Analysis

- max time kernel: 150s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 12-07-2021 23:48

Static task: static1
Behavioral task: behavioral1
  Sample: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
  Resource: win7v20210408
General

- Target: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- Size: 1.3MB
- MD5: 9fb3ef5f9d35773451f983671b2240f0
- SHA1: 0de17fc90bbae1b1a1db740939dd222b44f433ca
- SHA256: 88ab0fb7aab828733d7fad8dd72ba73c7188803ed85c19d01a267ad7809cba44
- SHA512: f32e742494550b0d8dda6dac6ac28f13b004fb43e782c1358e51a77a8755c152b5713bd524efc487c831462ee93e10b87a68a99b7cff149c257763753eb9d023
Malware Config

Extracted: cybergate v1.18.0 - Crack Version

- remote:
  morcoy.duia.ro:2002
  pinguela.dnsd.me:2003
  matreto.system-ns.co:2004
  palotes12.chickenkiller.com:2005
  JOSE4.NO-IP.ORG:2006
  41S0823EXU0802
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs
- ftp_interval: 30
- injected_process: javaw.exe
- install_dir: systemroot
- install_file: ms.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 6146
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\systemroot\\ms.exe"
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\systemroot\\ms.exe"
Modifies Installed Components in the registry (2 TTPs)

yara_rule matches (resource: rule):
- behavioral2/memory/3872-120-0x00000000005E0000-0x0000000000652000-memory.dmp: upx
- behavioral2/memory/3872-121-0x00000000032D0000-0x0000000003312000-memory.dmp: upx
- behavioral2/memory/3872-122-0x0000000003420000-0x0000000003462000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 4 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\systemroot\\ms.exe"
- Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\systemroot\\ms.exe"
Suspicious use of SetThreadContext (1 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- PID 3724 set thread context of 3872 (process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe; target process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe)
Drops file in Program Files directory (2 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- File created: C:\Program Files (x86)\systemroot\ms.exe
- File opened for modification: C:\Program Files (x86)\systemroot\ms.exe
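The two Run-key signatures and the dropped file above are the CyberGate install routine in this report: install_dir and install_file from the extracted config become C:\Program Files (x86)\systemroot\ms.exe, and the Run value names HKLM and HKCU are the config's regkey_hklm and regkey_hkcu strings. The Python below is an added example, not the sandbox's or the malware's code. It parses registry and file events written in this report's one-event-per-line layout (the sample lines are constructed from the IoCs above, with the sample renamed to sample.exe and one unrelated registry write added as a negative case) and flags autorun writes whose target the same process created during the run. Two assumptions are labelled in the code: every \REGISTRY\USER\<SID> key is treated as HKCU, which holds in a single-user sandbox, and only the two autorun locations seen on this page are matched (RunOnce, Winlogon and service keys are out of scope).

```python
"""Flag autorun registry writes and correlate them with files the same process dropped."""
import re
from typing import NamedTuple

# Sandbox layouts: 'Set value (str) <key>\<name> = "<data>" <process>' and
# 'File created <path> <process>'. Keys and paths may contain spaces; the process
# image at the end never does, so the non-greedy/greedy split below is safe.
SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
FILE_CREATED_RE = re.compile(r'^File created (?P<path>.+) (?P<proc>\S+)$')

# Only the two autorun locations seen in this report (with or without WOW6432Node):
# ...\CurrentVersion\Run and ...\CurrentVersion\Policies\Explorer\Run.
# Assumption/scope: RunOnce, Winlogon and service keys are deliberately not matched.
AUTORUN_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\(?:Policies\\Explorer\\)?Run\\(?P<name>[^\\]+)$',
    re.IGNORECASE,
)

# Constructed from this report's IoCs (sample renamed to sample.exe), plus one
# unrelated Shell Folders write to show that it is ignored.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\systemroot\\ms.exe" sample.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\systemroot\\ms.exe" sample.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\systemroot\\ms.exe" sample.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\systemroot\\ms.exe" sample.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache" sample.exe
File created C:\Program Files (x86)\systemroot\ms.exe sample.exe
'''


class AutorunEntry(NamedTuple):
    hive: str
    value_name: str
    target: str
    process: str


def normalise_hive(key: str) -> str:
    """Map the kernel-style prefix to a hive name. Assumption: in a single-user
    sandbox every \\REGISTRY\\USER\\<SID> key belongs to the current user (HKCU)."""
    upper = key.upper()
    if upper.startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM'
    if upper.startswith('\\REGISTRY\\USER\\'):
        return 'HKCU'
    return 'UNKNOWN'


def unescape(data: str) -> str:
    """The sandbox renders string data with doubled backslashes."""
    return data.replace('\\\\', '\\')


def find_autorun_entries(events: str) -> list:
    """Every 'Set value' event whose key is one of the autorun locations above."""
    entries = []
    for line in events.strip().splitlines():
        m = SET_VALUE_RE.match(line)
        if not m:
            continue
        a = AUTORUN_RE.search(m['key'])
        if a:
            entries.append(AutorunEntry(normalise_hive(m['key']), a['name'],
                                        unescape(m['data']), m['proc']))
    return entries


def dropped_files(events: str) -> set:
    """(path, process) pairs for every 'File created' event."""
    return {(m['path'], m['proc']) for line in events.strip().splitlines()
            if (m := FILE_CREATED_RE.match(line))}


def correlate(events: str) -> list:
    """Autorun entries, each marked with whether the same process also created its
    target. An autorun that points at a file the process itself just wrote is the
    strongest persistence signal available in this kind of log."""
    created = dropped_files(events)
    return [{**e._asdict(), 'self_dropped': (e.target, e.process) in created}
            for e in find_autorun_entries(events)]


if __name__ == '__main__':
    for r in correlate(SAMPLE_EVENTS):
        print(f"{r['hive']} {r['value_name']} -> {r['target']} (self_dropped={r['self_dropped']})")
```

Run against the constructed events, all four autorun writes resolve to the same target and all four are marked self_dropped, while the Shell Folders write is ignored; the unescape step matters, because the registry data is rendered with doubled backslashes but the file-creation path is not, and without it the two never compare equal.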
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no mass file modification, no encryption artefacts) supports that reading for this sample, whose extracted configuration is a CyberGate RAT.
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- PID 3872 (6 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- PID 3872
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe (PID 3872)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeDebugPrivilege
- Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (2 IoCs)
Process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- PID 3724 (2 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe, 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe
- PID 3724 wrote to memory of 3872 (process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe; target process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe), 13 entries
- PID 3872 wrote to memory of 8 (process: 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe; target process: cscript.exe), 3 entries
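Read together, the SetThreadContext and WriteProcessMemory signatures describe one pattern: PID 3724 writes into a child running its own image (PID 3872) and changes that child's thread context, and the child in turn writes into cscript.exe (PID 8) before the dropped .vbs runs. The Python below is an added example, not part of the report or of any tool, that aggregates such events per (source PID, target PID) pair and tags the combinations worth a second look. The sample lines are constructed in the report's layout and abbreviated to four parent-to-child writes, with the sample renamed to sample.exe; the SCRIPT_HOSTS set is an assumption for illustration. The caveat to keep in mind when tuning this: a small number of writes into a freshly created child also shows up around ordinary process creation in this kind of log, so the write count on its own is weak evidence, and the write-plus-SetThreadContext combination on a same-image child is the stronger signal.

```python
"""Correlate sandbox 'wrote to memory' / 'set thread context' events per process pair."""
import re
from collections import defaultdict

# Sandbox layout: "PID <src> <action> <dst> <pid> <process> <target process>".
EVENT_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) '
    r'(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$'
)

# Constructed from this report: parent-to-child writes abbreviated to four,
# sample renamed to sample.exe.
SAMPLE_EVENTS = '''
PID 3724 set thread context of 3872 3724 sample.exe sample.exe
PID 3724 wrote to memory of 3872 3724 sample.exe sample.exe
PID 3724 wrote to memory of 3872 3724 sample.exe sample.exe
PID 3724 wrote to memory of 3872 3724 sample.exe sample.exe
PID 3724 wrote to memory of 3872 3724 sample.exe sample.exe
PID 3872 wrote to memory of 8 3872 sample.exe cscript.exe
PID 3872 wrote to memory of 8 3872 sample.exe cscript.exe
PID 3872 wrote to memory of 8 3872 sample.exe cscript.exe
'''

# Assumption: script hosts that a RAT has no legitimate reason to write into.
SCRIPT_HOSTS = {'cscript.exe', 'wscript.exe'}


def summarise(events: str) -> dict:
    """Aggregate events into {(src_pid, dst_pid): {'writes', 'set_context', images}}."""
    pairs = defaultdict(lambda: {'writes': 0, 'set_context': False,
                                 'src_img': '', 'dst_img': ''})
    for line in events.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rec = pairs[(int(m['src']), int(m['dst']))]
        rec['src_img'], rec['dst_img'] = m['src_img'], m['dst_img']
        if m['action'].startswith('wrote'):
            rec['writes'] += 1
        else:
            rec['set_context'] = True
    return dict(pairs)


def classify(events: str) -> list:
    """Tag each pair; pairs with no tags are dropped from the result."""
    findings = []
    for (src, dst), rec in summarise(events).items():
        tags = []
        # Memory writes followed by a thread-context change on the same target:
        # the process-hollowing / thread-hijack pattern.
        if rec['writes'] and rec['set_context']:
            tags.append('write+setthreadcontext')
        # Parent injecting into a child that runs the parent's own image.
        if rec['writes'] and rec['src_img'].lower() == rec['dst_img'].lower():
            tags.append('same-image-child')
        # Writes into a script host (cscript.exe on this page).
        if rec['writes'] and rec['dst_img'].lower() in SCRIPT_HOSTS:
            tags.append('script-host-target')
        if tags:
            findings.append({'src': src, 'dst': dst, **rec, 'tags': tags})
    return findings


if __name__ == '__main__':
    for f in classify(SAMPLE_EVENTS):
        print(f"{f['src']} -> {f['dst']} ({f['src_img']} -> {f['dst_img']}): "
              f"{f['writes']} writes, SetThreadContext={f['set_context']}, "
              f"{', '.join(f['tags'])}")
```

On the constructed events the parent/child pair carries both the write-plus-SetThreadContext and same-image tags, while the child/cscript.exe pair carries only the script-host tag and no thread-context change, which is the distinction a triage analyst wants surfaced rather than sixteen identical-looking rows.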
Processes

1. C:\Users\Admin\AppData\Local\Temp\88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe (PID 3724 in the signature tables)
   Command line: "C:\Users\Admin\AppData\Local\Temp\88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe (child of 1; PID 3872 in the signature tables)
      Command line: "C:\Users\Admin\AppData\Local\Temp\88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe"
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cscript.exe (child of 2; PID 8 in the signature tables)
         Command line: "C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Roaming\Adminv1.18.0 - Trial version.vbs"
         The command line names system32, but the image that ran is the SysWOW64 copy: the 32-bit parent is subject to WOW64 file-system redirection.
Downloads

- C:\Users\Admin\AppData\Roaming\Adminv1.18.0 - Trial version.txt
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
  (This MD5/SHA1 pair is the well-known hash of a two-byte CRLF, so the file holds no content at the time of capture.)
- C:\Users\Admin\AppData\Roaming\Adminv1.18.0 - Trial version.vbs
  MD5: ec0737a274ceb47d3bd6c37580db325c
  SHA1: 0dfdf4df7298f23570384d0bba0b56d3bff8855d
  SHA256: a57585a65ad51b6e10fc2b1ba4dd6435167d543302ad1df1260a22859faea597
  SHA512: 7af08cef86f087e66f23bf6d17ad210f02a7659775b932dfdd4745818f6ce8a4b34afa0b686baf03b41b21538f1444e334563d48636e6d2c9ab11bc261bd8cc3
- memory/8-123-0x0000000000000000-mapping.dmp
- memory/3872-117-0x0000000000400000-0x000000000044D000-memory.dmp (Filesize: 308KB)
- memory/3872-118-0x000000000040A0C4-mapping.dmp
- memory/3872-119-0x0000000000400000-0x000000000044D000-memory.dmp (Filesize: 308KB)
- memory/3872-120-0x00000000005E0000-0x0000000000652000-memory.dmp (Filesize: 456KB)
- memory/3872-121-0x00000000032D0000-0x0000000003312000-memory.dmp (Filesize: 264KB)
- memory/3872-122-0x0000000003420000-0x0000000003462000-memory.dmp (Filesize: 264KB)