Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2022, 13:12

General

  • Target

    708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe

  • Size

    407KB

  • MD5

    6afa8fc0c50ca00b9c9e44ead4a53d20

  • SHA1

    8f8d6f886b138271c0910d1ebe1d765a7d074368

  • SHA256

    708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f

  • SHA512

    ba3c49693c9cfab653f2b382d9a60b2d86ebf32e03bf21bbab40b3b04c0245dcb30120e66dab0237974eda61271b079ad8c6c33480023658161c9a850e36ac8a

  • SSDEEP

    12288:yUYrtmqS/fQ17WKuqN3QPYTV0/K1p8HgXY8w:yZrtrS/Y6B+3QPYT6KN

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Keepvid

C2

paradiszamal.no-ip.info:15963

Mutex

PTK63LKF5T63AR

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    97420

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe
    "C:\Users\Admin\AppData\Local\Temp\708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Roaming\WinUpdate.exe
      C:\Users\Admin\AppData\Roaming\WinUpdate.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Roaming\WinUpdate.exe
        "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3908
        • C:\Users\Admin\AppData\Roaming\WinUpdate.exe
          "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
          4⤵
          • Executes dropped EXE
          PID:404

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

    Filesize

    224KB

    MD5

    ae8860b5e0332ec1835640299d729dba

    SHA1

    87d6966f10aec9dc64a4a6de3bf9098479ca7f1d

    SHA256

    b6eecda81e2b00bcfa22b071bddcf724ef7a1cdfc55fa4c48c4b13554e197832

    SHA512

    186b08f308a2290b4c0d9d297a1cc019a48e1e2812eb8b880e7a77033b8da838eb997f250724acb1cf3e2925161b4315a2ae3a4df5789474a63290d3a359a687

  • C:\Users\Admin\AppData\Roaming\WinUpdate.exe

    Filesize

    1KB

    MD5

    0df5b5319b99007441a57e8fd0b8727b

    SHA1

    73f1d54d460f84a68973e3a6fb56959dd853be5b

    SHA256

    27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

    SHA512

    563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

  • C:\Users\Admin\AppData\Roaming\WinUpdate.exe

    Filesize

    1KB

    MD5

    0df5b5319b99007441a57e8fd0b8727b

    SHA1

    73f1d54d460f84a68973e3a6fb56959dd853be5b

    SHA256

    27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

    SHA512

    563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

  • C:\Users\Admin\AppData\Roaming\WinUpdate.exe

    Filesize

    1KB

    MD5

    0df5b5319b99007441a57e8fd0b8727b

    SHA1

    73f1d54d460f84a68973e3a6fb56959dd853be5b

    SHA256

    27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

    SHA512

    563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

  • C:\Users\Admin\AppData\Roaming\WinUpdate.exe

    Filesize

    1KB

    MD5

    0df5b5319b99007441a57e8fd0b8727b

    SHA1

    73f1d54d460f84a68973e3a6fb56959dd853be5b

    SHA256

    27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

    SHA512

    563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

  • memory/1664-138-0x00000000747D0000-0x0000000074D81000-memory.dmp

    Filesize

    5.7MB

  • memory/1664-152-0x00000000747D0000-0x0000000074D81000-memory.dmp

    Filesize

    5.7MB

  • memory/2020-136-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2020-137-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2020-139-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2020-143-0x0000000010410000-0x0000000010475000-memory.dmp

    Filesize

    404KB

  • memory/2020-147-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2020-133-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/3908-149-0x0000000010410000-0x0000000010475000-memory.dmp

    Filesize

    404KB

  • memory/3908-146-0x0000000010410000-0x0000000010475000-memory.dmp

    Filesize

    404KB

  • memory/3908-153-0x0000000010410000-0x0000000010475000-memory.dmp

    Filesize

    404KB