cybergate | f1521017831c700cc9049b7533fc03ebcc331e8ead37e473d1a980c3bff74189

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Size

476KB
MD5

e44f70d7d1b9c185e3bc419e28ce6e2d
SHA1

ac5d94ab2c5d2c7cd51f7f3b7656ae6908fa9440
SHA256

f1521017831c700cc9049b7533fc03ebcc331e8ead37e473d1a980c3bff74189
SHA512

2abf01ddfdfd32afdf9114eb29943371fc3ee83ba2478b1a947c5f1fe4057c71e5d2fb9c259d4fc21138eeb23c18d0438e4f728a7ce2e652d0dfce7d2241b465
SSDEEP

12288:BFzP9jHTYIIIYKiBL/IRz61z9ycaRoP8RZ9:T9bpKBL/jbgJRZ9

Score

10^/10

cybergate remote discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

crazyhack.no-ip.biz:100

Mutex

7010C5D6E6VO72

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{462EMHJM-8RQ8-P764-6LJ3-F83MLL31GY1D}	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{462EMHJM-8RQ8-P764-6LJ3-F83MLL31GY1D}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{462EMHJM-8RQ8-P764-6LJ3-F83MLL31GY1D}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{462EMHJM-8RQ8-P764-6LJ3-F83MLL31GY1D}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
3712	server.exe
1700	server.exe
412	server.exe
1928	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	server.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1724 set thread context of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1700 set thread context of 1928	1700	server.exe	89
PID 3712 set thread context of 412	3712	server.exe	90

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5072-9-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/5072-12-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/5072-70-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1508-143-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/1508-178-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3588	412	WerFault.exe	90
3096	1928	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1508	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	3852	explorer.exe
Token: SeRestorePrivilege	3852	explorer.exe
Token: SeBackupPrivilege	1508	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Token: SeRestorePrivilege	1508	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
1700	server.exe
3712	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 1724 wrote to memory of 5072	1724	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	83
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56
PID 5072 wrote to memory of 3508	5072	e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3852
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:100
  - - C:\Users\Admin\AppData\Local\Temp\e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e44f70d7d1b9c185e3bc419e28ce6e2d_JaffaCakes118.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1508
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3712
      - C:\Windows\SysWOW64\install\server.exe
        
        C:\Windows\SysWOW64\install\server.exe
        6⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 560
        7⤵
        Program crash
        
        PID:3588
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1700
    - - C:\Windows\SysWOW64\install\server.exe
        
        C:\Windows\SysWOW64\install\server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 580
        6⤵
        Program crash
        
        PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 412 -ip 412
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1928 -ip 1928
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
126bf1dd3633cd9b9b8329596ae73e99

SHA1
d2015ea14bfbf57c410384242203b1cdeb5f441e

SHA256
6ff3c39f837f2caf66e10d79d9f23ccfdb6104e4f887c1b8968148e93129569c

SHA512
45039719a987bb69c7cc983b615ba35f6ab43b37ea6820bf263bd31844f43a06b742a487e56b716e988607b6eeb93a408a6caa1b85be9c052ced72623e90675e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0ad051e17263c8f49609c51480611ad9

SHA1
32854c678b82fe20e57463e6f68fd2c23276f738

SHA256
1c9ecb7daa1e2b5c8759ad9df051a7db24273654ef2253f86e0634f2dd82ac7d

SHA512
99e682b4e3d7b9f16aca8a6a6156f461628d7ebbbd9c4be60b84690f08b0a679a5616691230d25cded8ad7c9437891f86baf8bba8447d60338ad2178a84bb7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3275bfd396abad2f343ba0b778edd60d

SHA1
f381ac6f761cff4d5d852b6a102b0d22bf6fda75

SHA256
5c5b06a21003d4ec16a756a8d32771be21331b5a16b16008a08bcd29bc483b8b

SHA512
93afe65281ff8fb5891fb408522e23000ed56f0f19b4c53ff4cadad3d480351cb437bd226d2cc90531ad66fcd21af9bedb2de92a71ee8186b57f9024c4a820c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
01e9f4e256ae50b33b201058a188f035

SHA1
14d06aa924f113d85c930b2661e8488a71d5c067

SHA256
074012aa54b0922e9ebde0707645fde5677c418517c4f2582607a3466861fc0e

SHA512
f84ccf1e8c924f623b95f3cafda96762f660b9e7a80969174391ac532d454ff79efd0c41392a3d1830670a1410f94aa14ea78592bdab8df4a571ea51cf13eba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2cfbe1e9a420024d7276bb7aef7a9132

SHA1
cfa0ef0e1e2f88544bb38bb2d11f4f91480a7e4a

SHA256
a30d81adfdfebd6e378b1368436e88a8e4cd2ce895cf5a1b5cb4c8e0f8336fb5

SHA512
727d3c4ce37c7c783ad060a5879a5fb171b260884fa1c8d3a022e7c30657ac98bfa063fd8b6470b60eb09b4f1ee30f5ae6fb822189a45c352f6aace6ce1f41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
56ebcb59d9cd6ff3db57a78363805557

SHA1
3754123eb3a9fbe23d78bae8090f9501a29d5a87

SHA256
5f08deb030c78fd950bc88bfbffa532a698aed5d5f323c28212f0881520549a3

SHA512
3ebf7d0c90be147ca3bad8c14d1640722abfdc6e5d1bc29051340b9d8b757151ace35e565b9e2b52949d2aff5273bf79b9ea554bf12cc8a46e01492d1231c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
0597b22dcd4381892852dd76bfb8e0bf

SHA1
a248237828599048cdd03d0cd11558f3b3adaed6

SHA256
3a60fe96ff222b4e7bcf26721756cfc3b9e202667d25fca33f4fbd5525820171

SHA512
af903d55fe12f7479934c3732caf9bbd029139ecd6cc1abd6070771797f2acfc2283e685a1073a110178e9615638d2069d840ac8caa5ac8864ac536f67bf78fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dd0460a015645c5073148711825d2e1b

SHA1
1d6a9fc49b003ad55b0e5a33354c7ceb7c47e104

SHA256
0d1c956a1ff2d2a6fcef0fa0e61638047528b17cd718bbe693f918547432b0a0

SHA512
4a9c3d861a3dacea43da5df3d849a39159c63c1b86ba8ed7097253741a3c5896f5d4fa4aaa37dbef396d7be247994e810772e0043874b529b778898454030593

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f524a7ca145fcbad87c299253a9898b

SHA1
060bc074308a2b63cc0e7d181421b75cf675342b

SHA256
d4084af99d72088ac31fe2c9be92dc72cbdd0f12fdfc053a955878dc664dbce6

SHA512
615d70db5e484d236187b6a110b5f05eb820b78c22be5fc0fa15b6a0f24faefd50ebc08f5f1d2ce469dd819ae09e679dac2b7e6b8d5ecfd6d0d25f68fb28d515

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
15c60e03990a05067927f75c0398c2d1

SHA1
630870cfc46e9c921774ed241bcbbd8d8a99ce94

SHA256
05773afe9e48865936378e5eb3dad2520eb933088648d5799b2d4d5692b65e25

SHA512
a6daed5d1b90d3dde86a816d93b2ca693fa8f3642d0183e5ee0d1e4df42098bcec75d34e2e1e2e808520fda4e21bf6779a988a3824e2071ce2c9bb6146207b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
a152f3e5cd28a33fe843127af0ada3ef

SHA1
f765e804e0255eabb42f87378ceae00c8dd4fcea

SHA256
782a7b72a37619f3ae96e11a27d5d5aaf394adb9383a01ac864a3ef50e785675

SHA512
7846fce0a00f817b59f613d768c47d25ecc0561f7b4b2d13a81594482e5f5319ddf3f52e43eac016e7174fa0c4ad26be6d3a5a375525ed01d47388eaf061283a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ba354a7be93c9bffe4249a3d0a981869

SHA1
bce9e8cb5c2a04c85a62b0d117268c4135d836f9

SHA256
e2037c81fc780deadc7e3e42ec7ef6dd963ea943d5bbd09df63e280f8a50ac47

SHA512
02a1fee42fc51df2bade845b5b8b3d1042588913ef316f2fec1da938fc1e688e2c1268d04bd73853d53b09bef06d19b9fbf7c42e2dff578dc3d1237fda39e50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c7c9dd9f20e880301ed43a26944be2d5

SHA1
2639d78e659834b186e757291e14800f85612bf3

SHA256
2d01850323613e0d198f6b7ec8b7faeac4ee895b6090f4525cc96cd1e220d4fe

SHA512
391ca4b20e161b7a7f4b5e3516f197edf8195d00deae6854687f75654973b90955f1bc0bca64bc35f9ebd1c92c686468dd0e956e10bd374b192fb8cc9e9bd093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e82d521166a2ce11f3e2311ade4d6857

SHA1
56c78a92cf4a38ed3c731f60569c8cdb28e85646

SHA256
d4d7af3f25d3e102175841f2a9bb5b9987135bd40f50bc1639e1bfeda2a5bf96

SHA512
2d9d1424a4b59ed5e9a3f5233d8f64ac3b3dd71671d4b456596d53748062f9f79f80934e58a3872e7abf5803c0f27bf2718bbc80b04c0787de160ab8747b15d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
037c39437c4d0d0d002b99075f2ba00f

SHA1
364d1246235a9cafce66c78589a0b31a15be3a3c

SHA256
e83f7e68613f3b173bc03ee32b352c14fabef23166e3c4568623bae68744fa68

SHA512
3b9eabe17c43cf19a684802322c005d394b9bd91c85fba6d99e3fdc73a1155d1e6a1e9379892f0b20dddb5520d6c9ab0082167553a6e60de0cad7b577916a532

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6a2fb9ff79c2988a07169b371f8e59f7

SHA1
d17531b93407103d1eadc0b6f80b64cedd51de12

SHA256
0be6c6315ab51b71e1a9b23130086feb79fcb9ebf929e7c7a3ffadeac9e48058

SHA512
ac40450dbbfa5b4f3fa7b73bd94849a2515a9df9ee4d45d8b5aee88c97ce618fbaaed1285255a7c4977d015150c47ab718fd83b4559f8ee923bcd5d7b139d16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
164aea2cc7392f5aec9684535f72e544

SHA1
aef1bae5503c914dbe8ff42e8f1defa55d8a716e

SHA256
188350f360826c70d7e6a3065b5d9f231773851ee0977e0b8819a53608d43e20

SHA512
f5a919a180e2ed6435bf240bfaceb24f75810df9a1ab41fb7beef59fe04c82cfca9909b0b2a780eba43c8741439b5977275d2ae8aeb7df7de91f0b7551accf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
24aa1b73cf318d8534de83ea7d52b929

SHA1
cdf3237e498b4fa862ca191d5267f56d72ae7c7c

SHA256
eb02e9b11f97321706c00193eca8b14dcf356aff023c9e32a20aa60ebd2a1762

SHA512
94dc129e3b22c8958a52bafd0825b06fffcc4c65e1925a90465c9f3c701df3b3b9178f2e54365693a425574f7d3d0720d4a45bd7d0fc3e6974718de1718c72b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3aa294661604340798bf8c886ca065a9

SHA1
c68d5d6c7ddfd4a771113b869baa131816d59b7d

SHA256
8eeb3c9ec32f4119e5d86c94861ccc42acfea6ac741b2a4fd1881b80377d7757

SHA512
22f0e461d3502754c41669fc26133c1406eadba9afc6106dfb892511722de4897864c99e66546d0995d2ec9e69887358a84e7ea495b77e36becb8e3c32a2cbb7

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\install\server.exe

Filesize
476KB

MD5
e44f70d7d1b9c185e3bc419e28ce6e2d

SHA1
ac5d94ab2c5d2c7cd51f7f3b7656ae6908fa9440

SHA256
f1521017831c700cc9049b7533fc03ebcc331e8ead37e473d1a980c3bff74189

SHA512
2abf01ddfdfd32afdf9114eb29943371fc3ee83ba2478b1a947c5f1fe4057c71e5d2fb9c259d4fc21138eeb23c18d0438e4f728a7ce2e652d0dfce7d2241b465

Download Submit
memory/1508-143-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1508-178-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/3852-14-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/3852-13-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3852-38-0x0000000000050000-0x0000000000483000-memory.dmp

Filesize
4.2MB

Download
memory/5072-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5072-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5072-2-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5072-12-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5072-70-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5072-163-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5072-9-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/5072-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads