cybergate | 5b7c9908c54e8a19e8195eda40abe283682558ef5dff957d9d528dcd31552373

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Size

677KB
MD5

dfe17b2e82792547a0e726fdd4ea3c8f
SHA1

1252a93e81858d900f2b29f050f9b525d0ab64ba
SHA256

5b7c9908c54e8a19e8195eda40abe283682558ef5dff957d9d528dcd31552373
SHA512

ecee42f2c1b23aa9b6b6a805a436f1697958d242030765fe591184a38c64cc09fe7cdde216f9e2ff07d014e02d9de09d2f2e43aa28f0d221c7b38ac1a4ae2fa8
SSDEEP

12288:NGXk52Myqy2fIcpAYCOWr1jlKJoAsYQGTHEJP2bopzUWBFp4Nx34WxOB/SZTL2Wn:Nb1yqDptCOWxjCbEJrpzUWJq34WxM/k7

Score

10^/10

cybergate remote bootkit discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.03.0

Botnet

remote

13oxer.no-ip.info:81

Mutex

VRS42Q3WGKNB06

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
system.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe"	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\system.exe"	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}\StubPath = "C:\\Windows\\install\\system.exe Restart"	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4U06G07B-HPNU-84I3-RMFF-102456OTOQ66}\StubPath = "C:\\Windows\\install\\system.exe"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2868	system.exe
2732	system.exe
2276	system.exe
1832	system.exe

Loads dropped DLL 2 IoCs

pid	Process
956	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
956	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2168-19-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2748-61-0x0000000024010000-0x0000000024071000-memory.dmp	upx
behavioral1/memory/2456-601-0x0000000024080000-0x00000000240E1000-memory.dmp	upx
behavioral1/files/0x0016000000018657-603.dat	upx
behavioral1/memory/2748-625-0x00000000002C0000-0x0000000000314000-memory.dmp	upx
behavioral1/memory/956-626-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2868-979-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2456-1017-0x0000000024080000-0x00000000240E1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\system.exe"	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\system.exe"	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	system.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2580 set thread context of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 1500 set thread context of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 2868 set thread context of 2732	2868	system.exe	40
PID 2732 set thread context of 2276	2732	system.exe	41
PID 2276 set thread context of 1832	2276	system.exe	42

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\install\system.exe	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
File opened for modification	C:\Windows\install\system.exe	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
File opened for modification	C:\Windows\install\system.exe	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
File opened for modification	C:\Windows\install\	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
File opened for modification	C:\Windows\install\system.exe	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
1832	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
956	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
Token: SeDebugPrivilege	956	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
2944	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
2868	system.exe
2732	system.exe
2276	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2580	2168	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	31
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 2580 wrote to memory of 1500	2580	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	32
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2748	1500	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	33
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21
PID 2748 wrote to memory of 1208	2748	dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
        
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2036
      - C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dfe17b2e82792547a0e726fdd4ea3c8f_JaffaCakes118.exe"
        6⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\install\system.exe
        
        "C:\Windows\install\system.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\install\system.exe
        
        "C:\Windows\install\system.exe"
        8⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\install\system.exe
        
        "C:\Windows\install\system.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\install\system.exe
        
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26062007(024).jpg

Filesize
240KB

MD5
f7fb8f3a46e22a8dff4d77c409fdbacd

SHA1
21fba743acdaf3d87d680e4d3b3c2025ec231347

SHA256
8ec77cc261d94fc89e4b7d2080bad1d46a600ce93a3408750b41b6e6941d8457

SHA512
77ff082837334eec1a47b6271c2d81d3f2d013a3dbd4eda7b34ca82cd3f3362f7eb97052351b5261dc62686f607e3e595bdb33797d3e9e950bb0181175adec39

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
462KB

MD5
192dd886acb7e9946b5e89d5321beb81

SHA1
74508d3abbe8f919e8e785926e0ca6c470aff73e

SHA256
023b8037797425a52a48f6f732c2bfae7ba69e748fbdb76a40ae220f8f7935ed

SHA512
9feeb3b49577c18217528824eeefef451d776dc28712d77302965aebac928899c8e759ed00777ea7bf53b27f6c0c664bbcb5529144332b9cab0c13973d307178

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
017abae1fc1397a0ad1ce00392019b98

SHA1
b6aeff13e0330f318346117c092197be8e7f3ad4

SHA256
45b3c9a57ac51eb1b98215da8022c924b4fbea812e5205b63a5204c632e5844a

SHA512
c8182b94b543ff90a849632d5c6aa0a448ad17d0dd068a02e3f6a7239d68cc3340ac546491e088d6ec2695978749f8d91533d7dc1aea735a49b9e73211cfe777

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a6f048dfcd3c19cb6a9836a70f10ae3

SHA1
958ae779ee422e5bf2a30fb89c98761af9e8387d

SHA256
bbfa5314158a28a1d3ede14ad12e105a99b3623c09a9d0f41915ff844c8faf86

SHA512
851bc99ca2704d48bc1c41309e2babbcb835460073348b1831ade89d44566cfd6cad07aa812d8757ce907a9dd063d9e7829b3207578c3568ed35f0968096541b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9789c664a7e1d384b7c326fdb7d5b961

SHA1
9f4fa42e845bf9445874b306419737fde6d4d610

SHA256
3c6c04cb08bffe108208a2e589d982a83d953626093977ae84a8d3569a4b0492

SHA512
1938075017f9bd8bfe6a1f666ecb6f23f6fb4a2449deae4a0f6cdb5558457ef53a278272083bebd4918dea30bff2cc3395509da6ccbfee0febdcae62707f3417

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c7317791124a2067da6a9e6111cf0a57

SHA1
5f0e753ea4847e698a6a594b220dbaadd2adda85

SHA256
4b4057f5f2afba2b72c1b0a94d9bee5cbf7d33fb683c23431691b2f49ae44aa6

SHA512
4f4377b573c9193f21a7cd9d4fd2af0fe2ec7dec9cdde1592c7cbf44d4cf1e09493583895ea17fdb3e150d3a4e30dec8012855db5bb710ce73d37b752b18427c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4c7a9c84ea4116a28c7b34b50332a512

SHA1
5e1e6ec34bd0b92d4cd78d57f1481b99d8a01be2

SHA256
6d32d0d6c0d261021926b4c029cf86bfaf94f9226426fd3d126a96419e9c3070

SHA512
560a075f8e546051b0edd914e0988e93ecd9c80e0563e8ac5c767d782ce70296366d9299939552db9028f75330b647c03bbf26ab4684b16067fd0d0909968e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a3ddbd6264db0402a2d823fe9e159d1

SHA1
afc48e97bcb4b089f5eb8b6b961d8e9463f99f39

SHA256
4ff6609ecd7485ba9319feb5d01cde99275b25a17b9b5e92fd93266c3b7429da

SHA512
82ac2493b3e693e704b51589e7898b6539ec86909fa09d0fb294489f45ac392b341d9f18c357e0b3eba536ae1cf6e3e9e4798a5972ac72904ddb5baf69c3eda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e86c17818e095f9cea0a3b3b4fb96a76

SHA1
386f1970227ceba40d232a1b46f12eb42b62b1e2

SHA256
facd72f6806843152cc04cf46d197a3efc9c777f8eb44d6698337b3b875e394e

SHA512
a40b7b2e86fa42a87d64456f89f6508f63c0a1e829f77bd9dfc54384004be857f09c92453069c8b155b847ef5215c5541f649571deded999ec2def773c86b876

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d617fa11ceae3c0fefdf875a1cce6c6d

SHA1
e03265f137648a27d7ad3ee898805a0738572aaa

SHA256
7c92c47d289d466fe2197b4ec2650c51b8b769f77f62d7b2bf3b396ab4f5a1be

SHA512
34b53f7c5b42191928b13bb97448a2ca50c0236d0945beb327d8c58164d004a446733fdf24215ef235a58690d77badd78fe4bcc4683e51344cb53ca88d6530fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e535e963b051abb06a90a727fa094586

SHA1
e29c92c5d831a8e22a623dc2720419bc89b0fc84

SHA256
4844b9457038e9573f02cbe14c21be3a3e24de788230d3ec7ecaa3b7a50c9507

SHA512
f8fa332c4d0a35c206c67fdfa011410822d90ce0225edc4e8d073a3f2c08d0adf24365ef3c9f8c1e80fb43cfa671894cc31aa468122ba80786182dab9e049603

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c51417780d2fdb285c5663201d2442f

SHA1
2a637d4a029273a5fd46a5ab7963d2c85e4d9759

SHA256
92642f7c643594f2155fddae7e8a032131165622484249d740ac1bd8a7bb0422

SHA512
3cf722aca7b8376521d0c799324065128456b46b31073dbeb3d0a3f059ef08e8a04fde1891423c8b3ce2d06185278f5622f9c1ca6e9e48be640f35eac1b88c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8bead7fb547784ffb9c148073795fe16

SHA1
bc06ef92212d378a2e9403a1e04d8d2f6045b88c

SHA256
9726a89ba7b839ed1d5118364b942384b9403d0f274077e9c3700cac4f8d3993

SHA512
5378af5ecaaed1dd4de85662ffacacd43465aade1a3e8b814e2284f142befa21860360080138133e1831b6014c5c3155c77a996efc69a8799babf19e4e63ff83

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a142c2eba20ca25cf5418fa8c369848f

SHA1
622f6af8e9e47d9598b2c08cf72b2809097d7790

SHA256
d2cd3dc7ec67981a5dd42e91bd8919c4ff08551d894979c678fd8f749a2d1003

SHA512
ce2329304552a3502fae9dbfc573e03ba5c61b5fed6f6b76028d60a335df03cf39137ce81bf154ec9aac461ab6f4cce3db98d11751ee4fbdaf3cea3ca0225f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
584bb25a58bfd4e66b7786ae388aa3fd

SHA1
0a9ed38be61abc5be23bf318bee936517b8408fa

SHA256
95f21670f1fbbd589be716a1b39dfe418ddcbb5fc383fcabbcaa9c1d533bc23a

SHA512
974f8612f62c83603cc6a1040f8b280e826ec2f2877df9ade9fd762afade63e493c3dcbbf25d4f639489dfecf123d924f7c5f966637f6c104b54b60c1a07ea16

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e715325efb1151249a2905ae8b6dc71

SHA1
887defe4ac3fe26de070fc0fc0bf5e38bed69c84

SHA256
8bde1b2e4cbebcf872db2f197ddc8953726f03ea01bf86da5c28b0fd7b95720b

SHA512
78283dbc317680d794bcd9c8325a351397c37ef813928eadfaeb8ddfb5ca21c8a8e656e99a97b740e526b7b851e8c8aa3bc78924209dcc3e8a2bedf257d24794

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
92dd9f90e5225696ec4235b464bb8be8

SHA1
17c95f1de60e223aa29d1b043f809a8eedc228aa

SHA256
1136ac7ff9f0c2afeaba1981e79c502e01a1adf11836644f895d83207dca35d9

SHA512
d3a85962f53c9e6cc84474aef2fa1d7eda8eb9c7ce56883b4e29ede4753180a76ab7a77dcc3292c20da7c9f628763e60fcd3cf8645cd73492d7e4395aa230f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
47e57913821ec9be3a680a2473ad67fa

SHA1
d0ffe52f8870bbb3f63df7c47af3193337520fe0

SHA256
f2f802c9448e35530fb28d6a1822bb8f2989ef5642f02a4f0021f99f774ca478

SHA512
df218304f894a31de6ab4550f764b2a2b4558cc9958eb114208f6ad7cb4bbe3ec0c2773da9b27e0eed5b60ee2ea512d58598c83838b4d5c5adad8bde91354038

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6ef8af8dfad3b0f49f5d728d1e488ffb

SHA1
1b09e35afe751a8279f53272f6a927c68d037414

SHA256
e54e40c25bb9933cc0d4a5a0dc23fcb9c80cac0edd846f5f87aa78461a1c0ce3

SHA512
7347695c67f55c5b165b58dca53568492b5b51d6b6fd183515582f7658447afbb73cbeb270c6a6f8e4ed8efb233f1595e815c95775c3bdb2cc4e32e4b80273be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1fe43b37f26413fa6b52ecfe5540ddc9

SHA1
bbe20c8e5f450112ef43ce27fd3d25409fe50408

SHA256
dfbb8317e0faadf6fc4770a06b5d6b417ca95b1df3be038425e5c50c060ee582

SHA512
78ab609a08e0d53311d26a5fbb9dd1b47dbd378968d498b0ca6ccd5641e61fa3b2917c2794e36eadbd6b0c894f33e5a62d27a79e97702a3e8b1f4059261dcb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bc54d6b568359785cae6368be1a0d29b

SHA1
7c9aa4653b5cea0953841f5def1ed3fc55967589

SHA256
0db7a9eb8c437b83ff4d40ae9fb7dd8490bf3adfc0ecbb8993c7011f6a9ab789

SHA512
5aa6b0b572d0c88eae1c2e67a3d26894fe5df25f8fb91048372a490637cf72d3c4cd32f9c956ba656addfd7fdbe91e301ef3451da5eb32f38aa778f635d88719

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9ed52770cf5125c0f01de5c4b8fa3d74

SHA1
44c4bd4a06b4a5a6533b575d680d9240e9bb4ae8

SHA256
3c75cf625a9ad9087fda18bc25a6a081c304889d0f42daccc223e4aef29a3cbf

SHA512
52507ae5168e63ebc61a6b9fc2cce488f5366edf41f56e33d96880ee1f87e1f1310a9de59156dd1e9ae6a7943383cc96424368d20527849118c2773a60c74351

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
98fde43a1599ac65f71cf08f0909fba7

SHA1
9f452a034ea26a611364ea6d95826e4f2b38b34a

SHA256
fb66e8727ccdc881ea635b287854f05e7295e4a269499bbb7a68f2900547e618

SHA512
035995cc1fbf9bef7bcfe53818d54a2b2a4ca4b0ff92463605bcb6e363ab6c85c795c3c39583ffbd2fad45a2844afdd32d432a2c7c26350bd84c506ec17553a0

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\install\system.exe

Filesize
677KB

MD5
dfe17b2e82792547a0e726fdd4ea3c8f

SHA1
1252a93e81858d900f2b29f050f9b525d0ab64ba

SHA256
5b7c9908c54e8a19e8195eda40abe283682558ef5dff957d9d528dcd31552373

SHA512
ecee42f2c1b23aa9b6b6a805a436f1697958d242030765fe591184a38c64cc09fe7cdde216f9e2ff07d014e02d9de09d2f2e43aa28f0d221c7b38ac1a4ae2fa8

Download Submit
memory/956-626-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/956-1020-0x00000000052F0000-0x0000000005344000-memory.dmp

Filesize
336KB

Download
memory/956-961-0x00000000052F0000-0x0000000005344000-memory.dmp

Filesize
336KB

Download
memory/1208-62-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1500-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1500-53-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/1500-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1500-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1500-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1500-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1500-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2168-15-0x0000000001F80000-0x0000000001FD4000-memory.dmp

Filesize
336KB

Download
memory/2168-19-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2456-601-0x0000000024080000-0x00000000240E1000-memory.dmp

Filesize
388KB

Download
memory/2456-1017-0x0000000024080000-0x00000000240E1000-memory.dmp

Filesize
388KB

Download
memory/2456-310-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2456-305-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2580-36-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2580-18-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2748-46-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-57-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-936-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-47-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-48-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-51-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-58-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-45-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-39-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-43-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-52-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-41-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-61-0x0000000024010000-0x0000000024071000-memory.dmp

Filesize
388KB

Download
memory/2748-368-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2748-625-0x00000000002C0000-0x0000000000314000-memory.dmp

Filesize
336KB

Download
memory/2868-979-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download