cybergate | dc622843e839699246475d2b8e98b4e382e34ef1f1038285c1c4bee29cf3c4e5

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Size

311KB
MD5

b0eb2f6b8cbacd6ecf005ed96c8959da
SHA1

505e91a8ae6f42c478210bb90c24de92b620a58c
SHA256

dc622843e839699246475d2b8e98b4e382e34ef1f1038285c1c4bee29cf3c4e5
SHA512

b7b82a04582d1a0e46dc911fe34bae1a21b532c2f97a8c767f9d46eb2c302f55a7f37ac120168009ea4c0872712d4881a6b2f5a31e2e9548b3928bbc408abd01
SSDEEP

6144:fjupVaUwka+LBhWyZXtrdJIFOf0N6O01JP206gEiqe0:7upVfRz1rdJIAI6O0u06Jiqn

Score

10^/10

cybergate spy-net discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

Spy-Net

Myownhost.no-ip.biz:100

Mutex

D9S7A8D69A90AD890ASD

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinSys
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinSys\\svchost.exe"	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinSys\\svchost.exe"	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6YUJOXCT-K1K5-382V-8O6A-LS3110L6RLHY}\StubPath = "C:\\Windows\\system32\\WinSys\\svchost.exe Restart"	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6YUJOXCT-K1K5-382V-8O6A-LS3110L6RLHY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6YUJOXCT-K1K5-382V-8O6A-LS3110L6RLHY}\StubPath = "C:\\Windows\\system32\\WinSys\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6YUJOXCT-K1K5-382V-8O6A-LS3110L6RLHY}	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
656	svchost.exe
4384	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
656	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinSys\\svchost.exe"	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinSys\\svchost.exe"	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinSys\svchost.exe	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinSys\svchost.exe	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinSys\svchost.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\WinSys\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\WinSys\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 656 set thread context of 4384	656	svchost.exe	95

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3616-34-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3616-35-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3616-37-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3616-36-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3616-41-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3616-44-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3616-173-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4384-225-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3552	1316	WerFault.exe	82
2944	656	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
860	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	explorer.exe
Token: SeDebugPrivilege	860	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
656	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 1316 wrote to memory of 3616	1316	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	83
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56
PID 3616 wrote to memory of 3448	3616	b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b0eb2f6b8cbacd6ecf005ed96c8959da_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:3684
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:860
    - - C:\Windows\SysWOW64\WinSys\svchost.exe
        
        "C:\Windows\system32\WinSys\svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:656
      - C:\Windows\SysWOW64\WinSys\svchost.exe
        
        "C:\Windows\SysWOW64\WinSys\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 572
        6⤵
        Program crash
        
        PID:2944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 588
    3⤵
    - Program crash
    PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1316 -ip 1316
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 656 -ip 656
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\He168gMekM.log

Filesize
10KB

MD5
588ccb279d937f322586e2bd9bd4c842

SHA1
6094882ae2caa7173e17ba8e0b8df4e92d06966e

SHA256
5e04678664fe5489272705c0f5df39094b0eb07455a332ec478617c8e0f8b6e1

SHA512
a45a06e583551f31cd22fc0c63ca6c7647a139446207065144cc63bd7bc78b168efbc68d925142b288f774e87c217028143fef9afa0246bc236b22701defa81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
230KB

MD5
784f49564f99086f3e94ff382beb5fe6

SHA1
a2b53d68b6576774aaaa8c070d00f33a3d97a112

SHA256
9758e3a1160cabab34ea0b2552167476382c2216461f52499c7f48f35870073d

SHA512
49d9075fc71191b30585bb2b7833f454ba693a1fc27238ac1afe1570cc43495127eadc1994ab44b071108677e060a304873a17ffaa082691add367b1889969b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4d4d7f80276c7ae519935433cd0842bd

SHA1
49774fda074773cbc74584af93c2fa2186517007

SHA256
3da662bc6f06843ed2b80b57d8f4b7080bd40e1388d22bdf9f82b49870e65914

SHA512
622addbae83868824cba9dcc9b0a80c22f19d12b62d198822fe3b7045cba4a903ddea5e958dac21efd54e5fc797c94cef81529b980ea32353ef37267168e9e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb303c7b52ac46182b8387977c6b0e2e

SHA1
476d3e6f86ff504d6cf1a18006b7217047fa2f65

SHA256
d6e912f581465d46c78ac1ccb0de70f0295e944466ec7b0ace91d2894833559e

SHA512
797ced8d34a9bef3ed49991f16ae36f50a579b6d82e2e9a7ef594e0113d382d486f994225eaeca1a4f985bb2fc911252bc87c3f503cae546aa2a90df1ad59155

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7dcabf693ccc1184b114a640e2741e3d

SHA1
81699ad9403ccc9b978771618da4d3540f239016

SHA256
70cdb74edf1f6cf3b4e3620da5eaa920b083f194a39dba8bb2c4d9851b8e1263

SHA512
a8fcbf1515a12df6cff87558b16b4af12ae33cf58749c688b6993a5a11dd149b97d6b3005f9d2dba2f452a4d5b387e4811850a80a5d4b849d810d7cea3ab8e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
211bd4d67f1d72fe730a3b30639443ac

SHA1
654da145d9fbe16392bda1501991add4c1a2c2e3

SHA256
5f8b3400dfe47433d92413d17fd1fc290bb994b127d146627ce97d2f870666b2

SHA512
f24a0b425a02842cfbdb569681987820f80c0dfd643a45104b1cf433a88e21cb02526eef1340564c5cedafed2fa34535520edd2742e6625781478a3be85a9dfc

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\WinSys\svchost.exe

Filesize
311KB

MD5
b0eb2f6b8cbacd6ecf005ed96c8959da

SHA1
505e91a8ae6f42c478210bb90c24de92b620a58c

SHA256
dc622843e839699246475d2b8e98b4e382e34ef1f1038285c1c4bee29cf3c4e5

SHA512
b7b82a04582d1a0e46dc911fe34bae1a21b532c2f97a8c767f9d46eb2c302f55a7f37ac120168009ea4c0872712d4881a6b2f5a31e2e9548b3928bbc408abd01

Download Submit
memory/1316-33-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1316-24-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1316-32-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1316-22-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1316-31-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1316-25-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/1316-17-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/3616-41-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/3616-44-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/3616-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3616-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3616-173-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3616-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3616-36-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3684-45-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3684-85-0x0000000000040000-0x0000000000473000-memory.dmp

Filesize
4.2MB

Download
memory/3684-46-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4384-225-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads