cybergate | f6e9a22a5af683f79a51245a05134c606e3a4a0707dff56ff08c331bf955b915

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Size

936KB
MD5

826bdfa9f3ec50267e0c2b45d02103ae
SHA1

9ab7693cb80bfd5d63747c3ae5ca41fcfebe5624
SHA256

f6e9a22a5af683f79a51245a05134c606e3a4a0707dff56ff08c331bf955b915
SHA512

84a6536b7357d266c5bda4ac33518c75e3da5d799afa950687c660b3fe38cad0da0dc2490ada2516c18a1e706597ad9ae39e0d4ccea021f7cc4bcbef4429aa61
SSDEEP

6144:6bK+/lzBE8Aw2adVpAzrSBB7TYBDevrIIqYdq5+EgJ8iY/2qSkJOYxpnD8hY5aum:6+eVrZXA0E4Nxk5xpwqauoTmQWWugeE

Score

10^/10

cybergate victims discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Victims

stahlgewitter.gotdns.org:81

notforsalebloody.no-ip.biz:81

soliver.no-ip.biz:81

Mutex

wurscht

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
bootz
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
bully
regkey_hkcu
WinRarSFX
regkey_hklm
WinRar

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\bootz\\svchost.exe"	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\bootz\\svchost.exe"	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6HM55UCO-1IMI-MLW0-01S7-36D04QO24H6S}	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6HM55UCO-1IMI-MLW0-01S7-36D04QO24H6S}\StubPath = "C:\\Windows\\system32\\bootz\\svchost.exe Restart"	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6HM55UCO-1IMI-MLW0-01S7-36D04QO24H6S}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6HM55UCO-1IMI-MLW0-01S7-36D04QO24H6S}\StubPath = "C:\\Windows\\system32\\bootz\\svchost.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
1608	svchost.exe
3032	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinRar = "C:\\Windows\\system32\\bootz\\svchost.exe"	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRarSFX = "C:\\Windows\\system32\\bootz\\svchost.exe"	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bootz\svchost.exe	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bootz\svchost.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bootz\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bootz\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\bootz\svchost.exe	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 1608 set thread context of 3032	1608	svchost.exe	95

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3524-4-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3524-5-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3524-6-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3524-2-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3524-9-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3524-10-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3524-13-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3524-30-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4996-76-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3524-143-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4396-144-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/3032-171-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4996-172-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4396-176-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4596	3032	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4396	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4996	explorer.exe
Token: SeRestorePrivilege	4996	explorer.exe
Token: SeBackupPrivilege	4396	explorer.exe
Token: SeRestorePrivilege	4396	explorer.exe
Token: SeDebugPrivilege	4396	explorer.exe
Token: SeDebugPrivilege	4396	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
1608	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 5020 wrote to memory of 3524	5020	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	87
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56
PID 3524 wrote to memory of 3484	3524	826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\826bdfa9f3ec50267e0c2b45d02103ae_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4996
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4396
    - - C:\Windows\SysWOW64\bootz\svchost.exe
        
        "C:\Windows\system32\bootz\svchost.exe"
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
      - C:\Windows\SysWOW64\bootz\svchost.exe
        
        "C:\Windows\SysWOW64\bootz\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 584
        7⤵
        Program crash
        
        PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3032 -ip 3032
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
30e0714a0d40eb9c7c5182acdd15ea20

SHA1
b7daaee2f5603d1c86dacc260c7d416337995d95

SHA256
692f82baaacc30030d64285c2d15eeec32cb40e9639f46bf76e0081f18fd0637

SHA512
e0a6576fb68bcf1cc42c7807dbc55ef91219b84b5f0f82fbdbe6d539589e4ef9524efa7560acba7f24004e142c13863f797a00449033b2d6b97452735d9b9943

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
73c4d8e38a7a5e66067650bb19813c79

SHA1
be94ff91b2771203c82a248235fdbd083ec9fef2

SHA256
1335d1a6e5d3f7aa028626fe5a524d7d55482ae505dd73e8e9df6eb8b571d551

SHA512
e8fb92b0ec409558c4ea103a3f227ad5f7490eb57ea13b76ab7b71096410c8ad80fc2f73103d0c7ade12ba5a5a00cc987a7860456b091c38307df971363970ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b6e651242a62b464627ec0aaefbe1490

SHA1
0a8a4fa467eb466721d5550b73e1159018da3984

SHA256
6b6dd3326a53e10196cb2277d9e37694c733593580d8738afa352307a4d941dd

SHA512
67efecc72186e94f8e573bdb8494a694ec5d0ed382d7cdfbea73b87c9cc84630d1c4aa626b7acff1b72ace0a7673c612f23ba14c8178032df29729976b16a5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3a475b1b17522fe0b4cb61bf0b9cea97

SHA1
356b0011e5561d08ce40d81bca44eb4d232b44ee

SHA256
69ebd278ea56f87b98634285d4784367bbb50dccd36b037ba75144585af066dc

SHA512
b05ef511365be8088ce0c048317bd3153c919f26eb34b210fd2ab587c14581f3e250aae3e92da7a3eb2e0a1d5b0b816d526147bb978f7ea5a6eb7dca4877f5f9

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\bootz\svchost.exe

Filesize
936KB

MD5
826bdfa9f3ec50267e0c2b45d02103ae

SHA1
9ab7693cb80bfd5d63747c3ae5ca41fcfebe5624

SHA256
f6e9a22a5af683f79a51245a05134c606e3a4a0707dff56ff08c331bf955b915

SHA512
84a6536b7357d266c5bda4ac33518c75e3da5d799afa950687c660b3fe38cad0da0dc2490ada2516c18a1e706597ad9ae39e0d4ccea021f7cc4bcbef4429aa61

Download Submit
memory/3032-171-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3524-10-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3524-30-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3524-5-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3524-13-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3524-6-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3524-143-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3524-4-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3524-9-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3524-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4396-176-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4396-144-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4996-15-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/4996-172-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4996-14-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/4996-76-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads