cybergate | d305675e59ba40808fd9454482f952bec51d86c488769a6967b4223539762ead

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Size

1.3MB
MD5

3e15e8bef679bb353ca23c80f4563b19
SHA1

81c2be27dabe44ba11672a4fd8c771b107c8eeb8
SHA256

d305675e59ba40808fd9454482f952bec51d86c488769a6967b4223539762ead
SHA512

3ae9fb425752eca5499ecc91a32466c90f5203fa56bbfd54d5da9a174c996baea8526f7be720729b9ff4dd30699193288b1f47e1a76d0740e97ec07d87081faa
SSDEEP

24576:0FPwlwYBN+8DjOnez3TND9dUUbKVUkXHnv9ZZkv9ytQ9MzgO73gj8ivI:0iwUGne/bGta89ZZY9Cw5IgAi

Score

10^/10

cybergate vítima discovery persistence spyware stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

garysitopraa.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
System32
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System32\\server.exe"	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\System32\\server.exe"	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}\StubPath = "C:\\Windows\\System32\\server.exe Restart"	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}\StubPath = "C:\\Windows\\System32\\server.exe"	explorer.exe

Executes dropped EXE 2 IoCs

Processes:

CCleaner.exeserver.exe

pid process

1080 CCleaner.exe
2036 server.exe
Loads dropped DLL 2 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

pid process

1920 3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
1920 3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1080	CCleaner.exe
2036	server.exe

pid	process
1920	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
1920	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\System32\\server.exe"	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\System32\\server.exe"	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

Processes:

CCleaner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop	CCleaner.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner.exe

Drops file in System32 directory 4 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\server.exe	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\server.exe	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\server.exe	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2508-0-0x0000000000400000-0x00000000006AA000-memory.dmp	upx
behavioral1/memory/2508-3-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/2508-306-0x0000000000400000-0x00000000006AA000-memory.dmp	upx
behavioral1/memory/2412-534-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
C:\Windows\SysWOW64\server.exe	upx
behavioral1/memory/2508-598-0x0000000002270000-0x000000000251A000-memory.dmp	upx
behavioral1/memory/1920-616-0x0000000000400000-0x00000000006AA000-memory.dmp	upx
behavioral1/memory/2508-867-0x0000000000400000-0x00000000006AA000-memory.dmp	upx
behavioral1/memory/1920-897-0x0000000007920000-0x0000000007BCA000-memory.dmp	upx
behavioral1/memory/2412-900-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2036-902-0x0000000000400000-0x00000000006AA000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

description ioc process

File created C:\Windows\CCleaner.exe 3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\CCleaner.exe	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exeexplorer.exe3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exeCCleaner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCleaner.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

pid process

2508 3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exeCCleaner.exe

pid process

1920 3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
1080 CCleaner.exe

pid	process
2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

pid	process
1920	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
1080	CCleaner.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1920	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
Token: SeDebugPrivilege	1920	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

pid process

2508 3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

pid	process
2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe

description	pid	process	target process
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE
PID 2508 wrote to memory of 1192	2508	3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:2412
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e15e8bef679bb353ca23c80f4563b19_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
  - - C:\Windows\CCleaner.exe
      "C:\Windows\CCleaner.exe"
      4⤵
      Executes dropped EXE
      Checks for any installed AV software in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: GetForegroundWindowSpam
      PID:1080
  - - C:\Windows\SysWOW64\server.exe
      "C:\Windows\System32\server.exe"
      4⤵
      Executes dropped EXE
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
2.3MB

MD5
95d50673d4672c4f08636220d1ca6d72

SHA1
52fb7a506bdd10a9e3093d5c9615b8b4bf0c944f

SHA256
d9cede92f0ba258b805aa7e7b2be4d8f13242131ac5931e34b6291397d789e6a

SHA512
01ee7aa460b620582fd4f29b7fac40da4f20752f58b34d92f3f6c61b8e8f08719ae4d36e40ff2f5de5b2541edb79afd78b9ae2f9d8936e61b0c91e75534f150d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aefc3654d5066a267c9b13de4fbc9173

SHA1
b74350395ce3d4eaa3aa692bf15e9d07570aa41f

SHA256
2427171ee7d530f09881936c1b1140dbe8d43e704ec6e932629db43d8c5cadbb

SHA512
c0f13a037b977022b79a298c2a8df8bb7ce2c43f3e5dfe527d1fe9bc5ad29eaf889745d352c692d291845b230dc48ab3f034657f356568edded343925af4f2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e9a8e243ed583b6d170b01228ac06450

SHA1
b5aa79d35566d20131821ed7ea44c8df9d1db20c

SHA256
3bb1a9b9b982cb0e117e197e47afceefbc6c4f7310e68d0de2056bc8c10a337f

SHA512
1eada6fa78ea9c601937e722e9057095b5a63d4fc29d34e613898f366611023772bcc1049f290bc32a91c1e166624c3be75e2905fe361d2e531644e7ca936b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d2d2c8924c6422f4d00bcb13a28ecf70

SHA1
623ba26320d1f5185efc9424d53918628d546cb5

SHA256
6449613e87bf34a58a17cefab3a06a98998ff86eb2249015d27bbe81fab7c59a

SHA512
9a6a10eb76c423fbfb49a70fcaac4c1f5512f6c0990f9cc2c9354ecc717f2a73b9963943073819eb71c7595fd03c4b0618c6927c1f5b7f05a88470de47744be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b20902bc8624af31b943ebc3bce3101f

SHA1
230c0a13eb9ad07864bc330475cb7cda961a09d9

SHA256
aada6de3e770feba967b6029498c6b11c648f1b3dbfae8ba1fabbe81c48756b3

SHA512
315f3e6372392cfea28f0867775de32a2808160b57840222465604e29e3af8ce6277f90b3b4a9001ac5fc71c54302e06999cff1f8c428ecb52d4a51eb344fac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
19f9e901190aeab4295af9b8c0557f4d

SHA1
120340549fa60e838e6ededdf3be2413a80c424a

SHA256
936545667c280261f43646d7c728c8624af6758b3fed43f43fff9a6eb90960ec

SHA512
41a767dadc652d85980063078c36d7dd0296aef5c224b1c23d8897d91aa524d7b3161f0c5daab1b07fbbbd67e28c3ab64e0113d5d94bdf07e3311535629a1771

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
989670390acaaf086cb4eb126e103a05

SHA1
d051ab2a7592093cff5c34624ebe1c1f91f4abe9

SHA256
aa6b6ae89526cbb7c38a85fdc751ed32ac8da475209dd7f525d6e49d4631cbd9

SHA512
99ed2daf0cc64288be5885c4a0a3c662d9fd6b90010180770d46e2c703bc6675e8953998f268c01aa3e6fbbf5792e2b7cb775f235e1bcd01c0fa39a69d26cda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e938d9cf33dc29547090bd8fee8d4194

SHA1
adcbaef07be7226900e6848ad629cc90a54037dd

SHA256
8b3832dfbbe857387c1b6c889df1164a6b98f4a3ad390fe4e024734f9b156bfc

SHA512
ce263c4b9552628eeac05d4f89fb1e56968ce8227847629fedc3169961f90f1708fc2122a891be31b2fb17db4cfddddb4e4168e51135ad40a2645dd832985c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
aa715d77e6c032591ff9f63a95dfd2da

SHA1
06cb886479e59e7ad5380f4eb6fc54824f12ff29

SHA256
565e1b98a0b398407a6d080b18e52211c50e73b62dbdfc5bd9be092eee3ab68b

SHA512
03394be9c4db2de51edb6c85f0f092ba5a842d6f6779e5efa0c6109ce3b0a0851f763a629ce4494125777c05bd0ee6be369fdc023402dba31b65c563d3e55896

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cbb2cda83315a15e33ae107d4102c1ab

SHA1
11a42c3b6ff16dcf346da7b412b167b72cb24d52

SHA256
421bf508bbb7ca13aad1e5f9a53ce65acd9afd1ef661b91fbf2a652ef3f2d350

SHA512
0fd2fa627644096be701cfc39a429c4a0a66dffb3555f89333d5c4ebf367f8125749b2f6a6ae9c21f5feede8c1037b95a42eb07ddf11f550faf6c4ed911b86ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
99a5353ce766dd7ac3d7357d1bafe1c6

SHA1
bc3024cbc14c9fcea5b77fdbf761676fb8997cb3

SHA256
9b954a94985b4e7d31f8fb4b45aa2d41656017b4298ac5ff304dab580bdcf4ad

SHA512
412de62a105725e68b2f85e263fd5270a5790e439a4ddd0211ab0979281dbe53b33b76a4d777826375ed249042d1886b3978b8b364d4687faf513dc4446a0ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
794cd57d87f96b910a3705fec9a3a152

SHA1
0b274bb2aae7b4399ade3ed8a01810bf7ccc9df0

SHA256
1fcc539985909ad89581e7c2b03fd07e9474b2853a2095a91a084bf4065ddd46

SHA512
4a05f1c930662056d960fb19e6072b0a79370503a94bd9524bf8b4980a57c1cfd550354eed34fdcba90ac235866e29b1dfbe10b9e555ac77ff1d4102efda8dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cc033c602a5f87df5099d73ea8b05645

SHA1
88771f68b723b8f132d8e054afbc8cb23d319328

SHA256
1fcadf58f2b99b381a9d86fb518c57460c72f6b66b22f4aa6dd8b0059f2ae4e2

SHA512
d41807bc5f6bbe464c0aca25137c43b8d737e1b376fd84991e51b4f3a7a89cec23f65ad7206b646a09c7c83a725fa0e2d45deb7bec5cef49699bee5bf1819b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2ac7e6e0e337b9e643876ffc8ab0be19

SHA1
6b8fd4d5bbeb47166aa2b5fbc93f9776df2a9ef0

SHA256
e83a055811070ba6d462e960608062f2a02a28f297b2f55993d93a48ab64b4c8

SHA512
8b07531ff94663133e62d080f2f993e8c7fa169b923625e1d8bc515b2d260744e9114cf1b1480d6ea3cd4d10f6a688802736a4c0efffe5419a02da705cc7b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f01ed667b59a2d5b38992629d40285e2

SHA1
02a3761f2e815905b1adda9b7219e179ccbf7af5

SHA256
b2235760210836bca4cfe2a71a14a1f2a874aee29c812f2a0fc732da4220200f

SHA512
aa031330a03326633b0e8d02737b2c80e87e56369d1783b96f93ed926f9a779aac326b06af2cbb5b83997d497b2421471a81df29bb242aa50ae0892215a1628c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c2a836611b8fe2a69f4d8ad69020d5e0

SHA1
27d0ec48f4445a97db6411c2699d0dba5d5d4cd9

SHA256
c2dc830bbbabb88332c4f5dcfa7f0d9835ff79a4589d2123657ec5c697bd2641

SHA512
448e9e06d610e1d97d9661c3cf4aed38696579a747bd6d6069832ffbdadb48115ba0f3cfef84d7dc03f5f822fbcb5d70c4af5c58c9580d9fdf5a188ae180e31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bf4678e2de81f457944d37195c02b8cb

SHA1
2f2d5ec844b2c28a2369be66785344b214039553

SHA256
925e6224f3b972577a6ae92d93d8fa6e7ca98d448fa6ec128e6e31c8ec7e04bd

SHA512
bc844693bcd85db3a1641c34ba7a3ea7cd6cda1ad7427741034937c9b57215b6515e9527b36835e16a76e2d823c1ffcf0e97d5338d35557ea46e97eaf0c93163

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6aa510d57f4d93d9fa3559faa8e0702e

SHA1
70042f25afa58d7bc3eb8b4e09eda48c958a8cf9

SHA256
2b35f7118e2ae8f1be7226c3ed2517a3c28468ac16804c7d0283f758d13e4b0c

SHA512
58f56dcef3bc7ca4fdda4dae158228ff5938c8598d4fc61edc7be19aa12470dd661f61eece360965883d14aa19b5fda3c6c404ac3585eca2b5fdeb315c1fc8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
233ae3f7af5667081fb109e3a3da679f

SHA1
7c5e4725f7c76722651e6b3e2b3cce8352a7c117

SHA256
8b2f9c8467a39cbe4ebe63f2e1470de125361417332c4d276d1d55ab7151e6ab

SHA512
5b2cbd5e27a9f7153873f01ed5ad448ce654dcd5b09d29bcb7e929b106ff8685a065ea1ec9b848b48c988b8004f7f0e7431f46849737eb0e5699ea338f58ceee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7df3b170359bc8924cd773123fb490b3

SHA1
9a3d7a192fcb0d3abdfd8770ff78f5184e835079

SHA256
f91b703893e7950dd37dab30c38867d9a8cc41958d55758a35d9a947e271b1bb

SHA512
fbe07c8291ecab6dd04a309cec7f1c3d424e08d68bd6e8ade3fb9d417ec7fcc27d28dbbec4a4f199e43e8e2e0fde9609e6bf2a73e33821bbdbfe81346137d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
68ae0d8bb97e888f473608283ab547a1

SHA1
119648cb90c2e79edb0563b5dacab0a77f6619af

SHA256
224126ef423470c193d7f65153d968b5673abebca6039616cd072451362ed2a2

SHA512
53b22d5f9c0e6bb6143209b39a29813029679ce9e213d11c28f98465d4e1f4627d4032c5c54f7bb0b02acb95b4c30c2f6a4f790366944afd85fe3625d786f882

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\CCleaner.exe

Filesize
2.1MB

MD5
91b18eb2762c9e0ba41e644cfa8d4eb8

SHA1
7cd608ce362ba6f495299fa716cdf6631e73b8bc

SHA256
7228b89165240436d16c2ac66ca0dc00aad10923af20a4bde93f2eea63cbb8a2

SHA512
916090971a2e8d13ffb102fcd44ee28011080dd4c7824dafa8d5c774e6dcd20dfcf48329652ba51c60d9ed2d846ebbb981b52dbb7bb51d170a1f9e8406ab6214

Download Submit
C:\Windows\SysWOW64\server.exe

Filesize
1.3MB

MD5
3e15e8bef679bb353ca23c80f4563b19

SHA1
81c2be27dabe44ba11672a4fd8c771b107c8eeb8

SHA256
d305675e59ba40808fd9454482f952bec51d86c488769a6967b4223539762ead

SHA512
3ae9fb425752eca5499ecc91a32466c90f5203fa56bbfd54d5da9a174c996baea8526f7be720729b9ff4dd30699193288b1f47e1a76d0740e97ec07d87081faa

Download Submit
memory/1192-4-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1920-903-0x0000000007920000-0x0000000007BCA000-memory.dmp

Filesize
2.7MB

Download
memory/1920-616-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/1920-897-0x0000000007920000-0x0000000007BCA000-memory.dmp

Filesize
2.7MB

Download
memory/2036-902-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2412-249-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2412-251-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2412-534-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2412-900-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/2508-3-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2508-0-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2508-306-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2508-598-0x0000000002270000-0x000000000251A000-memory.dmp

Filesize
2.7MB

Download
memory/2508-867-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download