Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 13:12
Static task: static1
Behavioral task: behavioral1
Sample: 708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe
Resource: win7-20220812-en
General
Target: 708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe
Size: 407KB
MD5: 6afa8fc0c50ca00b9c9e44ead4a53d20
SHA1: 8f8d6f886b138271c0910d1ebe1d765a7d074368
SHA256: 708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f
SHA512: ba3c49693c9cfab653f2b382d9a60b2d86ebf32e03bf21bbab40b3b04c0245dcb30120e66dab0237974eda61271b079ad8c6c33480023658161c9a850e36ac8a
SSDEEP: 12288:yUYrtmqS/fQ17WKuqN3QPYTV0/K1p8HgXY8w:yZrtrS/Y6B+3QPYT6KN
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
Botnet: Keepvid
C2: paradiszamal.no-ip.info:15963
Mutex: PTK63LKF5T63AR
Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: false
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 97420
Signatures
- Executes dropped EXE (3 IoCs)
  pid 2020 WinUpdate.exe
  pid 3908 WinUpdate.exe
  pid 404 WinUpdate.exe
  yara rule upx: behavioral2/memory/2020-143-0x0000000010410000-0x0000000010475000-memory.dmp
  yara rule upx: behavioral2/memory/3908-146-0x0000000010410000-0x0000000010475000-memory.dmp
  yara rule upx: behavioral2/memory/3908-149-0x0000000010410000-0x0000000010475000-memory.dmp
  yara rule upx: behavioral2/memory/3908-153-0x0000000010410000-0x0000000010475000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (WinUpdate.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\inv.exe" (708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe)
  Note that the Run value points at inv.exe, while the binary actually dropped and executed in this run is WinUpdate.exe in the same directory; inv.exe does not appear in the process tree below.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1664 (708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe) set thread context of PID 2020, procid_target 85
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is a generic sandbox heuristic; the extracted config identifies the sample as CyberGate, a remote access trojan.)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3908 WinUpdate.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeBackupPrivilege, pid 3908 WinUpdate.exe
  Token: SeRestorePrivilege, pid 3908 WinUpdate.exe
  Token: SeDebugPrivilege, pid 3908 WinUpdate.exe
  Token: SeDebugPrivilege, pid 3908 WinUpdate.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1664 (708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe) wrote to memory of PID 2020, procid_target 85: 13 entries
  PID 2020 (WinUpdate.exe) wrote to memory of PID 3908, procid_target 86: 51 entries
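The rules below are an added example and are not part of the Triage report or its signature set. They replay the behaviours recorded in the Malware Config and Signatures sections (the Run value written under ...\CurrentVersion\Run\Microsoft, the parent writing into the memory of the child it just created, the WinUpdate.exe chain relaunching its own image, and contact with the configured C2 paradiszamal.no-ip.info:15963) over Sysmon-style events. The event dictionaries, the PIDs not taken from the report, the 192.0.2.10 address and the benign noise entries are constructed for the demo; the report's Network section shows no traffic, so the DNS and connect events only illustrate what the C2 rule would match. Registry paths are written in the HKU\... form Sysmon emits rather than the \REGISTRY\USER\... form above.

```python
"""Replay the behaviours from this Triage report as detection rules over
constructed Sysmon-style events (added example, not the sandbox's own code)."""
import re

# Values taken from the report
C2_HOST, C2_PORT = "paradiszamal.no-ip.info", 15963
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
RUN_ROOT = (r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Windows process access rights as they appear in Sysmon event 10 GrantedAccess
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

# Constructed telemetry (the report contains no raw Sysmon logs); ids follow Sysmon:
# 1 process create, 3 network connect, 10 process access, 13 registry set, 22 DNS query
EVENTS = [
    {"id": 1, "pid": 1664, "ppid": 700, "image": SAMPLE},
    {"id": 13, "pid": 1664, "target": RUN_ROOT + r"\Microsoft",
     "details": r"C:\Users\Admin\AppData\Roaming\inv.exe"},
    {"id": 1, "pid": 2020, "ppid": 1664, "image": DROPPED},
    {"id": 10, "src_pid": 1664, "tgt_pid": 2020, "access": 0x1FFFFF},   # PROCESS_ALL_ACCESS
    {"id": 1, "pid": 3908, "ppid": 2020, "image": DROPPED},
    {"id": 10, "src_pid": 2020, "tgt_pid": 3908, "access": 0x002A},     # VM_OPERATION|VM_WRITE|CREATE_THREAD
    {"id": 1, "pid": 404, "ppid": 3908, "image": DROPPED},
    {"id": 22, "pid": 3908, "query": C2_HOST},
    {"id": 3, "pid": 3908, "dst_ip": "192.0.2.10", "dst_port": C2_PORT},  # assumed resolved address
    # benign noise that must not fire
    {"id": 1, "pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 13, "pid": 5000, "target": RUN_ROOT + r"\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": 10, "src_pid": 4444, "tgt_pid": 5000, "access": 0x1000},     # QUERY_LIMITED_INFORMATION only
]


def run_key_to_appdata(events):
    """Run-key values whose target executable lives under a user's Roaming AppData."""
    run_key = re.compile(r"\\CurrentVersion\\Run\\", re.I)
    roaming_exe = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
    return [(e["pid"], e["details"]) for e in events
            if e["id"] == 13 and run_key.search(e["target"]) and roaming_exe.search(e["details"])]


def parent_writes_child(events):
    """A process opens a child it created itself with write access to its memory,
    the precursor of the WriteProcessMemory + SetThreadContext pair in the report."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return [(e["src_pid"], e["tgt_pid"]) for e in events
            if e["id"] == 10 and parent_of.get(e["tgt_pid"]) == e["src_pid"]
            and e["access"] & need == need]


def same_image_chain(events, min_depth=3):
    """Processes whose ancestry is the same image repeated min_depth times
    (WinUpdate.exe -> WinUpdate.exe -> WinUpdate.exe in the report)."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for pid, proc in procs.items():
        depth, cur = 1, proc
        while cur["ppid"] in procs and procs[cur["ppid"]]["image"].lower() == proc["image"].lower():
            depth += 1
            cur = procs[cur["ppid"]]
        if depth >= min_depth:
            hits.append((pid, depth))
    return hits


def c2_contact(events):
    """DNS lookups of the configured C2 host or TCP connects to its port."""
    return [(e["pid"], e["id"]) for e in events
            if (e["id"] == 22 and e["query"].lower() == C2_HOST)
            or (e["id"] == 3 and e["dst_port"] == C2_PORT)]


def triage(events):
    return {
        "run_key_to_appdata": run_key_to_appdata(events),
        "parent_writes_child": parent_writes_child(events),
        "same_image_chain": same_image_chain(events),
        "c2_contact": c2_contact(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

GrantedAccess in Sysmon event 10 is a bitmask of process access rights; 0x28 (PROCESS_VM_OPERATION | PROCESS_VM_WRITE) is the minimum a caller needs to write into another process, which is why the hollowing rule tests for exactly those bits instead of matching the full 0x1FFFFF. Requiring that the source process be the parent of the target keeps debuggers and security tools that open arbitrary processes from tripping the rule, at the cost of missing injection into a pre-existing process such as the explorer.exe named in the config's injected_process field.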
Processes
1. C:\Users\Admin\AppData\Local\Temp\708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe (PID 1664)
   Command line: "C:\Users\Admin\AppData\Local\Temp\708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WinUpdate.exe (PID 2020)
      Command line: C:\Users\Admin\AppData\Roaming\WinUpdate.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\WinUpdate.exe (PID 3908)
         Command line: "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Roaming\WinUpdate.exe (PID 404)
            Command line: "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 224KB
  MD5: ae8860b5e0332ec1835640299d729dba
  SHA1: 87d6966f10aec9dc64a4a6de3bf9098479ca7f1d
  SHA256: b6eecda81e2b00bcfa22b071bddcf724ef7a1cdfc55fa4c48c4b13554e197832
  SHA512: 186b08f308a2290b4c0d9d297a1cc019a48e1e2812eb8b880e7a77033b8da838eb997f250724acb1cf3e2925161b4315a2ae3a4df5789474a63290d3a359a687
- Filesize: 1KB (listed four times with identical hashes)
  MD5: 0df5b5319b99007441a57e8fd0b8727b
  SHA1: 73f1d54d460f84a68973e3a6fb56959dd853be5b
  SHA256: 27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc
  SHA512: 563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6