cybergate | ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5

Analysis

max time kernel
98s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Size

4.1MB
MD5

5c2dd6e4760729c4e6ccba57e5c53dd0
SHA1

8b4f76990354a9fe16b4e8c4fe459dc9aa67b9d2
SHA256

ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5
SHA512

e479c858bb27281567ae79c9d3f7e505db72c7af49c5675fd2980d39696a82d59bcbc2c260a27f830992644f53384698e0e06bff149bd991d8f014157b98e05d
SSDEEP

98304:xUS+UpfIpZtN9DwAefvGsXjqD7+IG7Jyxz/xM3+A6nswaXzVJvV3m3:xAUWpPNBefvM7+/Org+FnGXzVJG

Score

10^/10

cybergate vítima discovery evasion persistence stealer themida trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

vítima

trufyhack.no-ip.biz:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{I8O55I41-0LQM-E6E6-0KHY-65FER04UGD02}\StubPath = "c:\\dir\\install\\install\\server.exe"	explorer.exe

Executes dropped EXE 15 IoCs

pid	Process
1948	server.exe
3224	server.exe
3624	server.exe
3728	server.exe
3896	server.exe
3696	server.exe
4552	server.exe
4196	server.exe
4956	server.exe
4656	server.exe
4532	server.exe
4736	server.exe
2968	server.exe
4244	server.exe
5720	server.exe

Identifies Wine through registry keys 2 TTPs 15 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	server.exe

Loads dropped DLL 15 IoCs

pid	Process
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe
956	explorer.exe

Themida packer 40 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-2-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-3-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-5-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-4-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-6-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-7-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-8-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-9-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-10-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-11-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-12-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-13-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-14-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-31-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-43-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-66-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-125-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-548-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-581-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-665-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-1682-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-1997-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-2365-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-2348-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-2715-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/2212-2724-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/files/0x0008000000017079-6059.dat	themida
behavioral1/memory/956-6065-0x00000000097E0000-0x000000000A089000-memory.dmp	themida
behavioral1/memory/1948-6066-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3224-6072-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/1948-6090-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3392-6109-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3624-6145-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3224-6303-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/memory/3624-6634-0x0000000000400000-0x0000000000CA9000-memory.dmp	themida
behavioral1/files/0x0008000000017079-7718.dat	themida
behavioral1/files/0x0008000000017079-7866.dat	themida
behavioral1/files/0x0008000000017079-8198.dat	themida
behavioral1/files/0x0008000000017079-8208.dat	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\server.exe"	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\server.exe"	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
1948	server.exe
3224	server.exe
3624	server.exe
3728	server.exe
3896	server.exe
3696	server.exe
4552	server.exe
4196	server.exe
4956	server.exe
4956	server.exe
4656	server.exe
4656	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21
PID 2212 wrote to memory of 1208	2212	ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:956
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1948
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3368
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2968
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3224
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3668
    - - C:\dir\install\install\server.exe
        
        "C:\dir\install\install\server.exe"
        5⤵
        
        PID:6040
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3624
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4052
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3728
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4680
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5036
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3696
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4720
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4552
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4756
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4196
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5364
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4956
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5764
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4656
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5232
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:4532
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:4616
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:4736
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:4244
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      PID:5720
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:5508
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:5592
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:5420
  - - C:\dir\install\install\server.exe
      "C:\dir\install\install\server.exe"
      4⤵
      PID:5792
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe
    "C:\Users\Admin\AppData\Local\Temp\ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5N.exe"
    3⤵
    PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
ae53bc02f1bf2fdf42ca9f3a98458618

SHA1
dab590d8c8a46690d3ea964d689bb85e0d556e5f

SHA256
e91595fdf46191fdf48328541739fa6637bd9bb71561ab27dc45555750e5bd06

SHA512
6af08c23ed33d3e8dc6d7cca15237121886c80c8b6cbba9f82f3667ba5595965f1403325479cb9b7bce9beffca94b79c7ce0b11b49cb4cd7b37bc5b461850407

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
7babfd6a39337edc25e0c88694f9fdd2

SHA1
8b341add4cbd722cf793a4d877ef271d0f0cd1af

SHA256
b2f74185ce0229f892d69297303bcfd3f0e653e257724c277edd0c2e3f13bb7a

SHA512
a61c8475b9c99b038d8edbc6deeb31102a8af401a1a51114f075dd9fb692298c8f4a549ccd6718a7286efd119ebcb4fb1e45c5e0566bd2a15775594d9c55f4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
448KB

MD5
97ea3c7ec5e04964423f3d9e27f53ab2

SHA1
a2d752798178cfd6d08d73e56b7a08420f3c5b26

SHA256
77464c03c966fa4bf575db15339cef628930f085c2b0b4068f19396682f1cd79

SHA512
8139180b2431d20f14b16f540d9205a76fc65696294e77ba6d0cfe996b1f5322ef606c539f038a36ee93eafc543189e566912bc4d35fbdd9d41416b1a5d4b0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
64KB

MD5
fea2cefb5ff0497eae4dede2922d7696

SHA1
21b3cc81b2bb669bb30f5c9c8d55980d17f4f165

SHA256
4565f63d3d96a2d037356e224d59ab686043352219712e98b909d6bf5481c1c5

SHA512
17e5927ae0085f7103976b7f9d01cf07ade2cae6ec75076245d3320afe72f531e15506239f3e42bf727901bb0b0e56e69bcd91defc0fbed81ee6c6069bd3e5cf

Download Submit
C:\dir\install\install\server.exe

Filesize
2.9MB

MD5
bc2658f4369a74faada294fe297da054

SHA1
2bf055d93f1671443ab21e2f9858f049f779992c

SHA256
65fb792f54b33ff0be97f0eab678bb2a6452a0e935b63fd24b9d32b842155afa

SHA512
7652bbeb8802ff1ce9c195644d5c781338722e0fb3b0c27a77d1aa1aee4798a0575a1f1fd69e3f8966c5abdf74dd562f397a9761512609b97ac6c95a7755b353

Download Submit
C:\dir\install\install\server.exe

Filesize
704KB

MD5
3c6c04e824510b48c37fd3a7c753ce84

SHA1
3110235fe52adcd704706e4969c6694de08e6c80

SHA256
818d06535685026628da984d9d20973a0684275e9127cd02bde1f037fc4dd331

SHA512
9632f51888b10d5365ded7a90e1aafe4f0d31dfbe1419960b70f88109ba2f08c0c4046c3a4cb81a4251938323d7f7fd6b401e28d34b03dcc0f7dfb2f017c3885

Download Submit
\??\c:\dir\install\install\server.exe

Filesize
4.1MB

MD5
5c2dd6e4760729c4e6ccba57e5c53dd0

SHA1
8b4f76990354a9fe16b4e8c4fe459dc9aa67b9d2

SHA256
ebb9d7e696ce8693ddeceba00f377d0d668010eee4755f71771027c21c4af6f5

SHA512
e479c858bb27281567ae79c9d3f7e505db72c7af49c5675fd2980d39696a82d59bcbc2c260a27f830992644f53384698e0e06bff149bd991d8f014157b98e05d

Download Submit
\dir\install\install\server.exe

Filesize
3.9MB

MD5
702802cd07a1033045f39bb4268364f1

SHA1
4422bbe4fbaaf03099271ffff87c6f5408f86605

SHA256
49620775677e345f277fc8610abe2266aee1798bd7300d76c3236b2cb11182ff

SHA512
b9e876669f14c3c93faacde2f4f11e45f7df5dc9751c126ba345038e40c5921266123d1f54ae55b6e96be9f1af4b63779dc840de50b93f1972c935dcfd6814bc

Download Submit
\dir\install\install\server.exe

Filesize
768KB

MD5
f6b98fb941dbc21539d0e091a94ad340

SHA1
d7b034315912fa5d0aea7e8bb5d0ee16d59bca9a

SHA256
f38ba291714b29ea3b28e47c47dd76bed794213da04193c53a3c66ae93b32278

SHA512
6be3cc3703ef2f825b9335c9aa40371d5c463290fe58d496dde3cb5302b329bffb04f486263f0353ad63c00894ed73850cf6c9bea31166094dc8b7ad6b9f794b

Download Submit
memory/956-6073-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/956-6099-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/956-6436-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/956-2717-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/956-6057-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/956-6071-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/956-6068-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/956-6067-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/956-2716-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/956-6065-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/956-6875-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/956-6135-0x00000000097E0000-0x000000000A089000-memory.dmp

Filesize
8.7MB

Download
memory/1208-18-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1948-6090-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/1948-6066-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-13-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-0-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-2365-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-2348-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-2715-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-1682-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-2724-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-665-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-581-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-548-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-125-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-66-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-43-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-31-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-17-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/2212-14-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-2-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-1997-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-12-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-11-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-1-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download
memory/2212-10-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-3-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-5-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-9-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-8-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-6486-0x0000000004DB0000-0x0000000005659000-memory.dmp

Filesize
8.7MB

Download
memory/2212-4-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-7-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2212-6-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3224-6303-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3224-6072-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3392-6109-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3624-6634-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/3624-6145-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download