Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 13:55

General

  • Target

    a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe

  • Size

    340KB

  • MD5

    6dae87fc0043e2ed7af7d567c3f43320

  • SHA1

    938e5fb9394b32f8769affab118587a513ba4eae

  • SHA256

    a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97

  • SHA512

    4c8c327ef01d072a3c8b77cbc66d11bd6e0f8b1e8548be8bd6eb25981232caa0fdaf3994674dde6b4727880216f1a1562eb5eb012a8257bf087d377531353b33

  • SSDEEP

    6144:yR6CiG8KotTmhJ4KK2LNbbAS1B6Hr1fwdCsGlS17ZCu3+z:yR6Cr8KoK3V8S+HGt1VCW

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

C2

socorsovolpe.no-ip.biz:81

Mutex

***xMUTEx***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    windowss

  • install_file

    systema.dlll

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123456789

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3060
      • C:\Users\Admin\AppData\Local\Temp\a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
        "C:\Users\Admin\AppData\Local\Temp\a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:4912
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:4840
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Drops file in Windows directory
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1708
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1312

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Execution

      Scripting

      1
      T1064

      Persistence

      Registry Run Keys / Startup Folder

      3
      T1060

      Defense Evasion

      Modify Registry

      3
      T1112

      Scripting

      1
      T1064

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        229KB

        MD5

        23ad311865a02b862ae5d12a34e4da09

        SHA1

        8531371cd8f6ff2e9ddba94c4d2c0171d7641959

        SHA256

        f9cd3544ece03d558ed52e06735c641cdb9879bc5c857359c7ee42e1ba67d6f4

        SHA512

        5c1289540ee4b697f2d0d0928beec5f475049fbc0004db070535a6f8a2a8c174c9237ffc95a60132451b531d002b6cc7b4399111405065d8dc07ab086d5286a6

      • C:\Windows\windowss\systema.dlll
        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • memory/1708-162-0x0000000024160000-0x00000000241C2000-memory.dmp
        Filesize

        392KB

      • memory/1708-168-0x0000000024160000-0x00000000241C2000-memory.dmp
        Filesize

        392KB

      • memory/1708-167-0x00000000049A0000-0x00000000049EB000-memory.dmp
        Filesize

        300KB

      • memory/1708-166-0x0000000004950000-0x000000000499B000-memory.dmp
        Filesize

        300KB

      • memory/1708-165-0x0000000004900000-0x000000000494B000-memory.dmp
        Filesize

        300KB

      • memory/1708-164-0x0000000024160000-0x00000000241C2000-memory.dmp
        Filesize

        392KB

      • memory/1708-158-0x0000000000000000-mapping.dmp
      • memory/2448-138-0x0000000074EC0000-0x0000000075471000-memory.dmp
        Filesize

        5.7MB

      • memory/2448-132-0x0000000074EC0000-0x0000000075471000-memory.dmp
        Filesize

        5.7MB

      • memory/3416-137-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/3416-134-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/3416-136-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/3416-154-0x00000000240F0000-0x0000000024152000-memory.dmp
        Filesize

        392KB

      • memory/3416-159-0x0000000024160000-0x00000000241C2000-memory.dmp
        Filesize

        392KB

      • memory/3416-163-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/3416-146-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/3416-141-0x0000000024010000-0x0000000024072000-memory.dmp
        Filesize

        392KB

      • memory/3416-139-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/3416-133-0x0000000000000000-mapping.dmp
      • memory/4912-149-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

      • memory/4912-145-0x0000000000000000-mapping.dmp
      • memory/4912-152-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB