cybergate | c0944b41d8898a4f33ce2164ecfe8aae30a4b4348320f740432d4cee727a7a63

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Size

444KB
MD5

a4dcd5ea254149470d264480eef8667c
SHA1

e1f5b49586b94a0178ed07239df057c417062149
SHA256

c0944b41d8898a4f33ce2164ecfe8aae30a4b4348320f740432d4cee727a7a63
SHA512

80f8557b192fd3574c74ae69ece48c0a8cabda92459e965882d85d0c5e44772c35bb0568e7ffc64ac7579cf1ddf9b1504e72dc66627ef472aa13eb1564f95f96
SSDEEP

6144:4I0o6Sri1/lyNfFgVTpjv86B4e+gC27M9ynzwxU1JMM54gFHQzFmJ8pTazFYW:CPB9lrOOl+g77dz+U1Jnu6Hl8MWW

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

Cyber

failsafe.zapto.org:82

Mutex

T6668RWN210653

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1337
regkey_hkcu
HKCL
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBVI211C-C2LV-OQ72-S55V-A2PEPS5HO0UL}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3124	svchost.exe
1648	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCL = "C:\\Windows\\system32\\install\\svchost.exe"	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\svchost.exe	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\svchost.exe	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 3124 set thread context of 1648	3124	svchost.exe	100

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5020-2-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5020-4-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5020-6-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5020-5-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5020-9-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/5020-10-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/1396-75-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/5020-85-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5020-145-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/5020-149-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1128-148-0x0000000010560000-0x00000000105C1000-memory.dmp	upx
behavioral2/memory/1396-174-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/1648-177-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1128-178-0x0000000010560000-0x00000000105C1000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe
3124	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1128	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
Token: SeDebugPrivilege	1128	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
3124	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 1560 wrote to memory of 5020	1560	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	85
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56
PID 5020 wrote to memory of 3436	5020	a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:1396
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a4dcd5ea254149470d264480eef8667c_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1128
    - - C:\Windows\SysWOW64\install\svchost.exe
        
        "C:\Windows\system32\install\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3124
      - C:\Windows\SysWOW64\install\svchost.exe
        
        C:\Windows\SysWOW64\install\svchost.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
651b6c5ddb0a5e00c814af40736c84a3

SHA1
ddfbef6aa01bb2abc9fe118243408fecc6803848

SHA256
469d00967eecd1061ea9dc9ad40a69d77cedb73cb6c6599302aca5a2545f79ea

SHA512
7cb62797b6bdfdecedd0f2d0ad7490e9e4023099bf5f830715bbc59933f3f93a08183e31f37fdedfe236deabe1bc7a07d9166175ffa4206226a5e82dee58d50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
da273f19601f7d41f8fd8b69db0f80af

SHA1
669a199514b2e8fd1c1412cdd3900f4dd84cf890

SHA256
93f70e23a5b8e0f8a5d92e829022e5ec2034206272a4e3c63a634fe92ba7c821

SHA512
93a314f71bccf8088a39572f83390ff362beedf468d80d54eb3327741b818b604117cd20df81a54b7d6ae00771f9f4c942a0049a0249b02124c4f9773aeb7de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a8ca4184405e15fd2949adf9fd4505fa

SHA1
bf0a0ded4966c14589f7c15a4e74155fb99033f9

SHA256
b6a32ebe1af52ac7b5fba46d5de88b37de8968054c34c78ccad5cf98ce2facb0

SHA512
525e023a6ce3f55b64311061f006349e5957c1ae7375ca8ce1ad9aff959aa399835f548e2f2ef1556ad0b5b6e927588c4995b342cb5464c89723891088a3d5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4f4561759f7158259c3b95e6bb3c14c

SHA1
034eaa5539aa05ac027fd3638d66d823d92dc7b5

SHA256
f018e7c5fef1f3a51a656d13150aeb1f9c16e168b93028891683c2923442974d

SHA512
b976e12652b038e7c111bbd6424c1bada4e163073621702b8610a0071fd298e66a2d40637aa91cae2cd2497965f1bb48540df5dc4414b18e2b5cf6048c0c834f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9142025f313cda7b8c07e5db49b1b965

SHA1
c134453d40c1c91ada2209ef3e61f0271625dc1f

SHA256
883d10376354045eae4847897fb89310388663b4fa06bc7fcc0f68e390f31d36

SHA512
58d74385a1b41eb738c502cffc8578158b3f70f2ad3a18676528488e89cfe2c0f5954f542fe05cbc48b7c2069110b59997e7a30b001f4728a15b8dcc48734595

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8b3a6067933a32c6bc9c3b0967caa971

SHA1
c7a6aab617e44623267c37893fd3a4e65fec8f3c

SHA256
02e9c05c821a9701c3d68e989a734ec46ba968509140ed9890fc4139d9e0e49e

SHA512
d68c02c40677a8ea49feecf3822a000af2430309cc800f8e80a81ac83747854911a1e72f6185c6527d93a44a94a6833f3937ff772cc12f24d6bbd4370f38b696

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
65e37561b15cae36b4ab659b1844350d

SHA1
4be5964d41d85ae0aaca533e8f9e850da70151db

SHA256
c43e8632e67446a945ac562a1bfa028b2e385a82f4437480b89273e56e4de03a

SHA512
82398f6382500ed1a1f192ed42a1d9f387e80285d78ce4f3f5594cf5adebe75fa73ceff1f3e204d734071d2921c51efc1a3684a50c537a05d5ee0e8be2880d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
022b424ec04bbb65730dea85f7aefda6

SHA1
eced7582480e32414ec3c9b490c175bc5232e6f5

SHA256
e44dbe4a1f30961b6ad34466fd6084a581b804146aad0947334d3b2f002baf24

SHA512
6436d57229b73e94f90be4b9c2fe8f2b567a87e76608d42a3e389e69df1ecbe899bc3934bbc9b6723c58f7f414dc96669531f0f66f750a497369c460d3f50db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1151d61c9e552e2286105d445c261f39

SHA1
7ab4fe2ec923d7b24be0096e7f13bdf5defe3654

SHA256
cf56c7e58250eb75d281bca7cad1bb50e5c4e881067cbf7b0aa87265cbf8f8d2

SHA512
1d3c22aa3468fedcf4147dd7a830774d36381d373ccb45beab4b6c5d0e19a3d9142b596280605893d793b30a20e0017f67a3ad9020d36c6076650cef79835920

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6e1d981dc362ab373d4fd0e082755a8c

SHA1
3886f43d3acac8149cf1a0bbfb90a9a15ffa7760

SHA256
878655b32960597ba87724430361ff773a4cb917621a181b36d6fe266fb39d34

SHA512
c0f424519af1816d22ac19b31334eafe05fa34322b6bb3332955abbebf0db628f452845e1a14e1fede6e6c8d7246f74936a1d94952df483f0f3753483c8f0746

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8041945afe1bc36688573e84a8572451

SHA1
e854831ef8341876a92948a9fc9c917b34cb0d84

SHA256
07b531b02fc09018484dbfb917d11507861a86ea4bfe114a93cfc041216c9c7d

SHA512
af7ba8bc4cea442c81fd469caebfce84e8217153d57fa141829722fcbaba83d2b4ad40c33df20e56d972fd04e1bf131782f579191174e7314cc2eacff1a2261b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2e1eb4301e8d408b4e1aae0dd85e62d0

SHA1
08e9068f329411a3d6ecf943e2a565fbc1e690bb

SHA256
eceeca0769dfaae398b41a09d16378c2e5c3ed8483230e7683161abcc676a4e8

SHA512
274cb86b18f26a96f5d63360663316df176cbc3217fb52dbfb304838be43ce3eaba8c4905121110bf5650db7dca9ca41c54c8a8cf7b49bd39599f59ad5a4445c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fe136fe48989f4d88289aa44c0d80866

SHA1
6be83be631ecb8c567f59e4153680444d114b0b4

SHA256
eb3c9b292dea57468c3517fc6bef580c8dcdf520a03e11661d969ab2112672a3

SHA512
520fe69c00729d74941626bec4c69b769204078eb8c83ef9f3f1113462755edfc770dbc0c41789a11469d4709a5192de79e83184da619c84bd32c0097597f1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f25ed9ded1afd2716cc1a4c41e729d6b

SHA1
f505487c3620dc7558962b6586f471dc0e76d529

SHA256
06433ccd550296b31afb3a01d7a94b8cc2f1487fa7021b246dc66d19101f79f4

SHA512
2807b0e44d80e486def32070f35e4cb42e52698e342a7fe1fd302ad154627180be18c83be2af8da70cfcd3e8117c4bedde38e86a2078a2f7fa7f52ff6db397aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
151b3214651495caed33e775c0355b85

SHA1
53676804488e881130faf260a5371b9c31a59eac

SHA256
9ee86a002473fef0a12eaeddc892e154a52c2a9e72d6fe7f63ed8186e7b08c79

SHA512
f1ec8525955ca0d663114f3549f28772b29f0b9840a625cf3b45e3119acab6a53bdb7d2621aa53ca1a76eff24a54beeb9ed3eb74bfa5ed5e43afe9e6ca17d286

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ec2f25a317cd8fb638037260bc927a79

SHA1
ec0b232fe5da0c1e59faa26b58d343afe921b92f

SHA256
505b207f68f375b09fdb3c017f13327484bfaa7a3a70ac97fab12fa3284e385d

SHA512
60a6afd200ecfe43a1de3dd366feeadcdbe384c565feacecb566a676f08e4f6ac8d9791bcb3fbb9793fabf6c65f15711762d908b3ee1db462130dda9f44f7e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
80f87b99ef3fbf52a0a76fbf27a5a29b

SHA1
79bf47de622f6408f173bde4a383ae0268696e4e

SHA256
d98c84809c0b36e7be978b0974351cbb079ae47cc61ae01d52536214ac14ef9c

SHA512
1f95c39ecbbf4fce9be2995c2aa46e9077ecc90a70e6faa10e8c3d900a29c603cdf42b598adbe3c64d09f23e229eadc9e6d0a4dc8be24dcf20329f82399ea4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a4a63f045244237225603126b494923c

SHA1
a0723fe388daf173d59d9079e621f0298b1dba6a

SHA256
d9f5afd7eb97e185f8f59eef0f78cf8ffbc89ab5378b4f504209eea5908af51b

SHA512
52411bb6dcc28a842b7aecf6e0bce78f93cc46aa9d0303681efb114e07719fb82fb4c92c279842d2e5bb6db944236687c3ca655859386d269cdf4587c33638fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5e9084052239f76df83c12a072289cd4

SHA1
8ce060a48c04ccef1a7976f2649f0d7df67caa05

SHA256
2abc34f69b91ed0125e145dc2a3fe649ec5eb5dca84f2f05af38ebb63ea377c5

SHA512
7a41c99fee448ebc2d63e02757eebdb777a5e3bff0c8d16421bdbc95e40f48dc1eb0a5c09e8394d537a524ade05ac0fca87350cbf99740ac5044002d330847de

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\svchost.exe

Filesize
444KB

MD5
a4dcd5ea254149470d264480eef8667c

SHA1
e1f5b49586b94a0178ed07239df057c417062149

SHA256
c0944b41d8898a4f33ce2164ecfe8aae30a4b4348320f740432d4cee727a7a63

SHA512
80f8557b192fd3574c74ae69ece48c0a8cabda92459e965882d85d0c5e44772c35bb0568e7ffc64ac7579cf1ddf9b1504e72dc66627ef472aa13eb1564f95f96

Download Submit
memory/1128-148-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/1128-178-0x0000000010560000-0x00000000105C1000-memory.dmp

Filesize
388KB

Download
memory/1396-75-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1396-174-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1396-15-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1396-14-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1648-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-85-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-10-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/5020-9-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/5020-5-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-6-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-4-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download