cybergate | a94b1346df3a10e9dcc76f9564d15108825401dbc41395d8712b76c249b4ddd1

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Size

350KB
MD5

e1aa56bcf2fff4fc99c88a84330becc7
SHA1

4b15280ce3f4261287ea66413953700e17161179
SHA256

a94b1346df3a10e9dcc76f9564d15108825401dbc41395d8712b76c249b4ddd1
SHA512

a07d60ec6955df493ca5c8059686e790c08fdee5bd12ebccc49e954c2f9272aa204a17d0548f789325981a99bdc16389045fd939477871b61468e629c3d66ef8
SSDEEP

6144:RYhHdanjQ7VZDphR/RHD2k/7a73t4prmblYydvQ/IbOZm3c1zSiEexfBph+:ah9OjQ7VZDjR/Rjl7a73ly/IbSoIGiEZ

Score

10^/10

cybergate zzzzzrealteksoundzzzzzz discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

zzzzzRealtekSoundzzzzzz

puerto82.no-ip.org:82

192.168.1.2:80

puerto80.no-ip.org:80

puerto81.no-ip.org:81

puerto84.no-ip.org:84

Mutex

1KR5132K6M8J8A

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
RealtekSound
install_file
RealtekSound.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
HABER SI ESTA MIERDA FUNCIONA
message_box_title
Mensaje de prueba
password
HPTAS123
regkey_hkcu
RealtekSound
regkey_hklm
RealtekSound

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\RealtekSound\\RealtekSound.exe"	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\RealtekSound\\RealtekSound.exe"	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C462E730-BMO4-DGM0-F3U6-2C71N4NR2451}	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C462E730-BMO4-DGM0-F3U6-2C71N4NR2451}\StubPath = "C:\\Windows\\RealtekSound\\RealtekSound.exe Restart"	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{C462E730-BMO4-DGM0-F3U6-2C71N4NR2451}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C462E730-BMO4-DGM0-F3U6-2C71N4NR2451}\StubPath = "C:\\Windows\\RealtekSound\\RealtekSound.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4840	RealtekSound.exe
3244	RealtekSound.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealtekSound = "C:\\Windows\\RealtekSound\\RealtekSound.exe"	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RealtekSound = "C:\\Windows\\RealtekSound\\RealtekSound.exe"	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4840 set thread context of 3244	4840	RealtekSound.exe	87

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4360-10-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4360-11-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/4360-72-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4036-77-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4880-149-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/4036-176-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4880-178-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\RealtekSound\RealtekSound.exe	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
File opened for modification	C:\Windows\RealtekSound\RealtekSound.exe	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
File opened for modification	C:\Windows\RealtekSound\RealtekSound.exe	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
File opened for modification	C:\Windows\RealtekSound\	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
File opened for modification	C:\Windows\RealtekSound\RealtekSound.exe	RealtekSound.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4540	3244	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RealtekSound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RealtekSound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4880	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4036	explorer.exe
Token: SeRestorePrivilege	4036	explorer.exe
Token: SeBackupPrivilege	4880	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Token: SeRestorePrivilege	4880	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Token: SeDebugPrivilege	4880	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
Token: SeDebugPrivilege	4880	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
4880	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
4840	RealtekSound.exe
4840	RealtekSound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4504 wrote to memory of 4360	4504	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	82
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56
PID 4360 wrote to memory of 3520	4360	e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e1aa56bcf2fff4fc99c88a84330becc7_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4880
    - - C:\Windows\RealtekSound\RealtekSound.exe
        
        "C:\Windows\RealtekSound\RealtekSound.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4840
      - C:\Windows\RealtekSound\RealtekSound.exe
        
        "C:\Windows\RealtekSound\RealtekSound.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 548
        7⤵
        Program crash
        
        PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3244 -ip 3244
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
225KB

MD5
79757d1daae6f043dee6406c966cfddb

SHA1
dfa9e30d5a2234b8e05209400e2910ee9ea56091

SHA256
4e5b6c51be792e7217fa73945e3455206f761d74303544d548a352c96934422e

SHA512
541c3d31864c5925c6564686e6989c2164dba4931f737247b87bc3cb51a7212090bffb1df90282f7d9f6294c8f32fe92e7edac33477568f81d39ac9f79b3d6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
be523acaf90a1a7474c33c3388a04929

SHA1
c9f35146e50e55869da3a53f6e381d8ef87a8d3d

SHA256
b056302f455bdb421f934aaca6b3b5d09fdff28ee2ce46ed922f5d89c3d9a723

SHA512
3e0ef9793c687b225794032ffe1cc2ddcc04a9b79e8c2a2f0df6df2689f1cf1a19cb97f4ce85396e13c482925e937da85ad3b2cfa5b86d036d7b41fa10eed5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
88490934aad068ff2d2b6ce9af5f9ef2

SHA1
77b01af6c49b9cec94ebf51a301abf3211e956ee

SHA256
6a94dd7a2e3b0998770e55d4185201518dbd2f89bfdff061fc0e667037551a58

SHA512
1bfc0a47dea3c2e4a04a7cddbcf87fdb46300386b195f9377c1d1e397501e4009afac188fd2e62f51934f73226feef060f0905117fbdb6f30d36ac39eb4d935f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
848086d2bf9cf21eb2bd3c88332f734e

SHA1
f910ddda3da7c187c5fcdb20099fd9ec10e08e10

SHA256
769190e634ea5375698d699c93bdf45948ae158f0b55ed9215920ee2f507f02e

SHA512
7b2405d5d088cf2d52788a130a50899a69cb9f32db16c2a300d56e3f2d93bf42c93414df96a4419cbac28149d78e618414ad377af57f4a374798cdaf4f55bcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1e912a3b4f2f551b25b7dfd013ca29e1

SHA1
a1e876516ddcff5252ab54f8293039e7eea08b96

SHA256
3a80b09a8e1b611d953f9d756e99b62ad5ff84fb96d2d93cdcaa5b33a14d8d69

SHA512
0c14c715095c322b43b0d2e4497d546aa36d87a57381d669542ef500d5cdec71646369805bd4ec54a3fb1a19b99c9337ab07f14d3d0fcbb16c537b0ec3228585

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b23d9e64bc2a8a1107a2db5503f56d5b

SHA1
49ee2c7ecf3b9d056d443a5264672b9a8d744ffb

SHA256
e55f444b44d99fe53ef1be2a55b761bb5e4076250ec6a9932dd654464b1d565b

SHA512
e990225df7434afd38121eb54db6cb9061ce5f5a71ed4b1b566550137163236f7a93a77b1a8a1bf0ec04d5c48453829854177afd13587e7449a8928077856153

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
388d23f62256e80ecce7619e62587632

SHA1
c58eedc2f519ff7bc9772c8b8640a98f77d2d46e

SHA256
385134bac4415eeb8b48c0fffa35847b94d6acc83165595221e99dd746700d72

SHA512
3f983ff329de0b74c197537358128c93dec3a3e81300ed1f4a700b7588685fa347850a528fdc19399ceb130ef12f1ac4c6c10cbc8c31a59836c36c1f89d1dbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
173092807aefca9d565cba7703455c7a

SHA1
4987c63918c31b7d27a320699a69979cab70dc07

SHA256
91e1a21530d2b6f8772834585b6e5066d00d6b9d72ae7cdaf319ccf8ec30dd23

SHA512
2ab1f10557dc1eb6923150d2104e129903a63bcc86823c771d2b6c40a2d357bd6f004c0094575ddc591c49ecf8bf16b3c226683fec81f8c939832669ac3fc424

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bf49d88cbbab752fe5c83d6d481bbc62

SHA1
c0c53b94766063a637cfcba8a1455d8a0f2b205c

SHA256
26462c6b5ad1e5842848198d47aabbb18fcce4f5b9d0cc3e38c080dcaaa930dc

SHA512
2f60124fb144d689b2a79e1b0624537757369515c8d3d233d86764131cbb8a00d103c96026b26908f85ec3e3f1d86895122cead7255ccacba8480d34490b2926

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b10a3eb93bbd81fdc44b3e64cd92ca07

SHA1
365e2a9e02317ab556c11f2c0e6d1bcda1fa958d

SHA256
1dd1ae15fa3a8121c1009bf19bbd90b2ffcf95ef69525841d23374b7baab58aa

SHA512
9fcf3b9f97b75dd8193f7578b329781167c58be2b6de111db39d21aa9d5cf5b5c5e667dd19f546b1b429c7cea15b33cc2a88d461c1d382d6ed58c359a7fffdc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
68b3b83c779917b00abe80faf179cd14

SHA1
a1f11390ce88de90961ec900fe1187691c2aebfe

SHA256
a8c020f319c4417a778ed5371de42c96df98357c787f74ae2c19fcfeadb280ed

SHA512
d9820528532021c0e16c6e1cf89ca38a97e799dd48703a3706afcb6116b15902a0359b7435b010c7e2ce3df5423aac5cb2b3cb453ee00efbd159de9561ee6734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
86716e24aec4e7b19159b0c1922398c2

SHA1
ae7fdedeeaa6ae60e517839913a20fead475c17b

SHA256
3536d601727b27b9d013a6099b5c2ac9c0758ad68dbc56745c77b056fdaa1dbd

SHA512
007bdcf41e2d8946650e247900d1fbcd7789653b386003076c32877fa92df7f8555cc4acd669cf627c61c83be9b5755264ba742b3180aafb4fe6141f741e5f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
77665318d8ac9cac204f6580594a9af9

SHA1
f61fcd2d31f0541b262e1a244b19bec2676df55a

SHA256
8efafdff746d4cd85b0a6c4a36ebbbc72b0d825e533927c52bb9ffcee4c59f66

SHA512
87fbeb930ce007d27ac7cc71e5119b9625875b2428a2e9881d578d96fa45311b146c38fd9752b816d84db103de5a41132e5a04e602068959869d29895d3bb069

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6d054bd2e12661a1bbaeb5598091c15d

SHA1
08b118b49ffbef177bd5251cb366b45a74fe5dbf

SHA256
64c91aee750d02bc88eb36a4f3da0a169fe3144ab3a2735141d9dfa8a3f55370

SHA512
79fbeb66ae3d26e7baa9011399a26229c13d57784554729787a29544d13393534f84bb5c270fac4c9f5ae21a908418ae6d466c51ed8969df4509dd1d4dfd1021

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
62cb03d264a5717ffdbceee8fd42bc47

SHA1
a187248d67bbf858128256f11faf9bdb3e31d73d

SHA256
3cf33ce0b8009216b28917583ef057a2afdc1caec6f94b7d3a855c251ab6ceb4

SHA512
5e271d82df9f0094447529efe850374898186e1eb5d2b00e5dfc7299a23223e8fa451b66311ebbacfa8cae465c37933fc001bce4c3f9238b3b2087d7bfb19d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d1a7606e570986eff480bc3c955004ff

SHA1
a882115b5280beccfbcab4655ff8ee4e7e0091f1

SHA256
c7d4960fe0a4df662b74395f85276c75b5964b1743d26bd5b79fac3340c211d7

SHA512
f102790e1e4dbaa28fb56fe808bfca6e2344b78859be1d88b26a9cbbb5a542732624f3211ab993f0095fd006a7dd9920675212615f1630a19a832968b3b21e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c6756c485f50fee3394eed0e25f89dd9

SHA1
3ae157c9a4540ee55c29889196d9266091ac21ff

SHA256
31cf47e9c9c161d9f37434e62153d718450500173440ab603e928190164c994c

SHA512
a5561001482bea78ead8091539e65d7a9c48f9f923ece5ab5fb7a6cb69ce86b8b58e952cee7aa7fa5f1b34d733957cc370f6a383f57dc16732161f99c878e2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c498c8fafd614ab91ade88e4a0435c6

SHA1
5cbc4631624144c45c357973fdd5b23039b0fd3f

SHA256
9bc1549257f7bcc9bba24ae6adaa440314c775f41b34ffc8e04ce69000e7193f

SHA512
e70f4b5b5791f8deae98bf56e6605cdbc7e52fb3a6c5cf41c0396b2037f1383d0b68c4dc3f910710e0282dab959027d93d4e2debb3c9b82dd9557244178f1120

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\RealtekSound\RealtekSound.exe

Filesize
350KB

MD5
e1aa56bcf2fff4fc99c88a84330becc7

SHA1
4b15280ce3f4261287ea66413953700e17161179

SHA256
a94b1346df3a10e9dcc76f9564d15108825401dbc41395d8712b76c249b4ddd1

SHA512
a07d60ec6955df493ca5c8059686e790c08fdee5bd12ebccc49e954c2f9272aa204a17d0548f789325981a99bdc16389045fd939477871b61468e629c3d66ef8

Download Submit
memory/4036-16-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4036-77-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4036-15-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4036-176-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4360-10-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4360-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4360-148-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4360-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4360-72-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4360-31-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4360-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4360-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4360-11-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/4504-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4504-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4840-173-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4880-178-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4880-149-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4880-177-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads