cybergate | 4601cc3609d0ddb80e11cbf083e31e321b1598a20599166cf1892469d1d23f5f

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe
Size

528KB
MD5

155afae6d277f08d5092bc28e5aa6549
SHA1

1e5269325262948b96da20a19b41c35edfd8aa88
SHA256

4601cc3609d0ddb80e11cbf083e31e321b1598a20599166cf1892469d1d23f5f
SHA512

530f37bbd26ac8ca60c6631b71e2a82c8900e135aeab0b55129c9de9e168d71554e1e1d30333433b63103908751fd277d511d25cfb73d109517d2e4a552585ff
SSDEEP

12288:YMHWHVIu1wj3uRtElxnXL8Y4rCzV0YaZuYB:bY9Gj3oElxXL5zVUrB

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

vítima

hakansokar.zapto.org:511

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
datadll32
install_file
sysrun32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

twunk_32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\datadll32\\sysrun32.exe"	twunk_32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\datadll32\\sysrun32.exe"	twunk_32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

twunk_32.exetwunk_32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\datadll32\\sysrun32.exe"	twunk_32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	twunk_32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\datadll32\\sysrun32.exe Restart"	twunk_32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	twunk_32.exe

Executes dropped EXE 29 IoCs

Processes:

sysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exesysrun32.exe

pid	process
2596	sysrun32.exe
1032	sysrun32.exe
5164	sysrun32.exe
5212	sysrun32.exe
5260	sysrun32.exe
5304	sysrun32.exe
5348	sysrun32.exe
5392	sysrun32.exe
5508	sysrun32.exe
5556	sysrun32.exe
5600	sysrun32.exe
5644	sysrun32.exe
5700	sysrun32.exe
5744	sysrun32.exe
5788	sysrun32.exe
5832	sysrun32.exe
5880	sysrun32.exe
5924	sysrun32.exe
5968	sysrun32.exe
6012	sysrun32.exe
6056	sysrun32.exe
6120	sysrun32.exe
1600	sysrun32.exe
2852	sysrun32.exe
300	sysrun32.exe
6168	sysrun32.exe
6200	sysrun32.exe
6232	sysrun32.exe
6264	sysrun32.exe

Loads dropped DLL 29 IoCs

Processes:

twunk_32.exe

pid	process
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe
21284	twunk_32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2388-11-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2388-8-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2388-5-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2388-17-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2388-19-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2388-20-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2388-18-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2388-8747-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

twunk_32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\datadll32\\sysrun32.exe"	twunk_32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\datadll32\\sysrun32.exe"	twunk_32.exe

Drops file in System32 directory 2 IoCs

Processes:

twunk_32.exe

description ioc process

File created C:\Windows\SysWOW64\datadll32\sysrun32.exe twunk_32.exe
File opened for modification C:\Windows\SysWOW64\datadll32\sysrun32.exe twunk_32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe

description pid process target process

PID 2360 set thread context of 2388 2360 155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe twunk_32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

twunk_32.exe

pid process

2388 twunk_32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

twunk_32.exe

pid process

2388 twunk_32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\datadll32\sysrun32.exe	twunk_32.exe
File opened for modification	C:\Windows\SysWOW64\datadll32\sysrun32.exe	twunk_32.exe

description	pid	process	target process
PID 2360 set thread context of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe

pid	process
2388	twunk_32.exe

pid	process
2388	twunk_32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exetwunk_32.exe

description	pid	process	target process
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2360 wrote to memory of 2388	2360	155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe	twunk_32.exe
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE
PID 2388 wrote to memory of 1216	2388	twunk_32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\155afae6d277f08d5092bc28e5aa6549_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\twunk_32.exe
3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:11456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:21248

C:\Windows\twunk_32.exe
"C:\Windows\twunk_32.exe"
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
PID:21284

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:2596

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5164

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5212

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5260

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5304

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5348

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5392

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5508

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5556

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5600

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5644

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5700

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5744

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5788

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5832

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5880

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5924

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:5968

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:6012

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:6056

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:6120

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:300

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:6168

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:6200

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:6232

C:\Windows\SysWOW64\datadll32\sysrun32.exe
"C:\Windows\system32\datadll32\sysrun32.exe"
5⤵
- Executes dropped EXE
PID:6264

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
306B

MD5
c9451f1a985779871eac0e11265c9864

SHA1
4fd3ec1451511c138c8c1a613a975985bda4c9aa

SHA256
2a85ff51baf829f5bd53f8c07eed2dacf346228c6a095bb46b0712ce7509c0bb

SHA512
d871cef9215f90946d60dbde378dd917e2ac37a2a1824b700ef9b6e1a7db0da2bed8514239d643c47d1f69f2e641ef2469c8f177d980c5dc6b476596fe17c63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
612B

MD5
9c82cd594d30455c114ed29d95cfd3c3

SHA1
8b08b3e852ba90a4d4b6879e9b70bb62a69ac4b5

SHA256
5e1a4aaf0b3b84a255018796679bd101589ef0b1c4cb4476762fb1cd85a506e1

SHA512
77a9e5229f87f446735f6df7e27a842ef6120222d00a24ec63e12842f6747fcf182b7fdb59a652ba281a73d40c74eedcfd86815d6e3e14cf118f1421202d2132

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
765B

MD5
c3210b5e7a546e37bb086707d1cb8fde

SHA1
ad684a796a4e7e3972db6647b7b00986ff4733c2

SHA256
84cc857706a65b374b713f5db348305e521c43e4a5d50904e241bdb939b6fcc4

SHA512
fcf92bb1a594c33562e004275220e445f4767f305046776582dea246407951c1fa8d1766646565f08c47e1bd1117a23570937b9eaaa99801d8d9eb31cd89d299

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
918B

MD5
73a52c932f479edbdb92b9c165f5c368

SHA1
cecf3d9fc40391c3f82aa206c1c64b5f0155cf06

SHA256
4fc6d0cbe20b27af6fa69b38701ae505b142be9411523bcae3e0c2aa35b3b132

SHA512
30dcb59191da6b2934186275767dbf7ad7818c87194ebb7262dc3972a8c590c7efac2fdfc8147526537badf317a0d63a2f88816f38883063f533ca5a66de9cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
1KB

MD5
c5e57b7ead21384ce422b673de1b2dc6

SHA1
8f72186a92189c527f6bf124ab3c7fb390cd778f

SHA256
98b7cb28e6122a01848c281192d9c656715cf17b8225a56d4dcc697a643878ee

SHA512
15ea02612c66511faefd34b88fe568796ab3ceae234c55c1616e75bb621c7be6a43803370e5b2f85034b10aee26684a61bdae55e04a89dbac64cce49b983451d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
1KB

MD5
86bfcd4eb1a135b68ae9e57a8641fb96

SHA1
f3bd3a3471cfcdaf9f6a1b8d47130680ad77fa41

SHA256
c9a892cf56a76e617e9c422a45a6f2f8c5e970094d6ed257cb5abefa1564022d

SHA512
020bbf773326751919aad33465bd57024014e81f2b899675ddd6f62c81679678c41520d8580e0f1a65fc055caf0834be615993078f604ff362fd8316b95a59ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
1KB

MD5
2420885780cf623f904a120585ba39fe

SHA1
64b5ba82bba7c8c7984966949d8d9292a43a3019

SHA256
8b94ab781d5da4053697536ab7579395bc9e5e5d23d9e54c685a51f8f1c16e09

SHA512
31115db6754428939f4fb608d6e86d0bd24eabb2eff60fcefc36def57ba694ab0c9507bc9ec7715dc1a5857c4f405f57071444c27e2804a7376fd2a64d8cc4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
2KB

MD5
ee57819178472be044026c5dbd2b9a48

SHA1
9b9cfd30239f3d04924b30dbb4a665638392a7bf

SHA256
cb5d134f9801086616fa93dad2d63006f7f42737a1209e875631e5d32deed964

SHA512
31c8d7a3b5ed7ea2875a0b3e850a10e24321c6aeb573579a8cb3ace185110926f6373903eac588a9231318b9f74abeed9919d2952e0ec0b723268e9480fc0ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
2KB

MD5
fa15e89f5c87a10cdaea30d48b5a0e60

SHA1
7183723158d193d560f104d0d3df66476f3683da

SHA256
b577de42d9e155860b01cfeea174ef623ae70138e1959cbda91d58d4f9634fa5

SHA512
e03349a65bf6c020baa2895b51cffffbcf3c1f911ffb4e376d1a916ae599e88b22db2ab5152e3331b14ed7f3cf908ea5c9d7e301ec4ff356da9a69189f109b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
2KB

MD5
7e1bfd5380867a01eeb4db171f951408

SHA1
1b495acfb4e2444f01b9350fd4d61d5ec7b0b522

SHA256
92a0d0f7f79d62d7e08edaf2a481ca39b91337ee563d18af819f367edbbe719c

SHA512
e0a2aadba2892d5f9fff064164193fa742f8a645f61088579ef95036e8fb60d3d3c9fe9edbee24c20d3386672bb6d3e9c4f095c826fd6bbf7bc3a8bade9bd88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
2KB

MD5
c526883e07f3023e2ef1eb9c8f4d07a9

SHA1
043bb78d511b5a501491f7c6af249f0f14498ce3

SHA256
e69e5c8ca2b99f504b2cf2b96ba801ec6297b04a9f30d9c4af1a1c6d97bca1de

SHA512
48198e28ac089ceacb8728bf9a6136becdd297e53bd1418c275cdda6f5dc177942ef8036b0141fb1c0be4a13dbb82690064c68caf4631fefb7e5eb726eb41455

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
2KB

MD5
2021477389a8427c4ba69a9b2e22b51b

SHA1
3bc7b494051c143f0de871c267b5de1fa689e9cf

SHA256
c6e615036cfbad6512747d3c3614da1f7e8cea944c0d09317528ffa0f51c17ec

SHA512
020f91fdc11ecc5e4ffbbd0a134dd1f48ed6fa33c2d239d9cfea85128162f8c990a06d55cdb44346685f6d0769884bbe0d617a45fb456105c6e7700f304e9517

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWAIN.LOG
Filesize
4KB

MD5
734f736504531047064ef5505dee8cdf

SHA1
3536ea438db5a262901488ad1168fdcdbb760a0f

SHA256
d0201d233c2a2c2de1bcd95f2d122c8a6e37ce8a73543c81f3d1932060bc723e

SHA512
f4a15f5c448c413c7e2dfe75016456cf1be9e993afede97be6a348b72ac35a8fff4a2519e08c8e89b02a1e05b2a25593a820ca4a1bd0dc60535a377970c3d71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
586KB

MD5
26ac7c73aeb155bbe7f3bf56b94a8be2

SHA1
90b242e3045262ca2cc5ddb6b55d46deef64b9d4

SHA256
fabbc882d74d4f767afa83b745c34a35b26d086d187cbaaa3db8909bfa7b354f

SHA512
48a4bc20b48a151e7131a42d13cb05a8aca199fc3323fe1a5848a3117f43bb39da27bf0aa9ada0d08fd003d326fee0788a829cb39f6be4da287bde451b73c88c

Download Submit
C:\Windows\SysWOW64\datadll32\sysrun32.exe
Filesize
30KB

MD5
0bd6e68f3ea0dd62cd86283d86895381

SHA1
e207de5c580279ad40c89bf6f2c2d47c77efd626

SHA256
a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b

SHA512
26504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4

Download Submit
memory/1216-24-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2360-0-0x00000000748C1000-0x00000000748C2000-memory.dmp

Filesize
4KB

Download
memory/2360-16-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-2-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-1-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-5-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-8747-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-18-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-20-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-19-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-17-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-8-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-11-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2388-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2388-3-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/21284-8770-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/21284-8748-0x0000000010530000-0x000000001058C000-memory.dmp

Filesize
368KB

Download
memory/21284-5409-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads