cybergate | 3c661019453cf93635be2e5d07d2c843c93418ea1bdaf79b4fd24146fa1c4a9f

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Size

782KB
MD5

da957e71f1bccec9c5306f6af4949c90
SHA1

4b27f6a6dfe5cc4a10c8aeddd957718d70202a6f
SHA256

3c661019453cf93635be2e5d07d2c843c93418ea1bdaf79b4fd24146fa1c4a9f
SHA512

6af014467b1e33cca383eda6e333f35ae6c4052b5652e2c4c03d70250140673915ed17c9608f8952bb092c1ff04567eaa0011a3a887e5873c85533ffa9adf899
SSDEEP

12288:GJleeDzwso7HSUoP/ROnLFncCY1jMDe0xaf8eG6MvunVM7ET/lMM:GJleeDzwsomrP/snaPMKDf8HcnWgaM

Score

10^/10

cybergate 28may2 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

28MAY2

diren.no-ip.biz:1011

Mutex

KI-N11R-1837-T4E7-8X45MD3A153H}dfdfd

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
License
install_file
Licenskey.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
osman123
regkey_hkcu
VGE Licence
regkey_hklm
VGE Licence

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}\StubPath = "C:\\Windows\\system32\\License\\Licenskey.exe Restart"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}\StubPath = "C:\\Windows\\system32\\License\\Licenskey.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Licenskey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Licenskey.exe

Executes dropped EXE 3 IoCs

pid	Process
1400	Licenskey.exe
2324	Licenskey.exe
2800	Licenskey.exe

Loads dropped DLL 3 IoCs

pid	Process
1952	explorer.exe
1952	explorer.exe
1400	Licenskey.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Windows\\system32\\License\\Licenskey.exe"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Windows\\system32\\License\\Licenskey.exe"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\License\Licenskey.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\License\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\License\Licenskey.exe	Licenskey.exe
File created	C:\Windows\SysWOW64\License\Licenskey.exe	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\License\Licenskey.exe	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2404	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	31
PID 2324 set thread context of 2800	2324	Licenskey.exe	36

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-27-0x0000000024010000-0x0000000024072000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\VersionIndependentProgID\ = "ADODB.Record"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}	Licenskey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\ = "ADODB.Record"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\InprocServer32\ = "%CommonProgramFiles(x86)%\\System\\ado\\msado15.dll"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\ProgID	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\KQMalymdYnkk = "AnbfLUT`klKkTNBYQeRnRNa@KqDPGEaBblHQKr@_^_yGBw_tgdDO}LDPJ[HzUoD\x7faaaknRMXnX_kVBGPg\\xekoGysnBn"	Licenskey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\KQMalymdYnkk = "AnbfLUT`klKkTNBYQeRnRNa@KqDPGEaBblHQKr@_^_yGBw_tgdDO}LDPJ[HzUoD\x7faaaknRMXnX_kVBGPgLxekoEIyxBS"	Licenskey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\InprocServer32	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\InprocServer32\ThreadingModel = "Apartment"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\ProgID\ = "ADODB.Record.6.0"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\VersionIndependentProgID	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2404	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	explorer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: 33	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: SeDebugPrivilege	1952	explorer.exe
Token: SeDebugPrivilege	1952	explorer.exe
Token: 33	2324	Licenskey.exe
Token: SeIncBasePriorityPrivilege	2324	Licenskey.exe
Token: 33	2324	Licenskey.exe
Token: SeIncBasePriorityPrivilege	2324	Licenskey.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2404	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
1952	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1952	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
2324	Licenskey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2684	2648	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2404	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2404	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2404	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2404	2684	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe"
    3⤵
    - Checks BIOS information in registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2404
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:848
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Loads dropped DLL
        Drops desktop.ini file(s)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1952
      - C:\Windows\SysWOW64\License\Licenskey.exe
        
        "C:\Windows\system32\License\Licenskey.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\License\Licenskey.exe
        
        "C:\Windows\system32\License\Licenskey.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\License\Licenskey.exe
        
        8⤵
        Executes dropped EXE
        
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
230KB

MD5
e52478b431d02e88d03030eef0bbba06

SHA1
637be2fcfb9fdd526076f4f5404200e8c98b30b2

SHA256
c5356cd123dd0e23e0f17db22cd07485c1c9a4b4cebf6674787efea05ba1e088

SHA512
b40cae0733c8d67702b2968350afc22c356c69c10b19fe16a8ad51e2fea8d30665566695736c8537dc6dec2e7e2f29634e90921d2ce258945f098f75653248cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3024c918b40e9308879b9eb6a970dd8a

SHA1
df689e891151e9c39fdc5bf269dad1d2441eb41f

SHA256
4821b26f28bca10d6bcfd4e6cb2cb96928c432cddd7d46b63c7550ddbf740df8

SHA512
63eb16d572befb288677eeaf1fa598b245b625840026e54cb0dcb5bca11f0f084ffa8246eb80acb384a32f36a88bbddc8ae7f4f5c8fdd921393ab366481e1a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5435aeaae647094c055d46bf9199bdf2

SHA1
172b720558c6a6be3b9e48a6997fd38a0525b74a

SHA256
9d6ddb0d3b9cc33eaf17216e1a992c20b2a0aab347e7e423ee6d1ed913785b3e

SHA512
0a1af2631c2a457f6fa53a091caf548e2eea0d04e7cf7d51cfe162ad717e38393024aa393351d66cf0c408279751b79a551143e262fafa293276e452ecba2d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a83b655533802ce9c345e49385797e0

SHA1
4d443c4d741b8c50cee129fad3cd1f066b5d6b30

SHA256
0ebde968971ebb0fd24a8cf6e99e9dc66874632b553f7ca23fad5799122f7f5c

SHA512
f4c7e09e2398134a78a5a05d60f8bbf5f3658e6b7492498143ada6cc3c8ad19f4be21c8da61ea322ff3c7da95a685f0993dbfb39b70f264b57cfcb025d78fc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7b98d2747df38622e507080e86ae16ab

SHA1
11ada673988e2db6fec192740674ddb4d26b146e

SHA256
b2da30dbe305ddc61c16294add693ffc5a7503165ea51c83301b2ab2f792e5a2

SHA512
ff467388b697547d3c2e26b35920233e7787cc465f2760150fbfa1422d801c37fb16e1f185dda785fba41fe839599586512a1f58789ff410c498613d12637a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
acac8f9001bf2d06d40d91ae878b97f5

SHA1
3cd675e248bc632eb0f739e06b17771fc2e3ef76

SHA256
29665770e121dd4dfa2c6d2d3cf4880e1f685f77e6291421258578afa2b94350

SHA512
554d5b5679f97fe949d9bddfab892bba91926e3ee216c74e6a2ad5026ea5bfcb41f6514552d0ba8f1e0f12f21ea5ab182e32e624f9cc7379a1130dc347d45e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ebba759cc9ba3f6c754cfc5b2299ed15

SHA1
116bc58d304b155ec1211774deaa0de304b4431b

SHA256
941057a115220b39564a1d94635cec5a8738651a5f5afdea70bcf80e966c6d75

SHA512
4ca4fcddfb6afcfdf15086dd7fe6107d88827449cac513d043cb822828ed7e2858284bcabcab87ac38a75d5b1d8e256acfde3cfc0bf358e2dd84f7f0f44ecdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
69c7854da152d0ee5fa92380dedbb66a

SHA1
3da840c4f39b626ea213bba6993fd081dc1fd00e

SHA256
f0795bb42660f615b88787e3c006d94bc84f9ee99c75ae6b5194c438a38834d1

SHA512
022a9340d8a6ccaaf73329beeb0d1414d072b13f6ceeff38114d97fa950618de7264ab21e268db903b233ed8cbb96f180cf82e64ceaf771ad37eb58a18505f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
69a32c2bdf81b8ba23a63e5a61fb6154

SHA1
7f6c8cfaa73b961b02736222952e96a417fdacd3

SHA256
9d1b04b52ee45f2691a42c212cf62d36d225efc5d08be55e8e387d6754adc3d3

SHA512
135a4b70ac54d87ee090ea2dd320cf048483ae21cdfff249d34df031df4e56c95a9381f04b14a5d8ecc51f707c2024e19020a99b6e0c956ab9a0ab4d455c386f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
be5bb2c12f215fb178f4a3bdc9d7da82

SHA1
e752052008912e2d18dd872d1aeda15650048ba5

SHA256
bc8b4722beaa9a196669eb8784c45d2ab7d74cbe0b8c173cfff665a696ec3d67

SHA512
198839c6c4cef65717201640f44690b0b74d57f458164737eaad6e05e223e3f977f8526ba08dca6cac6dc02088b5024b440aa1449806c002591c13514f490ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
454c63d738b51292236f5826c4a4db22

SHA1
61ba9186b06b3f5aa07648c6dfbb96835602abb6

SHA256
bea04143390abac48684b2ecf88434591c782aede736de20ade1f3f41e75abf5

SHA512
282d4d18e700060c7bc4a6b2dc4a694cb4dbf983e77569d03d55fb4d9b823a5242d4fc0681de4b0c9b48b343255c1d7af39da2f5bacf37ee46929f67a273c11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0e996d600edc4b85bc79f0b34bbffd06

SHA1
2fe316028b2505dabb962230b4d136cec1e1ff19

SHA256
62ae57f585de472ab309932245ecbdb54c0993e48248f8995e2e2ca10e9a8efe

SHA512
e3490b0e32d5609f38bae4a22fa287272c95e20ce66f1aac6bc59125a2444cb00879c830a4a377bb72a94c89dcb80db3b8ad714fd8cd602d3af8a99596803b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cccd64d41d4fb388ad3b964b53237738

SHA1
2362a9aa7fcbd2eb71a469f730037ad2ecf548bc

SHA256
a23709dc7bbaec4a7831834795545260e9c5bbfb540d35a22ebe03aa7555fe0b

SHA512
59b2e3d65b9c99486a424ea9dc58873c72915bf1a1ddb3d182ddc020517b30b55a7f61bffce4798aa8195b226708f5f392fd1e18513f63a36ce6f5ab0c2302e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
39801cd5b6e32459a4598b93f5e42329

SHA1
65a92978be2d30fca1160797a25c8f2032c760c2

SHA256
cd3de25e3a85e05d25f29fcba38135ddbac94851dbb4b410defc1d0e5bfec497

SHA512
dc1dbc70521b9addf20cf4c8e8f62e9aa31eea264eca257b88af35226ed44c2d588e2110037cf014e133c811ff1d936c132f646e35b49bf90762ddbadc8ac709

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a77612387d385f9e4f87e98acfeaf9f1

SHA1
805d707627f26821b0900bdb679ec5d4637d155e

SHA256
3264f4f0a66f4e0302aa99664815d3b7ae19105e25477fa50c014546eb7132a8

SHA512
cf7be12ecb66005aee55f86189461c499213a24383dc7d1b7f83a045581ba727bd21c8922587a082fa9b363f9fb805d3002e04f3ffd0236028d7972de6f3d4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c65f93eebd0e53bb175b81f6c960c01

SHA1
2cb68af742b5b8124081ad91543a51e8a3a7f72b

SHA256
03bfc11343138c9a55e7e1e28cb91a001a6d36d6703172a21f5fbf80140ac5f7

SHA512
66dcca4bd3f9af532550dafacd8ae9010f7b69cd7f80139ca5a2f2b3f454d2a63c735bcdc0d5c86d7c86b3eb60665916bb4efb72afc0d7c8cd35f7ddd74f19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
de3782e8cbbc2504e0c38bd9203db9e6

SHA1
beb527c96ceeb30e30abb2ae503605faf32eb6d3

SHA256
7b765f3026d67449d8321f4d41ab1ae07cd192b20df2216389410b7a643e12ca

SHA512
19f3cc9cd8cf6ed7126049635f0b58ba9109e6a2c594046a2363e6dea0749b7546e384ba84578033b9409ec44d2ca2490893fdacc468031268222a9a452c1b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4eb0371ad19b4369a13b07e49f8465f2

SHA1
af6e7d4890b81111cb93a02893b9c19ce8b2c5d9

SHA256
defc4b2c097164bd749cbc6c7545d071162029f6639ef63e6fcefe3a804a8e3a

SHA512
86a3a4e88419062e6c8c7c5adb5e226b8446b75bda704392530ddbb40c474863a13ca18ce0db9a1352769df161a97700032b9e7c839a0c84f59145dd9072c71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73bddabf79f54f5c7c859d87900550c9

SHA1
da3a3482ea8114ab343debdaa5d64ae2e604548f

SHA256
7ac63d270d28830600bc4565fd9b4e51e61fc5b4e654f3d36bd8921dab834d0e

SHA512
2f53f242ee1b2f1ba7c1d5e35764822209a679f0e971c658c2202a0beb60d64dc9bce78d728d3de6560c1e1dfcc48d3bb8f6d75c74e0f4b61821bc22843785e6

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\License\Licenskey.exe

Filesize
782KB

MD5
da957e71f1bccec9c5306f6af4949c90

SHA1
4b27f6a6dfe5cc4a10c8aeddd957718d70202a6f

SHA256
3c661019453cf93635be2e5d07d2c843c93418ea1bdaf79b4fd24146fa1c4a9f

SHA512
6af014467b1e33cca383eda6e333f35ae6c4052b5652e2c4c03d70250140673915ed17c9608f8952bb092c1ff04567eaa0011a3a887e5873c85533ffa9adf899

Download Submit
memory/1160-28-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1400-969-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1400-947-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1952-945-0x0000000004C60000-0x0000000004D24000-memory.dmp

Filesize
784KB

Download
memory/1952-943-0x0000000004C60000-0x0000000004D24000-memory.dmp

Filesize
784KB

Download
memory/1952-973-0x0000000004C60000-0x0000000004D24000-memory.dmp

Filesize
784KB

Download
memory/1952-974-0x0000000004C60000-0x0000000004D24000-memory.dmp

Filesize
784KB

Download
memory/2404-27-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2404-920-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2404-20-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2404-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2404-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2404-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2648-1-0x00000000004D0000-0x0000000000594000-memory.dmp

Filesize
784KB

Download
memory/2648-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2648-24-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2684-22-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/2684-11-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2684-10-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2684-13-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/2684-12-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2684-9-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2684-2-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2684-3-0x000000000044D000-0x000000000044E000-memory.dmp

Filesize
4KB

Download
memory/2684-4-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download
memory/2684-16-0x0000000000340000-0x0000000000389000-memory.dmp

Filesize
292KB

Download