Analysis
-
max time kernel
151s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2022 03:04
Static task
static1
Behavioral task
behavioral1
Sample
9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
Resource
win7-20220812-en
windows7-x64
13 signatures
150 seconds
General
-
Target
9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe
-
Size
492KB
-
MD5
524a63a2f02d538858d2e5fc224462f4
-
SHA1
442c8efab4ca9ec82410debf94a67287875e819e
-
SHA256
9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725
-
SHA512
1362a2e3ff7c745963db07120d012b537e778cda0a2c7e2726e1eb0937285316e6d31d2f60f4d2b2f9be447baed101ad2b1a864c2ba9a65d452bc7bb8114e7e7
-
SSDEEP
12288:amyzOwFIOBRa8Rj8XUdtlA9W/cKoDLwBoNVbfahf:ByzOOBkw+0Z2MeNVTahf
Malware Config
Extracted
Family
cybergate
Version
v1.18.0 - Crack Version
Botnet
remote
C2
dioslipper.no-ip.org:3460
Mutex
8W7O0NQ17EG0CJ
Attributes
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
expIorer.exe
-
install_dir
treiber
-
install_file
driver.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
-
regkey_hkcu
HKCUx1
-
regkey_hklm
HKLMx1
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\treiber\\driver.exe" 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\treiber\\driver.exe" 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P}\StubPath = "c:\\treiber\\driver.exe" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P} 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P}\StubPath = "c:\\treiber\\driver.exe Restart" 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{027X7LMS-4E07-7275-6S56-W3X28IVH6L6P} explorer.exe -
resource yara_rule behavioral2/memory/5064-146-0x0000000010410000-0x0000000010482000-memory.dmp upx behavioral2/memory/5064-151-0x0000000010490000-0x0000000010502000-memory.dmp upx behavioral2/memory/4888-154-0x0000000010490000-0x0000000010502000-memory.dmp upx behavioral2/memory/4888-157-0x0000000010490000-0x0000000010502000-memory.dmp upx behavioral2/memory/5064-158-0x0000000000610000-0x0000000000682000-memory.dmp upx behavioral2/memory/5064-159-0x0000000000610000-0x0000000000682000-memory.dmp upx behavioral2/memory/5064-161-0x0000000000610000-0x0000000000682000-memory.dmp upx -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLMx1 = "c:\\treiber\\driver.exe" 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCUx1 = "c:\\treiber\\driver.exe" 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4900 set thread context of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 3052 set thread context of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeBackupPrivilege 4888 explorer.exe Token: SeRestorePrivilege 4888 explorer.exe Token: SeBackupPrivilege 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Token: SeRestorePrivilege 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Token: SeDebugPrivilege 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe Token: SeDebugPrivilege 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 4900 wrote to memory of 3052 4900 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 80 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 3052 wrote to memory of 5064 3052 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 81 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57 PID 5064 wrote to memory of 2720 5064 9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe 57
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"3⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"C:\Users\Admin\AppData\Local\Temp\9a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725.exe"4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD543b7ac05d53a42d8881b0b8333c874c0
SHA11580f5ec4b3db5c931b851689e5aa9eff8c83f37
SHA2561b4706987b50f627983d0878df4c094a48647be90a793c262d9e0a078e0dfc9c
SHA512dac29f039eb09ab0066437802f2088a2ae28636372d3809885194b9f8388fd6434ce00b95fdbc24ef335bc9f683501d1e7c5d7b59631b40f00142cd2d2a4ff89
-
Filesize
492KB
MD5524a63a2f02d538858d2e5fc224462f4
SHA1442c8efab4ca9ec82410debf94a67287875e819e
SHA2569a7a17645ae103f2b14917e1a71c56b6ae13c81ca09522ead4423358f9064725
SHA5121362a2e3ff7c745963db07120d012b537e778cda0a2c7e2726e1eb0937285316e6d31d2f60f4d2b2f9be447baed101ad2b1a864c2ba9a65d452bc7bb8114e7e7