cybergate | fa35778cd58754297fef513a4e15371bd1c7045e535d28d490ac2046787854d0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Size

576KB
MD5

e896eba812ea3fb2e54b56b78444d08c
SHA1

fb80a88176e921a625f71b2eed24e7b7a8191e96
SHA256

fa35778cd58754297fef513a4e15371bd1c7045e535d28d490ac2046787854d0
SHA512

49962050ecff6b1212b914cca638e6628593fef3dff8c514a11f234aa3784a6c1eb6bbf849164b881fd604a7e4cebacf3dea2e5f9ac7807660c536075037edaa
SSDEEP

12288:B58QaE7V0AlfdX4VVS3AHbzdQM58QaE7V0AlfdX4VVS3AHbzdQ/:YQaKiUlHAHNQ5QaKiUlHAHNQ/

Score

10^/10

cybergate mast discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

mast

10.12.155.178:333

mastadont.no-ip.org:333

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
10
ftp_password
j95pu0wt
ftp_port
21
ftp_server
stealagress.far.ru
ftp_username
w246246
injected_process
explorer.exe
install_dir
svchoster
install_file
winhost.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
mast
regkey_hkcu
winhost.exe
regkey_hklm
winhost

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchoster\\winhost.exe"	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\svchoster\\winhost.exe"	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{25V2X504-T3S2-5IXU-FMWK-LEEJ22V4QS67}	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25V2X504-T3S2-5IXU-FMWK-LEEJ22V4QS67}\StubPath = "C:\\Windows\\system32\\svchoster\\winhost.exe Restart"	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{25V2X504-T3S2-5IXU-FMWK-LEEJ22V4QS67}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25V2X504-T3S2-5IXU-FMWK-LEEJ22V4QS67}\StubPath = "C:\\Windows\\system32\\svchoster\\winhost.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4248	winhost.exe
2004	winhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winhost = "C:\\Windows\\system32\\svchoster\\winhost.exe"	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\system32\\svchoster\\winhost.exe"	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchoster\winhost.exe	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchoster\winhost.exe	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchoster\winhost.exe	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchoster\	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchoster\winhost.exe	winhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3352 set thread context of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 4248 set thread context of 2004	4248	winhost.exe	89

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1416-4-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1416-5-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1416-6-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1416-7-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1416-10-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1416-14-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1416-31-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4136-77-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4436-149-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1416-148-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2004-174-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/2004-177-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4136-178-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4436-179-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2520	2004	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe
4248	winhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4436	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
Token: SeDebugPrivilege	4436	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
4248	winhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 3352 wrote to memory of 1416	3352	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	83
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56
PID 1416 wrote to memory of 3568	1416	e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:4136
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e896eba812ea3fb2e54b56b78444d08c_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4436
    - - C:\Windows\SysWOW64\svchoster\winhost.exe
        
        "C:\Windows\system32\svchoster\winhost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4248
      - C:\Windows\SysWOW64\svchoster\winhost.exe
        
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 564
        7⤵
        Program crash
        
        PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2004 -ip 2004
1⤵
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
284c5b832b3e4a8df29aa430cef2bee5

SHA1
1ab6a9430fd4efdc523dd4368c06309d8eec4717

SHA256
e509b3b51cdb999f5eed69068456189163ea76a010c2f8e14e72a9ca7a755baa

SHA512
f67d9bce3edfe36d36cdadf7a93c085a0313aa9fced4258a20c582db1a0d426b3502da27d3e7de9c2c17511ea2bd2883e1139692aa8c43a0e0ef862e5b95a612

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e425eaf94572559ad3f7b4789de7aa5b

SHA1
e6a8c707b3f7166080d43a6d2715146d9718f1a3

SHA256
e836044115dcb714cf884a38f4e39645c75ecb75460d139d94721b10f7d13d65

SHA512
8b04c1c865dee9ebd47034a58833284e54c843ea0f22cee6423fd7478643f1205bce86f18070fc34702e0b60e5c60ffea13228d50fde67f381c3e44df82026a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
373ef5de942bbeb7f1aac34a95c10e05

SHA1
f81b4e9b8ae82b84c98890a6804dc4c1237b84b2

SHA256
23679fa1503233f571c3e54374d75dda2bffef671ec5bdad17e104142ed6534a

SHA512
91f11d3ec0136d6ff4b3ce3bd1616aefc63328b3fd616993b2be81a522a3aebbd1dfed5c6e97062530bee34004b77ec51df0edb147068fe94e6ed83aa160da8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
388b06e4d27f838740316ab98adce8de

SHA1
22f4f434e0824f427175efd89589a26592b3efe9

SHA256
88611abbaee17d4508653437165dc1483ae46e26eac62176e2bc503d13ff92a3

SHA512
7cbd1b35315a583adb2fc7c2e92b797f551246231754f4617b61ab9d7162bfc45a4f8f81ea24b82821f49284127e202e4e2a7f87e2d3c22af5891a70d9b2402e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b648545627c62b08ed3b90993286261

SHA1
7f726d5aeb7aa844d44bea01ea8bc945372cf258

SHA256
933bd6ee79061c4bc8f0a4c89896396b69c6cb3f551e3d4fc3ab511995acca8e

SHA512
8c2c8ee9301d4b78c9e43c053eb3f9ab711962331a2a79a73cb9a0c9e1c83a9db78fbe639b2caa9bf5930ce95c8d078282107ac44691b5b0e25bd48c3357480d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
869a06d310c7637b04ded7572ec99731

SHA1
08a2209756fc77fa06ddf55ba503f90d84368aa5

SHA256
847e4fc56938796455088e5f751488fd5ecc9a8d59620cada2dbec8e64fb6d19

SHA512
3340ce9ce504e4b5b9c2377e498b495f6bf1fa13585ebcbc219a1c366abfcac6174686ba728b4d68240b11c5f1ee32961ef4f4564e48d135b314e71e4b161ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
30a870ce09287fcf1dc3532561ad502c

SHA1
2ce902f910e55499acc1cfc05e4234f8e3d66c79

SHA256
ccd3257419a26a1a9e83d43cbaa22609b3fadfcdf8a5b13112392950026f07c4

SHA512
d823355d0a470f0382e2c42a06c51f571a4e468c9e19f9e3c045fc938953c2930dee34bacb9d969d1bdbf798d92ac3db6c1e28cd261141ed0768f47998f02b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7cfee88e246285ab3f631750a02787c3

SHA1
499a9b5ac4e75caed5e8aea006430c25de604d5a

SHA256
dbb06eac153c786966deffde12e212f8e5f2e17b94612696ef1a5603cdcd3cc7

SHA512
5766f7a22def30f1bf1c5d7ca57b786c44a7b609da806d597fe058bfe18080fbfcb83307e8799799d906b3c9c2903ece64f5aa4dd2fcfae6985bf3da0c707cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1b1230972fd313629bb2afec74251833

SHA1
efe03275628c41452155a5cc63050e9fe4558c05

SHA256
acedf6a5b9e12b3aede697a6815db3c0458c9d1887878d906765802e797613ad

SHA512
27efd3b001541364ef1a1029bf8ce2886d31cbe5ad102248c6b6f093a453437a06813394c21c1e0f43af990bc93e78da7356e1ad108ca9ac9086104c66840640

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
692dd248d88d68bd78f70dfa346fb1f7

SHA1
db803d28144d6dc39e08cf49df16487987182419

SHA256
afd6e7669d7286798a949c8541a0c0fb0d6798b3cba09a815920c2d891a182cd

SHA512
30ec386e700601fc3c9fd24786ad1dfde2c433cb71e884805b1eae52c2594b7374fe0ab4f5b65df6e2ef158f91983fed102373264f6b871278b45a4e43f7e1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
bab2b7150f84e19d687751677001280d

SHA1
49b87a3ba9524fe7854c142f130483d5b2d35d47

SHA256
8bed9f95556d789b9156277560cdf3762113eb492bbbb1faad7ae91cb797f753

SHA512
3e5e527f121d824bcc75083bf5e1ee7c9a92c4fb829fac7b699bf659ffb16c024b4b1172df4c198246df1363aecf94ece091afa2a933ea8e5941da0237a3b290

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3de0bb0bd313ddd98b6232cde5def1eb

SHA1
e09273d5d258499a8af958e7faf6b889a5286db7

SHA256
a33ec438e8b4eb3b68c6310d331cfaa95ba4fc6c39b4f9fb869f32309d9182d0

SHA512
8762ee4cf8e424ff2f66d6f4febc3990e9a1ac87672fffa179002485b7efd0496bfa0f73f0a3213f83ee4cc998c7f0146c65966c554a394bd649645487d2da2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b1fab836469e026c17397a7baed01838

SHA1
4e471989f8d9b55a65037bbff33691d6fe0c6141

SHA256
9c7f1aeef03d46a01f349fa2fdca1b7348d9d3cbf5b4ea94ebf7625b764ea61c

SHA512
95618f23aedd7e30722d3ff8ef9bd50baed87c3f77723c665b36c1250a18c3256535aabf193a66bafd96fb28d40693de192c8b43f435023dd0939a8a93d083df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e614bc5a0e3180b2e270189d7076cb98

SHA1
a192746c324ec6a5f100ac55e04c711d27098563

SHA256
f7ad6c8946baa45447801674d8d442966ba9b25eae5a5600151029e7e959e095

SHA512
8e4913b9f7ca93450f54637e74c7156ebf2bfe6b7b07c75f8fb8d2cdd1e3dd94024360317aab5f4d88e2615c24cf2776e433fda473fa9529d8fad2cd1e7f14fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c856fbf6503a30c95da6766706695511

SHA1
3b496c2ef157b237d1a6214dd7aea83d35749c38

SHA256
0ead4400c1b04377208a5de5afd10d286f63f1fd3130daa05398e4c33dfc9d2d

SHA512
9c4d4c2cec5ec3e4182f77d0db2425f119d4faf8401429670db5c030ad4e6257f2940255364536f680b4f24146fe43d2f036f3cfb4acd513fb599a9b3504a25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cb87389c87cb2065d7d80472b7ff3f15

SHA1
490f8e4fc7bb685d0b83999958a77478ab22d926

SHA256
93b771de2eb1af30ed8d098e56a5fc544f3433bb18dc0d481cc41dfaba1c9b8b

SHA512
3b93869d420e4c98b9a7f50ea525f2989c53192febc0889d9a62ca55b50241803d7c133d5ac5f8aa1337d1ac45e5b19163b383b2c4fddd0a69d62ccd4dbdc21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
348ac5d02aaef32d49f8d32a2c8694d4

SHA1
2fb9af084fda9a47acc070f6fa0c91a27bb6af9c

SHA256
e3991c67e833882f4266b4967f45da5a08ea32487a6eaa8148dca33e27955cbc

SHA512
25920e8cf4fbc3e2abaeda455e76381145287c754b04e91671cd9182f73a5e8d6a8cd1e169df74e425ee7a29352221458cbdc3218eaba2ba4d32914edd3cc1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
747789d46c2e1278cb2aa5d5362c2daa

SHA1
857023e4a07b2fe007c9de72b3f34debf01c2866

SHA256
85fbdc2284a335e8dc3b591e140b1b478af32c8de93adbd16da3dadfd9899798

SHA512
6e65e5962a4036ee243077a0fc86771184739fe9835bed1f004c1d3bdec881afed187beb065012e656572a71ece29e6a729cfb1220d8ba027075f8e2df0252f3

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\svchoster\winhost.exe

Filesize
576KB

MD5
e896eba812ea3fb2e54b56b78444d08c

SHA1
fb80a88176e921a625f71b2eed24e7b7a8191e96

SHA256
fa35778cd58754297fef513a4e15371bd1c7045e535d28d490ac2046787854d0

SHA512
49962050ecff6b1212b914cca638e6628593fef3dff8c514a11f234aa3784a6c1eb6bbf849164b881fd604a7e4cebacf3dea2e5f9ac7807660c536075037edaa

Download Submit
memory/1416-14-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1416-148-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1416-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1416-10-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1416-7-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1416-6-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1416-5-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1416-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-177-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2004-174-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4136-77-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4136-178-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/4136-15-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/4136-16-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4436-179-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/4436-149-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download