecead4be3fc04afc0db4303d1efc715d1b160684b4a4b61fe27666f8c570d227ad73ad426a392175fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
af74ba219d33c1ebb14401729750e1b2

SHA1
82dce410182b0b6cb54226811ba0a73348fb3c5b

SHA256
beef55e1e7de61c777344b3aacec386b0a66965ef3e773ccc308d045fded8084

SHA512
145b7cf7da26943aa5842a063aecdc5cec8f00f221c3f3c4c549ce2710f205d19c1f01d08768c22acaaff1c0820b791799da821cc9b0819b28ac2dca922312fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
17e7071bae6e5846234cdb9d81ad8592

SHA1
7b53a3a896cfab4aa080fe66298e01a663f2e70b

SHA256
9b7fb297a4dfe869e3153ec104cb2cf4010bc2cb41f6da0e47301d52e3c480cc

SHA512
4991aaf53b82027a3c787f2cb4a42b07386f768ee2bb8cb0d3a2bad21c5c5d10906010d66ee31c48936360ce8083a254afc18fb23129f97d3f7cba041940e99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
55974086ad01361fdb47b293a71cee56

SHA1
1460ce1920edf50e1b283a55540581013ecd7031

SHA256
855fc23c0b58c3e5c6276f90fa66096028f0b927d65bee481e38108bcde3d2c7

SHA512
37b81746e5b524434ee2152b71e27a3c6136dda7af1f9841c8050025b9edabceb8a9492add00bdce1853240ca4e117866ddff1af883a8d038a80c78ddd83ba5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b8574e8075ffdd789c3bc7e43e20de88

SHA1
9b0999170db112d5f1f2293042dce4885c64085c

SHA256
308a1c9b2761dc0185d018355118809a21ea80ec4618d171deeb721f3290f8d7

SHA512
e6f79a58bd1be7dc0cff4c6b2df2a868149e9f31f5a20a3bf3486ac485ab1bcf7650eb69feba24aa8ca9f0e17a38069fc55ba613431f73df57c240648211411f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4412967b967bc407a4cef76bb2a58ff4

SHA1
46f04bb6c136f6761a3c2ee2a1c743dbec76de2a

SHA256
84cc62849cd4288caed2b531f81de396ca0d739d7d0a915bc4f4f761593a3af8

SHA512
695edf26a56ccdec74b83a5769ef8904fd77e10357e7d86886d8a3b4ec3e693e87ca598bf042ff7c70f71fe581a516329a0958d38d0e2820a11850ac82bb19e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f130f638644cdf095e7d060e3070d0d9

SHA1
94afa5146a231a3486ccb415dee7a78ec3fcca56

SHA256
472845f6a099a343ea75a659036e7c7a491d81b0f6c7bb2eb41f03a0b4233eba

SHA512
6fb6cd30236eafa177dad10860d10e1d346ea6772e98b804845b7b4b67beef116eac63e2cdd8d7e68da6a6e73515aee980a61528d4ec8b5d0bf986e606f9d62e

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\system32\svchost.exe

Filesize
464KB

MD5
c88647eb640503ad2655f28aabe3d6c8

SHA1
e231ed465464e24b602634b7bc3c2dc98f58d128

SHA256
e3b766f5ab7bea8f390719fdb235069bf2bc4f5ff35ae2baa0363536a4ee87db

SHA512
333b466addd12c3689a3ace37ff3e9b723e0d388fd345989b5b68b214ff4bf188bf5bdcbb0565b42de4ab3dcd89b7db93a707c045e6e8fe5444c4b2d147d170d

Download Submit
memory/1496-74-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1496-12-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1496-13-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1496-176-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1636-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1636-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1636-141-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1636-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1636-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1636-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1636-7-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3556-179-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4544-142-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4544-183-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads