Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
19-07-2021 18:02
General
-
Target
Gerador De Cash 2020 PB.exe
-
Size
562KB
-
MD5
02d37ed4bc3422b573fce8265a434d1b
-
SHA1
57c2ff77566afcfbf5d75c5912a22a19656afa29
-
SHA256
571a708504cf085b54eaed702a6c95b3189426dc20c78e42a3f1e1096d6bf044
-
SHA512
cb33ce0df6ce4dcc093f821e08cbd4307540c03cf239e89934e267457705d8ae911004d411555ff95189413f93f9b09105f800e86a74d3bf9e06462133651cc1
Malware Config
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe"C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe"C:\Users\Admin\AppData\Local\Temp\Gerador De Cash 2020 PB.exe"3⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe"C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe"C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 16604⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System\explorer.exe"C:\Windows\System\explorer.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 6405⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exeMD5
bf29f3a4bdbee79c0da3717aa44338ef
SHA1ca7f07e95e428d3f46c5fddff15b3caeb03eea30
SHA2568af5ba7c1318cf44c818238137109ef7cea0be0853853614168d2f1ce514798d
SHA5121b8f565304c501abe5c6c71cc8ea4226b4ab445d02bda73ff8d53722ecf68cdb0307f45ffe1f857e73d2d1b5f255903cbef3b18e321ec2de5abb605fb83f4b9e
-
C:\Users\Admin\AppData\Local\Temp\AutoXP [PBBR] -.exeMD5
bf29f3a4bdbee79c0da3717aa44338ef
SHA1ca7f07e95e428d3f46c5fddff15b3caeb03eea30
SHA2568af5ba7c1318cf44c818238137109ef7cea0be0853853614168d2f1ce514798d
SHA5121b8f565304c501abe5c6c71cc8ea4226b4ab445d02bda73ff8d53722ecf68cdb0307f45ffe1f857e73d2d1b5f255903cbef3b18e321ec2de5abb605fb83f4b9e
-
C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exeMD5
d4cd3008892010115bf02ce8b9f06347
SHA1c7ddf6c6b5ffb32d62b057039e0a0e5700ca1fe6
SHA2560500d89f67d7f34d582a8a4bdf8f0e4a31c20095cc289c40830dd60873348624
SHA512e7c188b4989b5c3cc5bf03dd5a2eac251fbe640294672238ec2f11f228ebee0c949b62325cf44a9f77b8402de4e0bab0c9ba8b37991ac93d4386aaf05aee2635
-
C:\Users\Admin\AppData\Local\Temp\Gerador de Cash 2016.exeMD5
d4cd3008892010115bf02ce8b9f06347
SHA1c7ddf6c6b5ffb32d62b057039e0a0e5700ca1fe6
SHA2560500d89f67d7f34d582a8a4bdf8f0e4a31c20095cc289c40830dd60873348624
SHA512e7c188b4989b5c3cc5bf03dd5a2eac251fbe640294672238ec2f11f228ebee0c949b62325cf44a9f77b8402de4e0bab0c9ba8b37991ac93d4386aaf05aee2635
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txtMD5
4df7d5b3c2840b162dc18042218653ec
SHA135ab3b9ed92ccdaae81d2ffa856dc1de5ae4a541
SHA25694540b9d0a7e7ab41dc3175f3da6ecae5d30864cee6c33831365b8c9348e6c56
SHA5123828f941213da69e9ff677007cc64b826fa5cc0d81756d61d84cbe4baf20573abeabb290a1d60203a6afcde61d1566a42fc451280a7d267ca8f73d25d589e059
-
C:\Windows\System\explorer.exeMD5
02d37ed4bc3422b573fce8265a434d1b
SHA157c2ff77566afcfbf5d75c5912a22a19656afa29
SHA256571a708504cf085b54eaed702a6c95b3189426dc20c78e42a3f1e1096d6bf044
SHA512cb33ce0df6ce4dcc093f821e08cbd4307540c03cf239e89934e267457705d8ae911004d411555ff95189413f93f9b09105f800e86a74d3bf9e06462133651cc1
-
C:\Windows\System\explorer.exeMD5
02d37ed4bc3422b573fce8265a434d1b
SHA157c2ff77566afcfbf5d75c5912a22a19656afa29
SHA256571a708504cf085b54eaed702a6c95b3189426dc20c78e42a3f1e1096d6bf044
SHA512cb33ce0df6ce4dcc093f821e08cbd4307540c03cf239e89934e267457705d8ae911004d411555ff95189413f93f9b09105f800e86a74d3bf9e06462133651cc1
-
memory/512-150-0x0000000002CA4000-0x0000000002CA5000-memory.dmpFilesize
4KB
-
memory/512-148-0x0000000002CA2000-0x0000000002CA4000-memory.dmpFilesize
8KB
-
memory/512-141-0x0000000002CA0000-0x0000000002CA2000-memory.dmpFilesize
8KB
-
memory/512-133-0x0000000000000000-mapping.dmp
-
memory/984-143-0x0000000000000000-mapping.dmp
-
memory/1184-129-0x0000000000000000-mapping.dmp
-
memory/1184-130-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3276-142-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/3276-131-0x0000000000000000-mapping.dmp
-
memory/3276-149-0x0000000005810000-0x0000000005D0E000-memory.dmpFilesize
5.0MB
-
memory/3276-146-0x0000000005A40000-0x0000000005A41000-memory.dmpFilesize
4KB
-
memory/3276-147-0x0000000005810000-0x0000000005D0E000-memory.dmpFilesize
5.0MB
-
memory/3276-137-0x0000000000D80000-0x0000000000D81000-memory.dmpFilesize
4KB
-
memory/3276-139-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/3276-140-0x0000000005D10000-0x0000000005D11000-memory.dmpFilesize
4KB
-
memory/3276-145-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/3860-122-0x0000000003650000-0x0000000003786000-memory.dmpFilesize
1.2MB
-
memory/3860-116-0x0000000000000000-mapping.dmp
-
memory/3860-118-0x0000000003230000-0x0000000003231000-memory.dmpFilesize
4KB
-
memory/3860-120-0x0000000003650000-0x0000000003786000-memory.dmpFilesize
1.2MB
-
memory/3860-121-0x0000000003650000-0x0000000003786000-memory.dmpFilesize
1.2MB
-
memory/3860-123-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/3860-119-0x0000000003650000-0x0000000003786000-memory.dmpFilesize
1.2MB
-
memory/3860-124-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/3860-117-0x0000000002F70000-0x0000000002F71000-memory.dmpFilesize
4KB