cybergate | 12e1141af87ec7acfbe9f38540e98383de2a0fc2f8c5137a88fa0945f6eb1b08

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/12/2024, 19:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe
Size

463KB
MD5

e2d97356e3463f5a5336565ac7e014b2
SHA1

16b2193f1bcbf07855e3794dbe1e6e8254c14c93
SHA256

12e1141af87ec7acfbe9f38540e98383de2a0fc2f8c5137a88fa0945f6eb1b08
SHA512

b33c26fa0a36fdf4171907a6cef4811aac2fe217fddcbcda8eaf1e8e4c5465cd2436bd1097794d7be94a719d4be1d1d55a9899c9794e64764a9ace5a1d6f2a53
SSDEEP

6144:jfpdYa4r0oLlfrXrfHqtQJBHUCwWQzu5nxkLv1BY42DorfJo1:jH4pRfDrSK5+CyPeorRo1

Score

10^/10

cybergate mufflon12 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

Mufflon12

mufflon12.zapto.org:1337

Mutex

FF2OU652TXEL8D

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Trace Update
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
09101993

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Trace Update \\server.exe"	twunk_32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Trace Update \\server.exe"	twunk_32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6S0E7CP-28ST-E52O-6473-3O030E6A8K76}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6S0E7CP-28ST-E52O-6473-3O030E6A8K76}\StubPath = "C:\\Windows\\system32\\Trace Update \\server.exe"	twunk_32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6S0E7CP-28ST-E52O-6473-3O030E6A8K76}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6S0E7CP-28ST-E52O-6473-3O030E6A8K76}\StubPath = "C:\\Windows\\system32\\Trace Update \\server.exe Restart"	twunk_32.exe

Executes dropped EXE 29 IoCs

pid	Process
1720	server.exe
2856	server.exe
952	server.exe
2292	server.exe
1444	server.exe
580	server.exe
2372	server.exe
868	server.exe
1572	server.exe
2580	server.exe
2712	server.exe
1820	server.exe
2940	server.exe
2656	server.exe
2268	server.exe
1592	server.exe
496	server.exe
1796	server.exe
2728	server.exe
2892	server.exe
2744	server.exe
2976	server.exe
2732	server.exe
2628	server.exe
1696	server.exe
2176	server.exe
756	server.exe
3052	server.exe
872	server.exe

Loads dropped DLL 29 IoCs

pid	Process
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe
1400	twunk_32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Trace Update \server.exe	twunk_32.exe
File opened for modification	C:\Windows\SysWOW64\Trace Update \server.exe	twunk_32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1400-824-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral1/memory/1400-831-0x00000000104F0000-0x0000000010551000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twunk_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	twunk_32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2360	2072	e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21
PID 2360 wrote to memory of 1216	2360	twunk_32.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e2d97356e3463f5a5336565ac7e014b2_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\twunk_32.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2216
  - - C:\Windows\twunk_32.exe
      "C:\Windows\twunk_32.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1400
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2292
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:580
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2712
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:496
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2744
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
    - - C:\Windows\SysWOW64\Trace Update \server.exe
        
        "C:\Windows\system32\Trace Update \server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
153B

MD5
5a0dc052c05755f3dde24948cae50f83

SHA1
5a6363f7b52fe03f2dff0413a8e592892672cc3d

SHA256
1f739fce0d85c98d01ff0a7ad2d94a3bc3fa514c9967f3ccc1e58cc57466814e

SHA512
5d6bc0c89581eb04565ba94063a1c4c14c521571d846d27987d4a36197024110a1cf136d3e678e2f01d44437f8b5e67901ac10d0b9efd90a69021b111a0e1a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
459B

MD5
8d36fddd581b4f2d9f217c7ae2ea6828

SHA1
729713bea7fc014ce2ecb265f371d24a6ac1d767

SHA256
5e782eef079219543190baba814ec6b601bff11a6ade44c7a83be3da9f5bd97f

SHA512
73e94bf0d26fd60b3c0db054c391b06dcd3d9f5dc16262fb60682896878436212fc4014faa09e3c80afe0c35be8231052685205c2b8543dd363844820dae041e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
612B

MD5
9c82cd594d30455c114ed29d95cfd3c3

SHA1
8b08b3e852ba90a4d4b6879e9b70bb62a69ac4b5

SHA256
5e1a4aaf0b3b84a255018796679bd101589ef0b1c4cb4476762fb1cd85a506e1

SHA512
77a9e5229f87f446735f6df7e27a842ef6120222d00a24ec63e12842f6747fcf182b7fdb59a652ba281a73d40c74eedcfd86815d6e3e14cf118f1421202d2132

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
765B

MD5
c3210b5e7a546e37bb086707d1cb8fde

SHA1
ad684a796a4e7e3972db6647b7b00986ff4733c2

SHA256
84cc857706a65b374b713f5db348305e521c43e4a5d50904e241bdb939b6fcc4

SHA512
fcf92bb1a594c33562e004275220e445f4767f305046776582dea246407951c1fa8d1766646565f08c47e1bd1117a23570937b9eaaa99801d8d9eb31cd89d299

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
fe164e8c0f5d0f4252be5b25fcc6dc88

SHA1
fa160614f22d7bd84bfa7df938141b7659b74158

SHA256
2c2e518de03fbaaa08323bf60880c4ae2d5417b42e856c96e79bcc7a4bf3c8f8

SHA512
578288a54ba54ec5a1c65c68662f6363b8631603afcd1441070a8951824fe8a826479da57e4681b974adb820a42cbd4f6c78ea94f9e7b401c392b624528d84f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
c5e57b7ead21384ce422b673de1b2dc6

SHA1
8f72186a92189c527f6bf124ab3c7fb390cd778f

SHA256
98b7cb28e6122a01848c281192d9c656715cf17b8225a56d4dcc697a643878ee

SHA512
15ea02612c66511faefd34b88fe568796ab3ceae234c55c1616e75bb621c7be6a43803370e5b2f85034b10aee26684a61bdae55e04a89dbac64cce49b983451d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
7eab8efa3d126a69c1a92f99095f1c86

SHA1
f165a11de2785e237ab66d9aae0aa591948adfd1

SHA256
af98407c9882ae501ec7f5c9eac47033e39a493783cde16dbdf1e706dcb49971

SHA512
d6dda1bbfb9137fa174eb8f9f4331202732d90c46b61d15317ee1383fecb9adfa7248757fa29a1bf637ea3eb0975adf873eaf8c7abb66435934721f932645904

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
86bfcd4eb1a135b68ae9e57a8641fb96

SHA1
f3bd3a3471cfcdaf9f6a1b8d47130680ad77fa41

SHA256
c9a892cf56a76e617e9c422a45a6f2f8c5e970094d6ed257cb5abefa1564022d

SHA512
020bbf773326751919aad33465bd57024014e81f2b899675ddd6f62c81679678c41520d8580e0f1a65fc055caf0834be615993078f604ff362fd8316b95a59ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
5159f6471ada101363e8c27cd34fb3c7

SHA1
5de7f5c12912ce40c93a8ac3ac0932029b74de6e

SHA256
1c0be058a28e0cc66e0e2f77961a0adee50b2d1228e64970bb4260161139c106

SHA512
fd21f49d9ff4a2dea820d9525f7d0e1774f3ac23f9b855d5b269accbfbb4fe9d02075992d011bba8ad247dd47928417a202ba767f2c7aa2098bcc3eb5bd4d214

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
2420885780cf623f904a120585ba39fe

SHA1
64b5ba82bba7c8c7984966949d8d9292a43a3019

SHA256
8b94ab781d5da4053697536ab7579395bc9e5e5d23d9e54c685a51f8f1c16e09

SHA512
31115db6754428939f4fb608d6e86d0bd24eabb2eff60fcefc36def57ba694ab0c9507bc9ec7715dc1a5857c4f405f57071444c27e2804a7376fd2a64d8cc4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
1KB

MD5
89e81697185fb7468962c2da3a54fd48

SHA1
024f51206c7eb7d80dd6784de12acb60011ec8f2

SHA256
aad76303b1bfb1ebc3e37d31f2b3f725da7f0b2a5bab7c764de62a7d44d2d15b

SHA512
763c9be6d94a8cd3914821e9c7a6510e5a2d10084bad4be36791463ce2255d403a8253464195d6d4ec0cc62d69e4d061db027d71214afb7e7b630d965aa2ca40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
99eadc93f96f25439810b1db169f59e7

SHA1
f84cb581593ef59e0550e536e26a3cb28f43a680

SHA256
ca6a42c1b76318d800dc3ae14389d57fee7d4cdcc229ab0dd24b560e9b0c0732

SHA512
5b9ccfd6a3a69a19f97e3afa61ed0edaf3ab5d9602a656de79dcab7e86c94e3754ee73a03daae4a96857b4b5b5b2b8e279773cc4f73d749c8ea027c9ce0d8f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
fa15e89f5c87a10cdaea30d48b5a0e60

SHA1
7183723158d193d560f104d0d3df66476f3683da

SHA256
b577de42d9e155860b01cfeea174ef623ae70138e1959cbda91d58d4f9634fa5

SHA512
e03349a65bf6c020baa2895b51cffffbcf3c1f911ffb4e376d1a916ae599e88b22db2ab5152e3331b14ed7f3cf908ea5c9d7e301ec4ff356da9a69189f109b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
7e1bfd5380867a01eeb4db171f951408

SHA1
1b495acfb4e2444f01b9350fd4d61d5ec7b0b522

SHA256
92a0d0f7f79d62d7e08edaf2a481ca39b91337ee563d18af819f367edbbe719c

SHA512
e0a2aadba2892d5f9fff064164193fa742f8a645f61088579ef95036e8fb60d3d3c9fe9edbee24c20d3386672bb6d3e9c4f095c826fd6bbf7bc3a8bade9bd88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
c526883e07f3023e2ef1eb9c8f4d07a9

SHA1
043bb78d511b5a501491f7c6af249f0f14498ce3

SHA256
e69e5c8ca2b99f504b2cf2b96ba801ec6297b04a9f30d9c4af1a1c6d97bca1de

SHA512
48198e28ac089ceacb8728bf9a6136becdd297e53bd1418c275cdda6f5dc177942ef8036b0141fb1c0be4a13dbb82690064c68caf4631fefb7e5eb726eb41455

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
2KB

MD5
2021477389a8427c4ba69a9b2e22b51b

SHA1
3bc7b494051c143f0de871c267b5de1fa689e9cf

SHA256
c6e615036cfbad6512747d3c3614da1f7e8cea944c0d09317528ffa0f51c17ec

SHA512
020f91fdc11ecc5e4ffbbd0a134dd1f48ed6fa33c2d239d9cfea85128162f8c990a06d55cdb44346685f6d0769884bbe0d617a45fb456105c6e7700f304e9517

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG

Filesize
4KB

MD5
734f736504531047064ef5505dee8cdf

SHA1
3536ea438db5a262901488ad1168fdcdbb760a0f

SHA256
d0201d233c2a2c2de1bcd95f2d122c8a6e37ce8a73543c81f3d1932060bc723e

SHA512
f4a15f5c448c413c7e2dfe75016456cf1be9e993afede97be6a348b72ac35a8fff4a2519e08c8e89b02a1e05b2a25593a820ca4a1bd0dc60535a377970c3d71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
04c0ad164d877c0f7e10934bec8ee904

SHA1
4e94e81141fac16f14e92b4fc14572ab81d88088

SHA256
782cee4aea838e300a2882bd3a742b90296dcba3165e531a9282ce9779656e49

SHA512
70fb7295544dd0f1c74b39aca4069911e716a580513d5a0e525cdda5635a902740a0c3dc3f523049fb7ad63c0570eee700a73bb1a6b27e53bf8d518c36a757a6

Download Submit
C:\Windows\SysWOW64\Trace Update \server.exe

Filesize
30KB

MD5
0bd6e68f3ea0dd62cd86283d86895381

SHA1
e207de5c580279ad40c89bf6f2c2d47c77efd626

SHA256
a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b

SHA512
26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4

Download Submit
memory/1216-32-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1400-831-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/1400-824-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/1400-517-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2072-0-0x0000000074261000-0x0000000074262000-memory.dmp

Filesize
4KB

Download
memory/2072-1-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-28-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-2-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-26-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-27-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads