Analysis Overview
SHA256
2324baf9b9e29806f6e4346c5ab351acd474b182aa138d87ca4ccdca701a75c0
Threat Level: Known bad
The file cb44cafd8070323fe108f19c9afcae10N.exe was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
UPX packed file
Checks computer location settings
Loads dropped DLL
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-03 23:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-03 23:28
Reported
2024-09-03 23:30
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
120s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Windows\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\install\server.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | "C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe" |
| C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | "C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Windows\install\server.exe | "C:\Windows\install\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1920 -ip 1920 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 572 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE
| MD5 | 2f16426a0274725cf8ff7c44ffcbd275 |
| SHA1 | fd9937938d814ab83d78983b17f941b4e0139794 |
| SHA256 | 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7 |
| SHA512 | e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014 |
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
| MD5 | dde3e497c0924260d286ff11bccbb6ec |
| SHA1 | de0847cca9180e94d0d20fbdaa3e23189f9a4454 |
| SHA256 | 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962 |
| SHA512 | 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | b87bf5a04d6f0aa4ead70d655c0af299 |
| SHA1 | 52160184112c0bec6c539d939d71d6dcef6a07a3 |
| SHA256 | 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668 |
| SHA512 | 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-03 23:28
Reported
2024-09-03 23:30
Platform
win7-20240903-en
Max time kernel
116s
Max time network
120s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q} | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{080HG8HU-6D81-827G-3O41-0J8367C6261Q}\StubPath = "C:\\Windows\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Windows\install\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\server.exe | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| File opened for modification | C:\Windows\install\ | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe | "C:\Users\Admin\AppData\Local\Temp\cb44cafd8070323fe108f19c9afcae10N.exe" |
| C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE | "C:\Users\Admin\AppData\Local\Temp\RESOLVER.EXE" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\SERVER.EXE | "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" |
| C:\Windows\install\server.exe | "C:\Windows\install\server.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\RESOLVER.EXE
| MD5 | 2f16426a0274725cf8ff7c44ffcbd275 |
| SHA1 | fd9937938d814ab83d78983b17f941b4e0139794 |
| SHA256 | 59e0a784eb6f56e411946e86e015672786d830f69b2fc1f8886692f10f197ac7 |
| SHA512 | e6031d309b81b1ee3e88efa3eea80523098d6dda5018949b48ed63682569c776ba3956fd18151fa853b54955f0f248487bd1fff9bdd73d80cbc035229353a014 |
\Users\Admin\AppData\Local\Temp\SERVER.EXE
| MD5 | dde3e497c0924260d286ff11bccbb6ec |
| SHA1 | de0847cca9180e94d0d20fbdaa3e23189f9a4454 |
| SHA256 | 64e43c1240b8c762720a9e0754cc2fb27a498a444b3918e285ad0ceb598b1962 |
| SHA512 | 60b874446c4fbdfd0a3bbf05c67105a39e24033834b4af74b1e89438249cca996a073d3aa54bb5711a79300e507590554ea65eb2366ed6b069f72a55c484e364 |
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | b87bf5a04d6f0aa4ead70d655c0af299 |
| SHA1 | 52160184112c0bec6c539d939d71d6dcef6a07a3 |
| SHA256 | 9052750374fc200907798ff1b08216b54f0ffc0eaeb56c1f4b609264b9eb6668 |
| SHA512 | 415fee417e51c8ed741a10130f809e4e83e4c12d70deaa7291418bedc562ed14da800ce66952d9616e76ecbcc7bc2ef3357d231372e47325700c6accafcd5d59 |
C:\Users\Admin\AppData\Roaming\Adminlog.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |