cybergate | b7d066b9aa4a2485b2216460e5f785603ad5900ec7803cf9efc61e52152c674f

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe
Size

649KB
MD5

55a81acdaa133044ed0e252a09ef8cc5
SHA1

c2710746f833e9b4c44ef196914b88292d4a32f9
SHA256

b7d066b9aa4a2485b2216460e5f785603ad5900ec7803cf9efc61e52152c674f
SHA512

26d8a4d560a666f1cb6eacbabdc14d5f83ba59bbfc4640a016d0f12635c7d59104e763c8d6a987bd1ca8eb302f042fff3b476fafbb4a1417605994948d77fc69
SSDEEP

12288:5UOMWLUBEoQeiXIHjPgrmGC/judwMjoL9m/CgJK:qOMWzoQXIHjIrmPSKMkLoA

Score

10^/10

cybergate vítima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

lemark.no-ip.biz:80

Mutex

dfzeiojfgerg

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
win32
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

twunk_32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\win32\\server.exe"	twunk_32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\win32\\server.exe"	twunk_32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

twunk_32.exetwunk_32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4LU77L-55X4-R277-6NDQ-WQ03KALC486V}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4LU77L-55X4-R277-6NDQ-WQ03KALC486V}\StubPath = "C:\\Windows\\win32\\server.exe Restart"	twunk_32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4LU77L-55X4-R277-6NDQ-WQ03KALC486V}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B4LU77L-55X4-R277-6NDQ-WQ03KALC486V}\StubPath = "C:\\Windows\\win32\\server.exe"	twunk_32.exe

Executes dropped EXE 29 IoCs

Processes:

protected_01.03.2011_021400.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

pid	process
2832	protected_01.03.2011_021400.exe
3704	server.exe
3748	server.exe
3792	server.exe
3844	server.exe
3884	server.exe
3984	server.exe
4032	server.exe
4080	server.exe
4132	server.exe
4172	server.exe
4216	server.exe
4260	server.exe
4308	server.exe
4352	server.exe
4400	server.exe
4444	server.exe
4488	server.exe
4536	server.exe
4604	server.exe
4652	server.exe
4696	server.exe
4768	server.exe
4812	server.exe
4856	server.exe
4900	server.exe
4944	server.exe
4996	server.exe
5044	server.exe

Loads dropped DLL 1 IoCs

Processes:

twunk_32.exe

pid process

11728 twunk_32.exe

pid	process
11728	twunk_32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

twunk_32.exe55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\win32\\server.exe"	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\win32\\server.exe"	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kjhgf = "C:\\Windows\\protected_01.03.2011_021400.exe"	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kjhgf = "C:\\Windows\\fond-ecran-jeune-fille-qui-prend-la-pose.jpg"	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

protected_01.03.2011_021400.exe

description pid process target process

PID 2832 set thread context of 2972 2832 protected_01.03.2011_021400.exe twunk_32.exe

description	pid	process	target process
PID 2832 set thread context of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2972-20-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2972-17-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2972-14-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2972-26-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2972-29-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2972-28-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2972-27-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral1/memory/2972-8812-0x0000000000400000-0x00000000004AD000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

Processes:

twunk_32.exe55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exeDllHost.exe

description	ioc	process
File created	C:\Windows\win32\server.exe	twunk_32.exe
File opened for modification	C:\Windows\win32\server.exe	twunk_32.exe
File created	C:\Windows\protected_01.03.2011_021400.exe	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe
File created	C:\Windows\fond-ecran-jeune-fille-qui-prend-la-pose.jpg	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe
File opened for modification	C:\Windows\fond-ecran-jeune-fille-qui-prend-la-pose.jpg	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeprotected_01.03.2011_021400.exeDllHost.exetwunk_32.exe55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exeserver.exeserver.exeserver.exeserver.exetwunk_32.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	protected_01.03.2011_021400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

twunk_32.exe

pid process

2972 twunk_32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exetwunk_32.exe

pid process

2844 DllHost.exe
2972 twunk_32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DllHost.exe

pid process

2844 DllHost.exe
2844 DllHost.exe

pid	process
2972	twunk_32.exe

pid	process
2844	DllHost.exe
2972	twunk_32.exe

pid	process
2844	DllHost.exe
2844	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exeprotected_01.03.2011_021400.exetwunk_32.exe

description	pid	process	target process
PID 2372 wrote to memory of 2832	2372	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe	protected_01.03.2011_021400.exe
PID 2372 wrote to memory of 2832	2372	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe	protected_01.03.2011_021400.exe
PID 2372 wrote to memory of 2832	2372	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe	protected_01.03.2011_021400.exe
PID 2372 wrote to memory of 2832	2372	55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe	protected_01.03.2011_021400.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2832 wrote to memory of 2972	2832	protected_01.03.2011_021400.exe	twunk_32.exe
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE
PID 2972 wrote to memory of 1196	2972	twunk_32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\55a81acdaa133044ed0e252a09ef8cc5_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\protected_01.03.2011_021400.exe
    "C:\Windows\protected_01.03.2011_021400.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\twunk_32.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12500
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:11692
    - - C:\Windows\twunk_32.exe
        
        "C:\Windows\twunk_32.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:11728
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3748
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3844
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3884
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3984
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4080
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4132
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4216
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4444
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4652
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4900
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
      - C:\Windows\win32\server.exe
        
        "C:\Windows\win32\server.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5044

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
306B

MD5
c9451f1a985779871eac0e11265c9864

SHA1
4fd3ec1451511c138c8c1a613a975985bda4c9aa

SHA256
2a85ff51baf829f5bd53f8c07eed2dacf346228c6a095bb46b0712ce7509c0bb

SHA512
d871cef9215f90946d60dbde378dd917e2ac37a2a1824b700ef9b6e1a7db0da2bed8514239d643c47d1f69f2e641ef2469c8f177d980c5dc6b476596fe17c63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
459B

MD5
8d36fddd581b4f2d9f217c7ae2ea6828

SHA1
729713bea7fc014ce2ecb265f371d24a6ac1d767

SHA256
5e782eef079219543190baba814ec6b601bff11a6ade44c7a83be3da9f5bd97f

SHA512
73e94bf0d26fd60b3c0db054c391b06dcd3d9f5dc16262fb60682896878436212fc4014faa09e3c80afe0c35be8231052685205c2b8543dd363844820dae041e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
612B

MD5
9c82cd594d30455c114ed29d95cfd3c3

SHA1
8b08b3e852ba90a4d4b6879e9b70bb62a69ac4b5

SHA256
5e1a4aaf0b3b84a255018796679bd101589ef0b1c4cb4476762fb1cd85a506e1

SHA512
77a9e5229f87f446735f6df7e27a842ef6120222d00a24ec63e12842f6747fcf182b7fdb59a652ba281a73d40c74eedcfd86815d6e3e14cf118f1421202d2132

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
765B

MD5
c3210b5e7a546e37bb086707d1cb8fde

SHA1
ad684a796a4e7e3972db6647b7b00986ff4733c2

SHA256
84cc857706a65b374b713f5db348305e521c43e4a5d50904e241bdb939b6fcc4

SHA512
fcf92bb1a594c33562e004275220e445f4767f305046776582dea246407951c1fa8d1766646565f08c47e1bd1117a23570937b9eaaa99801d8d9eb31cd89d299

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
fe164e8c0f5d0f4252be5b25fcc6dc88

SHA1
fa160614f22d7bd84bfa7df938141b7659b74158

SHA256
2c2e518de03fbaaa08323bf60880c4ae2d5417b42e856c96e79bcc7a4bf3c8f8

SHA512
578288a54ba54ec5a1c65c68662f6363b8631603afcd1441070a8951824fe8a826479da57e4681b974adb820a42cbd4f6c78ea94f9e7b401c392b624528d84f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
7eab8efa3d126a69c1a92f99095f1c86

SHA1
f165a11de2785e237ab66d9aae0aa591948adfd1

SHA256
af98407c9882ae501ec7f5c9eac47033e39a493783cde16dbdf1e706dcb49971

SHA512
d6dda1bbfb9137fa174eb8f9f4331202732d90c46b61d15317ee1383fecb9adfa7248757fa29a1bf637ea3eb0975adf873eaf8c7abb66435934721f932645904

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
5159f6471ada101363e8c27cd34fb3c7

SHA1
5de7f5c12912ce40c93a8ac3ac0932029b74de6e

SHA256
1c0be058a28e0cc66e0e2f77961a0adee50b2d1228e64970bb4260161139c106

SHA512
fd21f49d9ff4a2dea820d9525f7d0e1774f3ac23f9b855d5b269accbfbb4fe9d02075992d011bba8ad247dd47928417a202ba767f2c7aa2098bcc3eb5bd4d214

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
89e81697185fb7468962c2da3a54fd48

SHA1
024f51206c7eb7d80dd6784de12acb60011ec8f2

SHA256
aad76303b1bfb1ebc3e37d31f2b3f725da7f0b2a5bab7c764de62a7d44d2d15b

SHA512
763c9be6d94a8cd3914821e9c7a6510e5a2d10084bad4be36791463ce2255d403a8253464195d6d4ec0cc62d69e4d061db027d71214afb7e7b630d965aa2ca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
99eadc93f96f25439810b1db169f59e7

SHA1
f84cb581593ef59e0550e536e26a3cb28f43a680

SHA256
ca6a42c1b76318d800dc3ae14389d57fee7d4cdcc229ab0dd24b560e9b0c0732

SHA512
5b9ccfd6a3a69a19f97e3afa61ed0edaf3ab5d9602a656de79dcab7e86c94e3754ee73a03daae4a96857b4b5b5b2b8e279773cc4f73d749c8ea027c9ce0d8f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
fa15e89f5c87a10cdaea30d48b5a0e60

SHA1
7183723158d193d560f104d0d3df66476f3683da

SHA256
b577de42d9e155860b01cfeea174ef623ae70138e1959cbda91d58d4f9634fa5

SHA512
e03349a65bf6c020baa2895b51cffffbcf3c1f911ffb4e376d1a916ae599e88b22db2ab5152e3331b14ed7f3cf908ea5c9d7e301ec4ff356da9a69189f109b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
3a414fc75f82c120786052ef256da93d

SHA1
43b0cc037bc9a71b699aef160c9c4d6189882a41

SHA256
f48cff52d299403f541836aba4f4ded6fc36d9241840c16cb5bdad0db4841b92

SHA512
cf1a2ef6947af25f1f5ee3ae8af96f612429402d7d502a9a32e040a148a6e69d457720c47612ac4f5ccd6c5bf75ded75f8885053ea6c82859ffb51abbd186093

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
c526883e07f3023e2ef1eb9c8f4d07a9

SHA1
043bb78d511b5a501491f7c6af249f0f14498ce3

SHA256
e69e5c8ca2b99f504b2cf2b96ba801ec6297b04a9f30d9c4af1a1c6d97bca1de

SHA512
48198e28ac089ceacb8728bf9a6136becdd297e53bd1418c275cdda6f5dc177942ef8036b0141fb1c0be4a13dbb82690064c68caf4631fefb7e5eb726eb41455

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
3KB

MD5
57c856b8128555f85e6341f430edf065

SHA1
e86d2e11c5dc7653f996865631de0f903a897613

SHA256
cf78b4923a12e6c56e394a63afe5b49529210d819a30ff43caee0662a83a63ab

SHA512
0ee8e2ffb975c893df610885dff703ebb253b29e341a002c684d3478e0a6c4163a5b74c075d0df96b4fb81e8f871b416351facc5a5a9e118f367a8ac405e1761

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
3KB

MD5
ba80a732718eb3235abb29a52c1d88c6

SHA1
1a2a3d36a110b4c352135d64430beaceecf0ae1d

SHA256
3847bfb7c5740a94ab3a41c374cd6c458dd8cb7175e8137e321e1aa44f66bc18

SHA512
3ddc008dd317f91954a3b757341a48f0d9664584b5cac0067a2b39594911526eed0aa61663b75c3217cf29540f68cb9b9c6651bff985fb56b25cdfb39b02af65

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
3KB

MD5
2c377297c356d8f23ae48c1bbfc26f45

SHA1
b7e01dc24345004caf599fa668a1ecb27541c7d9

SHA256
c2710c3455506fd8ceaa60d41fb558d1ebc00a916eda4be10e500429bb26d7e8

SHA512
fa8a723af7f65e18df45352a1129de925cd90f1ea4447f716a24f0eabfaac5e06f002cdeb15af12796104df4d99e6d0379e26e51e4c2ec3edb6599ec96442f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
4KB

MD5
fe3473979a000beb8840c9080f656b4c

SHA1
f002663374043421f9b66018de7e456b74d54654

SHA256
ede3e9757cf121818eb42903d21e229b0ec570dbf9fb996c5dd8da29297d622b

SHA512
a61fbede0dc7f66ce4a0e2ee5f7ca1914487f95de519606b1123b536ccdd63185f2e249b94dbb9d3a63fa21001cf2028a30fcf6682113f94ca2a3a8f71adfedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
4KB

MD5
9afb93327e70df2c8387f8f6e96f8468

SHA1
0a7aee6198deeeda18d3782bc39f36fcef2c5601

SHA256
48a924896d36796e12dca27e2d98ec0706985f41b8c11726017f9078cfc57999

SHA512
1c709fd890acef19a3c8ed62223de61de4a61dc8aebe5965638801db319a609f85b22d423bdb58fecbcdc085354510b8b0ad34431f3e0ba2461d4b30f69cbddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
8fea4abda7f4781ce9f9be6cda427b88

SHA1
5d86c4da537ccb5a805cea2f41c2dc00c1b02372

SHA256
9e2868f260b5b14c139a2a658ac2768a6a3ec6b80b30f194052acbd68dcdd56d

SHA512
ee865d1a037e7b23e867bdb72a3f3e0cfc2ed2fe58c67451a0285953a13154acaceb2c8b3ac83169c88b0c8a794d9c488443680e3a2a02ced4484294299d95d4

Download Submit
C:\Windows\fond-ecran-jeune-fille-qui-prend-la-pose.jpg

Filesize
41KB

MD5
09aa5fc7ff84a5461e32a38cd47261f9

SHA1
61d825499d73779dacf9510be57b5885d97fd7bd

SHA256
59383c28103e9999faf32d5eade842783152d85fbd8bec31576ecea72fe9f9e7

SHA512
06a4c3094d7aaa48c29a68a6ca2beb2b852182edab9c90e2ed0c3fde7e3879749d6f11445a4d897c0c17e945aa1197c272a9f6b51ab932a5e921b3b6423b78c6

Download Submit
C:\Windows\protected_01.03.2011_021400.exe

Filesize
586KB

MD5
b32bfa058a01d01f968074f7ac59158f

SHA1
faf26cf80abec3cab959c21055e16ea196b3940f

SHA256
d7d48932e6211151a97ed2e1e2218cc4527f27f58e8b4399900bef10bad6738d

SHA512
13272a021e4cbd1ccddd309a43147f9cc9e66c38ade624a1eec67a067022b2d15ef531d68d58c9a0503c66e5b0df780497203b0bbc15a5d48e6d6a4e0c7844d3

Download Submit
C:\Windows\win32\server.exe

Filesize
30KB

MD5
0bd6e68f3ea0dd62cd86283d86895381

SHA1
e207de5c580279ad40c89bf6f2c2d47c77efd626

SHA256
a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b

SHA512
26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4

Download Submit
memory/1196-35-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/2372-25-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2372-8-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/2832-10-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-7-0x0000000074C41000-0x0000000074C42000-memory.dmp

Filesize
4KB

Download
memory/2832-11-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-30-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-9-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2972-26-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-12-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-14-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-17-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-20-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-34-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2972-29-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-28-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-27-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2972-8812-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download