cybergate | b85b825a13d2b5277dcecb5020ffdcacdbd1b83a056409a670c1e0aa36c55718

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OP7_Atheuz/OP7_Injector.exe
Size

510KB
MD5

5694f7da1daedb0591c5f76a098e57ef
SHA1

10d34b602dc7efae4603725e15f80a3ae335c535
SHA256

ebd82554ff28e53d135a3be94c51879106eff01f511f6755cd7bf54ba3432096
SHA512

501df940a9be6d92b7dacb9bbacc5b782535d42e830b1f241447d0d5c716208ecd0096942c330b9770f685b7526f9e0a08dfd72a07d43572a49d5069d46cbd62
SSDEEP

12288:YMDRxxcZ8V9gYLpvr25Bm9Z/pUz6N0k8Cy2LVaP7D0:BZcZ8V97r2OXFoA

Score

10^/10

cybergate operation7 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

OPERATION7

polluelos.no-ip.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
syystem32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Not compatible with SO
message_box_title
Atheuz V1
password
admin
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OP7_Injector.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\syystem32.exe"	OP7_Injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	OP7_Injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\syystem32.exe"	OP7_Injector.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAT4DON-A4Q0-1N20-265P-0AK6Y1F205U2}\StubPath = "C:\\Windows\\system32\\system32\\syystem32.exe Restart"	OP7_Injector.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAT4DON-A4Q0-1N20-265P-0AK6Y1F205U2}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAT4DON-A4Q0-1N20-265P-0AK6Y1F205U2}\StubPath = "C:\\Windows\\system32\\system32\\syystem32.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CAT4DON-A4Q0-1N20-265P-0AK6Y1F205U2}	OP7_Injector.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	syystem32.exe
2340	syystem32.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	OP7_Injector.exe
2072	OP7_Injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\syystem32.exe"	OP7_Injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\syystem32.exe"	OP7_Injector.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system32\syystem32.exe	OP7_Injector.exe
File opened for modification	C:\Windows\SysWOW64\system32\syystem32.exe	OP7_Injector.exe
File opened for modification	C:\Windows\SysWOW64\system32\syystem32.exe	OP7_Injector.exe
File opened for modification	C:\Windows\SysWOW64\system32\	OP7_Injector.exe
File opened for modification	C:\Windows\SysWOW64\system32\syystem32.exe	syystem32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2108	2420	OP7_Injector.exe	29
PID 2336 set thread context of 2340	2336	syystem32.exe	34

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2108-24-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral3/memory/664-547-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral3/memory/664-925-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syystem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OP7_Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OP7_Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OP7_Injector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	OP7_Injector.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	OP7_Injector.exe
Token: SeDebugPrivilege	2072	OP7_Injector.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2108	OP7_Injector.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2420	OP7_Injector.exe
2336	syystem32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2420 wrote to memory of 2108	2420	OP7_Injector.exe	29
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20
PID 2108 wrote to memory of 1284	2108	OP7_Injector.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:664
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2072
    - - C:\Windows\SysWOW64\system32\syystem32.exe
        
        "C:\Windows\system32\system32\syystem32.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
      - C:\Windows\SysWOW64\system32\syystem32.exe
        
        "C:\Windows\SysWOW64\system32\syystem32.exe"
        6⤵
        Executes dropped EXE
        
        PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
d22ae3d7b3efbc99b42d3fbb22429ce7

SHA1
302f0ac22c9335af0cea9d404c62191a0c648e2e

SHA256
a957e978fc2b1d5706897cc6f7846fb27e601da192d60e805b86c2bd23671573

SHA512
063f6060a71f8f4ac8a1b43f02a258be60992a822e13e05e1b0321964bfc5c112d6b350e7ef56a0d1f0bb05113d4692b5304c5d47a248f06b200cb49944affcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3d936c4231aed334c0910104c901f225

SHA1
b8453305d373d9927501c9719a37b8f9dc42ffc6

SHA256
d9d556dca1b049bb9ca237241529cb828bd8e278c5f126c357b9a940bfb01d45

SHA512
73abe3cd2ed43d110f854f042f15d1d97c650df5310feca77ed0b2ad9be9648385c61ba8cf09b6ff9008f0dec72fef0d55689ccb53b50ce6cc4d0d9268f52a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
eb1d5e24d50628f1d54586a50458a487

SHA1
ce17a9cd96fd9429026799a7a2c74f323e6e6e87

SHA256
acc859acd4156a30d493b1417973396809b2959f6603c56b2682ac003fd432ac

SHA512
d33950cad51223797f750e087e008eb510fb63949dbbdd12d27faf6a2ad201f78efda965b879c2517692d2f70e1bb8258ba86e1c8d0e9dd58e2ddc6714e87862

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
512fa76d9b20b6aacb794bf44d5d6e42

SHA1
2d2c98ccecc05f462947184bc2a12b5890a7a1f5

SHA256
8e209141c55234f0db769b33e78477143a79a05c4e1f06f20d34278c4f063c59

SHA512
b424bca5d45484083b4dcc7cb8001bcb2e7895770d3bf4e251ccce41e8d4a1b04bf7706df1ef690a9bbfe094ecad70af687e72f481f4d667cf1f227da5c4ddd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8d21ebfabafc5e8b66524b30714a193c

SHA1
f1f0cb8883b8d316bed4da0c266ed95cb391e4b5

SHA256
58acfe89aec12b1a9168887cd31d8bde1a2d44f3425ef6d62b233a25d19b66ea

SHA512
74a5f0c5ae00ba81a315911c9f8866b3369d0459fb22ba072c26420da6086c7509678ab15ad71aac89ec1c483b5e339755a078027a9d678c00ddf5fc3c6920d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
26458c36e445121b283f7a503146bed2

SHA1
a12c8e7e22faa6378d57f697822c7125df7f9ab2

SHA256
609aa03e42c40b186cf5e0efcc50bafa568cb72543d6319411a379be4dada671

SHA512
abe929c7957112c2e451d33c199fb93c62a1be26ccba0db3795f6884c5382cd2586343dfe6d3fb579703c2d28647a34a989d45c72c254e286a5ee09441e86a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e11bd4eef3672c8322a1cbb91a0c8f43

SHA1
3268021850f830afa5d4308bcc15d7529b6ad318

SHA256
d1363209e78cc99e5da501b2df744c79d363bfd2d2cdb6c98a0356fe84a87bfb

SHA512
15f640d68e05510406a62037fe35903812f7145b9d6d7d9e5adb0890da2b745fd9b90056947aa92301302e2e629c6972cd5c91b81bdda485bf726b1d3bdfee94

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
00ca9bd7ec5c03dd3685a1341338c0de

SHA1
afc131891910631090e7a1e8ff7918cdf30456b4

SHA256
924c76f9880ef9696d0969590bb4c4cc4f029d5a3cee05ce51ae29659738a17f

SHA512
253884a925a4b59356708796416ff59761e4830ab10207452d73628803e97d2028ecc7108f6a40a840ea43d7ef09e65f20c8bd6dd6984a6b1a2464941177840a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c151d6f46ea876a3f218d769e45e5d40

SHA1
7057b1a59057fd5feb1f0fe2b8c2094078c7ee6e

SHA256
8c86c97518cc3c46e86faed3e2080ff9e6ac9e9fb9dbdb38a1747992b2727073

SHA512
91efc63238bfc18f6f47cbd1330e733cdb44978d12311265813779958e0a3523660276706ca001973d49f927299b6d2a577f8001412e159274ceb40ad634a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c802e924edf6cf9b4097209c35c055d2

SHA1
74ef20ae69820b563420bec01e227683ca548040

SHA256
58c9dace0197ce622e893bbcd040f860f29f13f68b7629384b7258fe48d95b46

SHA512
c05f2c36ca4b9dd1cde59f9d2d1008faec876769628771776def142a6c4695b4628cfa9813d2f0fa8918e7c7f69d7551f2b087f0bde7e9dd5e661c7249bcb266

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2d81cdb95e2b07c308cce3ab849bcd91

SHA1
ab4005363f2d898e579f52e6c902f83fa1e13ae4

SHA256
37b7d8bfdaabe8019d8023f77234a0b7b4ce686ca704922159b79ee251f71fba

SHA512
92384d02d4555c5481cef73fb8e8b4b8aaa08fff8641a6254ce94a440b50dde9976da99df826dcbeb9ad4acfe9b19e2daace1250dd2e85e5e8511942cfae2d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8a6854dbffd7088778f35857f6f66d8b

SHA1
2e9c3943a4c44a8f7290f818d73cc0fd1a7fdf0d

SHA256
240377b25d9c89e4a018d297282d99b0bccfa02c76eb0c71dbcd3a0c8b7759e5

SHA512
c769a1d00d2ffae307ddba76a4a09c0dba8dce37bd9f907604e66628af5fc8a74101bce0d15b12ba2666f7ceb7e0550eaee9ddda53b884b99ef000b9553d1c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
80c21f105f3a10bf670617ee2127cbf1

SHA1
5922301622ccfa281d3c3a0e6389d7c2fb51637c

SHA256
2cf523b3b654024a60b94e0bc9e22b933c0f3b88c71559a8c04c3189989eccd1

SHA512
e09d7f2b09e001a52f386ba5e935ab1a0297ed82599eac743058c7d456cac20cb7d69494bad21e0ee6462b97080a5de35aa87926d5530e9dfb74a6ad4314c38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4130a12f41dd690f7eb70d3873583a46

SHA1
f767283c97cbe4b61e86947087beae6012590cd8

SHA256
f5712edba6e1e4ec37ab55166e6a76e4cda40070701ca1a0622fd408bd986e6e

SHA512
318fd4f8bb6a602585b55e7c76c057524e90501bdd4f7a176e0424aacea8f51b5032e3e8638caebbe1f8edcd8d31492317a94a8e70f94d945415514b313c902d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0f2635b18f1f1e751c5ee58007274436

SHA1
8a9ac284c47cf7e1f8189035fab345cee57a80b3

SHA256
a1458ef7e2698e9282530d8c13d8f1eeeb9331fa6abd8a1912fa53f3fc6fdd5b

SHA512
4feb2dd17dc42b5725086cea47139827fb137c8dd240465b901917cd601470f133fa3eb1c3c549dc9594c67573e74e43886c4b55fc95bb0f0bc6a3b7544125f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5098f5ec04f9fc0d1dd5fbcac8ec83ed

SHA1
8cc92593ae1f105d33ddba9034dba9d2dcb47d9e

SHA256
454e02da790a222abd0895ecdb8ba6217babfdc8366036c2db3bb6f6f032289d

SHA512
69101c1df089abaed7c6d04c5eb7346e4c0e52406250723848ca8ca8d96f5619da4f3002890934bada508d780fc31ae5ff769ee54721c481abd3a7aaf01bd075

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
46fce2d3b923ce21af7f673fbe0008f0

SHA1
4bd32e07e3729fac2d5f71f9c3a5d33fe708860d

SHA256
278c2985a13afd85f142f3f48dd9cb556aae1e99247a03032cd05cbb35286afd

SHA512
3d1c7c898eeb96daf48defc79fff690b76b46fea83bb3e17435c922bf6deef9079f05df337bb2e6a44026287d307b042b66e68c8457f29dea56e7dda7c4d9081

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ded38b3c63f9f271221f730e6f13a17e

SHA1
5ef4931d84cc2085093edbe907fe2f716eaead8b

SHA256
3b1fed184a415f37e4c7785185aae422b803550681a8ea5e56959170b28205a2

SHA512
0f3824cb9c1b54995ba4a54c78c1e3a5b0cd1a88d49cddb558cbd36bf1e71f74b70d6a2c7669b5ca261be1f23fa17efc38753eb44cfb58bd535c072eb2f916b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
837e216a764874285bf443dd48d21b80

SHA1
1c677a3cb9185b332ea2f4d991ece63075729dbf

SHA256
c47fc7753895f0b0e1b0a692c8f395768b6072594b8e451629071094cce5b7ab

SHA512
f6678739dc78eb4870f6456e45eba72ee44b7f9c95dc14213b235bc917b865a47932a8f2c8f27e955925531abc1a78e2a5a496751086d5c2d0858dea2a701f4b

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\system32\syystem32.exe

Filesize
510KB

MD5
5694f7da1daedb0591c5f76a098e57ef

SHA1
10d34b602dc7efae4603725e15f80a3ae335c535

SHA256
ebd82554ff28e53d135a3be94c51879106eff01f511f6755cd7bf54ba3432096

SHA512
501df940a9be6d92b7dacb9bbacc5b782535d42e830b1f241447d0d5c716208ecd0096942c330b9770f685b7526f9e0a08dfd72a07d43572a49d5069d46cbd62

Download Submit
memory/664-268-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/664-270-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/664-547-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/664-925-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1284-25-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/2108-20-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-879-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-319-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-24-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/2108-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-12-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-15-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2108-4-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads