cybergate | b020358b635f38253feb2a7df66483f2fb6da2269f6ed38ee4bc85894d480e20

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/12/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Size

350KB
MD5

f2e154d8cce92ab7b6bb4e35df0e7197
SHA1

761bcee64df6f36bdc98d22ab43753ba09851cde
SHA256

b020358b635f38253feb2a7df66483f2fb6da2269f6ed38ee4bc85894d480e20
SHA512

6e12a83d2494b89533b8e14a74e1ad876a81a36e3e234871df6835de4c44da96e980c2081d7a0ba73a3478ac7a49ff0d0eb65ea19d773ac72db38feff11eaf55
SSDEEP

6144:63hazQR7m8i0Xbr4Zr4Md58B+vlY74jXJK+itM7JCEPSrWt7tT6xKpGs63aC1lPc:60XYH4J4Advla4DJRR6qt7OZT3R1Fc

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

jesiiccaa.no-ip.biz:100

Mutex

S16KA3810546EE

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
update.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\FirefoxUpdate\\install\\update.exe"	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\FirefoxUpdate\\install\\update.exe"	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2I6X0175-5IEW-FF0G-C3R7-7YG3IHBX364H}	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2I6X0175-5IEW-FF0G-C3R7-7YG3IHBX364H}\StubPath = "c:\\directory\\FirefoxUpdate\\install\\update.exe Restart"	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
4596	update.exe
3240	update.exe
4700	update.exe
4568	update.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 4596 set thread context of 3240	4596	update.exe	86
PID 4700 set thread context of 4568	4700	update.exe	91

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2620-12-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2620-71-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1792	3240	WerFault.exe	86
3580	4568	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3648	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	3648	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Token: SeRestorePrivilege	3648	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Token: SeDebugPrivilege	3648	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
Token: SeDebugPrivilege	3648	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
3648	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
4596	update.exe
4596	update.exe
4700	update.exe
4700	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2376 wrote to memory of 2620	2376	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	83
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84
PID 2620 wrote to memory of 3648	2620	f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f2e154d8cce92ab7b6bb4e35df0e7197_JaffaCakes118.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3648
  - - C:\directory\FirefoxUpdate\install\update.exe
      "C:\directory\FirefoxUpdate\install\update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4700
    - - C:\directory\FirefoxUpdate\install\update.exe
        
        5⤵
        Executes dropped EXE
        
        PID:4568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 548
        6⤵
        Program crash
        
        PID:3580
- - C:\directory\FirefoxUpdate\install\update.exe
    "C:\directory\FirefoxUpdate\install\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4596
  - - C:\directory\FirefoxUpdate\install\update.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3240
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 548
        5⤵
        Program crash
        
        PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3240 -ip 3240
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4568 -ip 4568
1⤵
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
99f08ef963e9f134d9a1291b9873496e

SHA1
58c5fc1200db5935d1474b2514480686e6fee694

SHA256
c59b843c870203912138b471e688ab29e00378def9f165c5c4e1e7b3563e74ad

SHA512
93946f26cce71eb060e0fa064ebc1f0aa463af371a95f60b6cf20d8276ddb6666f4332620b56db25f34845715294cbc32e0e54706be4c1a283077f9a14b186db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9f347596477487b842a01b467ce9338e

SHA1
f14ef13dcc865aca1d70b854325a9e98a539fa38

SHA256
2755758f62f9493cf935204c9f361923e27015e5863d930018dc92098c020b28

SHA512
c96a3430605e128997ad889fb3295d6f9bca064e1da9568fefdd3b137173b1d701da515c3175ef4f831504c3563cde76f21bb236feb2f4f73f9043451e1357d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
291354d6ab15fb841c4e15abfe8c6a2a

SHA1
d14624a3f962e4fb2de5866f6550515096cd18e0

SHA256
35cddaecb1ec2258ac662b119f0cfcc16710bdba618e42d75e75d5a73cd1b7f4

SHA512
abad249eeb43de74c36341b6562d4f053ff2c9e30fb04b98bb78be3d018fa897145213be3922535e211323775d870b6a79dd74ce6cdf140ca357426d4fdce253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
cec345a7951512cd42f7872ce70168d4

SHA1
68dfbaf36b38621b2ae6015bbb16291724296932

SHA256
0b2672b068147868428d84f9ef8d9353d1a5874d584caf419b5f7ef361d623a8

SHA512
c7d5f438586811dd32e95410518432fe6b74845a7f0c41fb19248c5c321e5cf8e6fc8049c438ef5f2ecf09b64301addaf912d1640168025846dd8fd71422fd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5cf019079e1a09ad9bc0eea92ada3690

SHA1
f7ebfb6ddddca5093aa215360fa3d7be3a355d3b

SHA256
074a11c0937e7bec3f162021358ef83623aadef204c8f98168b23a70da9f4a7a

SHA512
f8c01a3e16014f56ea73b3e00013fb07c3085b72ef2434813d7204e56656eb7b5b23db4a141a63f3507785ca7b4dd097a73d220f3b9651e337ef8c34ca64c4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b9c70482b150c4e6791534a5fe5205d8

SHA1
8150cc23105e76f1858fcd95387eba410a954642

SHA256
52a95b1e53bb3945c5b91aee6ae50c2a9e6a0d7f1f5afbfd5ae305999b60151e

SHA512
ea18adfb04e011b3b909011e89b92568e4a48ed11b5b564fced1134916255a886c41c1fa474d9b4eba6a9aebf09bcd49dfa1e5898a2ad6fb07f9cf71e5340b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b31a87f808632ed034a56c5a044b0b78

SHA1
9d7e9ae415556b0f117450c9e6ac61eb46d581a0

SHA256
1208a3c52656462e1e2b427ac3323c9f263bf66e96c4c37bacea6beb90daa1f9

SHA512
19e02fbcabfea08dec911f2da79eae9fe447b89bb22922b0f9d6edc06c51c5fa5b83b824cfb31adacb1b42d5823aeb1f29039db4339fae44ff3f0fb3d10f429e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2b1aa67e3e62584300ff55b9fb96050c

SHA1
c09fb9216f61b7a94f40809f1e4db87a73be35b4

SHA256
229e13e37cc662bf5957a174febf3af898b56395cf630ebd72091c3a8d7f2c36

SHA512
cb84f39f116fb9bdb5d15fb84889777512e0a271b1fe53d713fec8024048c0ca1f058042f5d539b19427dba5b79d432753de11c864d1ef9588cec330e2fcd1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
62888f9306d3440a574e9a22ac9b3322

SHA1
aa6abf572abdce0db59bfda2281b740454c9c0dc

SHA256
00a4b79cd0ddd3877ad3d7ee8f8fea81457862756bb7231b8fb43237f68d8570

SHA512
bab33b4b2761c1caba9b5b487dc844192a554f83d9d845c1755b1f6d48ebf3546dff17f559399446fff1a80accc0365a105770ea28a632339931f2119cb9b057

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fc4e9dba2df54393314aff80482df82b

SHA1
122e504b8d896c5fbf6c975451fc8433bf07a47c

SHA256
065c1e167b6dd016e05bcbaa6cb818b23630b758e67a8cc5c36846b93a6115f9

SHA512
6f61c7134fddf9c5f50b7300c68346420fa50c0a7ff9f0d6d1ab37cdb20d7f297269df7119c0fac1d6c028e557c9e882ad524e9d6e9520d20673ef6177a5215a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2098b4065f01fddfbad1adde5c5bcefa

SHA1
ffdd088bef831b36cf75d8314433fc8762ace5da

SHA256
6af44c414d2c49d0b794147ec5d8255ae637e6ed2cde0f9b6b9d961c6a6ea2ab

SHA512
65acb5783a726fc1c7a751aa8b69e5d9aea0cf49957421958cd50b55a993957645a01a4225a577850713d68ef506029d21ed972cc43d37423a2a9d75aed7f034

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
4727a9e0630119d4aa93a642e2edca87

SHA1
0ffa64d3b25ef89a105a29bdd92b7d062a5e975c

SHA256
1af591662c090a6251df32538bf5e6fe509b4f5be2d7fa281cd1009dccb13ca9

SHA512
ccc17b678981e55bc7c6d70d48df14bd41dff7d67dec1a48d68669e6cb5b63385f312ae1bbc5e72c7eae63e70c4d1002ffeac7346d52963772eccdbeb2741135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
409d8d2d49b0be58da7268ee499a8761

SHA1
daffcd77234e004344c7d2e355ac3b0415a09a06

SHA256
2f5f34277c43fa2a2678c43df59a65c9cc38ce6a0af266f22a94b371fac952b3

SHA512
e88f0cafe97f8455b3fb0f30cc9696e66db7b5ed682d26c2f76c1ce5c1924da00a53ae7c025ed6396c76afe77190797f43beb5246e4bc4907ed30ab0f1be9f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1f633eb248f1374bac4183e682d37534

SHA1
0df18c467a2864fef47b232a061476c5ba6b40c5

SHA256
41f8aa3be66c5a9ee503727f6929fdd4afbd36d568ce4673b793a3065303fcad

SHA512
304e545e838bf8892e5fe85c9417dd11d53518eb6914d07009f65a665d0089c9903dc08c54cae6bee90ae4880123a1805585f19403ee1d862954f9a8360cd608

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
28aaf2697a98884ea7260a78b310dac6

SHA1
5534dbd4debf9f1904eeeff1ccbec32052d59d36

SHA256
f02efc3927c682229c72b3dbe41a563970676c9f30440cc485821f6a7248dcca

SHA512
f660df9ca9c6b83dfe37383575034859c4c6cfbaf397ba86a69310c1559049c9d52c77a5008cefb20a3baba8b3b9bd57934e5daa4872d6078455d7707e84ed45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
26bf9a72d897be9c53ae803797bb002b

SHA1
12cd8bd92db6d92cbb200bc08d0a0dab20ec369c

SHA256
0538c5b1c0d2f999d5768b3c7a3626feacd65d0acb599d3496d4e5d89ff10479

SHA512
d359895b64a5a4433cf78aea2a2455dd139624489746ea9f895f312e1817d9cbf88889194d3f682191cc97a8193e5323b98dadbb16d30e657fa8b83aae6ee6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e2d969ece48629638a610d8955478c4e

SHA1
505becb0af7d87a44c4733a736959bbaf687b7e8

SHA256
d6cfa94c483dc194a72ee08b2b59e615381e43d40f445889254ed52a1467d7bb

SHA512
166cf20e73360f43e4126a15a4a3c2ec3fa9eb5d32ca2d6a2c33e7f432ed1ecd88adf9dba1f54a5228af06bf5ef5258d1086c56df87d5fc771ab7eefd8a6f8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
5f25dfc5682391f946c742141303101e

SHA1
1f1348ebd23c41df86d64a66cc8cd386ea57400b

SHA256
17cd54e43ffb26460dabf6ffe6551f4963f44c390f22a82851c8d588fd185f40

SHA512
1e7e39a625f7cce844d4cb286f3e74c3b6233f076c94b660c1035d79a602f29a2276ab7b60b5ef5c2ed7481dd578f9d36d0b5d4e01a9b6d3bdbb1b311ce7fb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9e79429cac7788ce5a9bbab49d357c5d

SHA1
8873a4bcf10e7a893fb5e1ee8b745272ee046296

SHA256
f0b2aef357cb268d96180c50a658cf7eea483c9d1cf50d269ea4f00c5c40d2b8

SHA512
137e0de349e218ea6b34f62b841fb2aad0a8d44aed3738ebd20ce2182fe37465de18237647ec812d0c91a070c5efe39b1844a40a9b4a1dcf0722536568da6061

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fd7ce31b95549982bade7a87438b2a19

SHA1
e816cb7c3715deb1822025b423783cb44efdf3ff

SHA256
4ca096768f5d758f8d24cb9d12bdbb27f8dfb7fd7b62337aba2fab20bdf107b8

SHA512
f1bad05bc673dce5d62f9587a2b9ca1355e376a62861d009be6d2eba1878d13c3c35615507553c0e3acbb3c881012d5fb0a354ae9ef2202b73b40e5859a59a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
fda02d00b14a2d2ea2d7a8d279432928

SHA1
2651a4dd983c21e53bf861b9472a84d8fe455ed4

SHA256
406389303083fea78ea82eaf96943ac69ec136481aec22ea21c600f1b32b6bfb

SHA512
1d0988e328cd461ebd0cc0c8cb9f6a9a6eabee0abadbba4d6c992b9ba5915344ef7cd02a6f66e9928e5f78e866f19ab4b8d561f67b5fdc921d96641ec57bb60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e3a3a88887838df2802ffffd35cb1394

SHA1
7756b986b33a25702be5c2320af9d663d2e4246d

SHA256
3f0200b4c222df9b26c2e6264576b42a2755a6abbe27f444a9a017516f7063ad

SHA512
5b124459e52713c5be4918e2485279bcc114e992ab17ceaa92ab7d041dae7df7ba3297d5044b0c98651ef8ce6627c0b307531157b8a40ea592eef5a8aa10e73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
aa195c6aa9d5f85cf6a8a4c2753cb6c5

SHA1
003884c2d223297b48dd55d09cfb1dd571a995ee

SHA256
36eb65a3db8fdac2ef2462ebc88dab3812d46e621e1e4a0b2b305588a5297502

SHA512
c197634c8942df0cefdea9ce9c77b2e7c3d9f33d75b50314d1f3b9586932d575244891d0712acc4b4772f1b597227a36c8e00b05a5d403f0ce6f0a946a9aec2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
e7317a61d59826e1a36f527faed26fcd

SHA1
0ad41ede6c2ec8c701d433cef9d9cd757fbad89d

SHA256
a3089bc36bd5b792707ca806600eeb64349e7490b4a6ce6a88d19613f7b8c4c1

SHA512
38b02cece814d4c1a6846ac4a8d84f37905ca3f11aed038b6280e6dcb456f382054c73149bbbd5fc9fa3a06cb7d7a9072af430d3798ebb19dff9a9c8fd00a783

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c7dee9887eaaaf9d22b36043073475d7

SHA1
17bbacc7eb00bc5f846c6eb22f7074b3d760f395

SHA256
e1fcfe4b7963b571775ca122ed14f8d948635ad18cdd64af2238f6ea3fe6fa5d

SHA512
d9e12c2bcfa5fa6e33b92048c2ff2c540493094ed2c78df564c8b0ec813363716cff892254c89c92ac15545a51463f84740c9475d28bb33ae9be6f4b27edfa4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
ebdb1c7305a0eeaf123d3f95b51b9c4d

SHA1
f6602bd337ee7a26cc87e856fe61a8751394ae8b

SHA256
2e3f2e944753042aef92b357f81dd0710721c5c086b9d49eff3645afb9021968

SHA512
ea2d9dd5b057e055b672905111c10e09ce743f1c5b9f34fdcc9f1897954b99914569fca0ef580b48c734830c95af760dc676e2c857cedbd9becf7ca036f535b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
41c0cf276f13ed0bb05a9726dfa13241

SHA1
0aee76ad56936a83da99f0f1f60885db19a6b197

SHA256
6cac6b2c801a8669f83190ca1303dd15007d3bf11850135bf08fd2786341c1d5

SHA512
aa87bb2ea6c9a9c6a2d96c2325f42e37d41518922e1a3296f21e5023899cefea06c38e1ea837f904487fba46bbc817898ea73b075fdbdd206031defba5da5619

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1d25a7850d75fb0d392b2653855c9c83

SHA1
a58a815e7445b9b98a824483eb95ffe74c7b9a45

SHA256
9fbd4434858f4a62148d898f4aabd1cd8b55b6ba76a574fc61236ce578df596d

SHA512
c1df846074def1f3a720108d92978303c4c7c5c8d5ae9b2dfb76e49a8ed6b96f0f5f8bc8a19f0e7766785096e8f9000ca25d77543bce5927625451d1beae4ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
afa5ba13e637ff960ceb5d2fdd281b5a

SHA1
7cef0b42e5cec5f586eb971c68106fe0350ebea5

SHA256
b15b710253a00aab96d548f8269bf37b4ee5696b01a5cbfb746dce28bb51bc8d

SHA512
6e0f230e7ac5322dad39741f934371c93bc41fad96863f010b42fa0d53eeab5983e458108e38eed5a55681f033c0ecb7bdc289c5d6b51c9772d64a05b43cbfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
1bf36b95f2279e887f7c0dd4a63be7a0

SHA1
db1539635d2b34163d35267b1faf60a6a2aa6874

SHA256
d3b5e9d1981afc895b9be56ab61922ea6fef1126332feaf7b10c6447cec673f6

SHA512
0f14a7ffe2519baa378adcc86209bc601f0813f3f0ab2fc0071cf6e0b80337a6e7f3b5c252221405417583686e5a87c49792bc627c9b36632951913640751ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
595400c0f5152d9f865ea9f9de397744

SHA1
961e0be0705c11c116400352838da03f225ff36b

SHA256
5f993ba1583608e71ced5dce8520f923a09e7a41697b8b1875f62fb89eea3c5f

SHA512
8d2fab0117af43fe0dc28cdc086ef0c0748a6616f4d79d6a2a02e0871727e7811609fea3c2381b3d805a8a7cba00465fd528d75c078bf0f0fa94076bc9b3cede

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c312165b7bc5e3dbc06ec39be2eacc6

SHA1
a2f1f507091ae9eb788d9edaad5e26b3bce23b33

SHA256
b1b52e0e4920bf7688976a774654133d56b6b7b1ab704dfd1ee4fbb47bd6f7ba

SHA512
de8aa3e78a0ef5f1f2dbc1825d249d01ef073c1d68fbf3734ed4e9bd1d3916c74b9a24b1646e0e4e088531126361bd4d705311d40c8b806d6fb48b917c40ea64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6e3f7c2435a8175e00e2a20861ae3b9f

SHA1
fa1b2229eb53a46e814b20922b91fec86582f373

SHA256
285a133130a90b7839982f0e90cc49de9bf84d60ecf42ff12739a130a046233a

SHA512
555b444ca08b40c2cb27e5b90dd491ef7f180635da60b4af512f70ec746b056d8017a29026db60725706cd80929cbb4af01b121ce510982cdf5a92cf4a2c65b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c01e62d18256f9b4754ca336f25d1a29

SHA1
09b3acee97a6f1379693b829e94b2b427712c31b

SHA256
a74a65f96b86e900dfc131b7a6afac29e735396b62eca324cd138ad70cbc0be7

SHA512
9cf487b4f114fe0ea3cce9c563e393b550e800b6aa9ecb4c40f747f1710e0d9704c7a93465a16548702a98216324feeb64935d2919bffe48010e4a55fdf3f428

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
065f0842d87fe3c85fabd36a5dd5439f

SHA1
5b4cfda2b6597770105f3a037da0e2af58d82ee4

SHA256
13a06b465deb7ebb72b386aa9dcf9c1612267774244c277fa7104ebb6118edb3

SHA512
3787ffa072ed4ce6d48a42278a96fcd9a51888b5e7cec9ba725f5fc236a67b71c2931aa4c2205bf1dcf5bda0b8d5796b98e321c9510e3ea9b68377c8daf91237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8c598356d8b6a3ad2e9281c71d875c80

SHA1
da63f8e00ddc79119b9e1c771e0d53f294808d23

SHA256
cd3aef2f5f4becdd817a72fc587751b8224cd959f41864ee45b49c267ff5ef72

SHA512
d7e12a6bbcb01603292b4221469847e9f2717a5ff73fb445f1fd256c53fa96f758081cc961d37a77bf0ad0f2e8b9931f0544a32cf11a9f56d1153dfe93540df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9420c45b41a63e76ef0940bd86894ede

SHA1
f4d235f0f6b3b1d62d5ceb36a7813662f0e1af2d

SHA256
4c693fbb01aa46f42957117aea44bc6c9eaeeabe335c4f712cb5fb64962deee4

SHA512
acf325e1bde45cff370d907b26f4f5398090e000ee50c3b5cf88e9e515fdbf7d39437c5be152131d930583d7377e1a1b0b0a15df850e28bcd37323fa1efe99bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b84d0f9c81f7efdde02ce2875dc3eb91

SHA1
7f4f0889b5504a1749c33c775c8c6dc305a8e2ea

SHA256
0ec59631f101d9056ae878df31f2cc6d7ec4d5b17f29ab31590c96a9f7a8a61f

SHA512
16eafbad0e1a8eb0808ab766cdc5e2c4a9ed2b7c625c1639d40d30b6d8d042c9e7d9e5dd4f0c744d357fa3a384228b9236e6b0a4d98d3749b02b83d9312acab9

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2437139445-1151884604-3026847218-1000\699c4b9cdebca7aaea5193cae8a50098_4304acb9-c3f6-452a-9860-eb4e85d38d4e

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
\??\c:\directory\FirefoxUpdate\install\update.exe

Filesize
350KB

MD5
f2e154d8cce92ab7b6bb4e35df0e7197

SHA1
761bcee64df6f36bdc98d22ab43753ba09851cde

SHA256
b020358b635f38253feb2a7df66483f2fb6da2269f6ed38ee4bc85894d480e20

SHA512
6e12a83d2494b89533b8e14a74e1ad876a81a36e3e234871df6835de4c44da96e980c2081d7a0ba73a3478ac7a49ff0d0eb65ea19d773ac72db38feff11eaf55

Download Submit
memory/2376-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2376-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2620-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2620-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2620-95-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2620-71-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2620-30-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2620-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2620-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2620-12-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3648-74-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3648-14-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3648-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3648-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4596-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4700-114-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads