Analysis
- max time kernel: 150s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2022 03:33
Behavioral task: behavioral1
- Sample: eca370714cffc52def1b513f8813c771bdb4735c4063498cd81ab42bd452ae2b.exe
- Resource: win7-20220901-en
General
- Target: eca370714cffc52def1b513f8813c771bdb4735c4063498cd81ab42bd452ae2b.exe
- Size: 336KB
- MD5: 69d0cba10d41ffaded42a429d339c5a5
- SHA1: 30f6aac8ba2883f098d23d2448b52dc4592fdec6
- SHA256: eca370714cffc52def1b513f8813c771bdb4735c4063498cd81ab42bd452ae2b
- SHA512: 51e6e9e3d4590b75e0f805805450a15eb8ef25f94121c9031598ba79312f02ec156f9fee840f4d4b8607955896f1e37045587d4b4a85b925b36c460dd52937f2
- SSDEEP: 6144:qOpslFlqphdBCkWYxuukP1pjSKSNVkq/MVJb3D68ws:qwslWTBd47GLRMTb3D68ws
Malware Config
Extracted
- cybergate
- v1.07.5
- Test
- nekisamja.no-ip.biz:85
- 127.0.0.1:999
- L38D5PV8S47081
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: explorer.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 156577_a
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
(description, ioc, process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\explorer.exe" (server.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\explorer.exe" (server.exe)

Executes dropped EXE (3 IoCs)
(pid, process)
- 1392 server.exe
- 856 server.exe
- 440 explorer.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
(description, ioc, process)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{387K34EM-GBK7-R4AX-YBD4-W4GWY0E4T6H4} (server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{387K34EM-GBK7-R4AX-YBD4-W4GWY0E4T6H4}\StubPath = "C:\\Windows\\system32\\install\\explorer.exe Restart" (server.exe)

YARA rule matches (resource, yara_rule)
- behavioral1/memory/1392-62-0x0000000010410000-0x0000000010475000-memory.dmp: upx
- behavioral1/memory/1392-70-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral1/memory/856-75-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral1/memory/856-83-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral1/memory/856-84-0x0000000010480000-0x00000000104E5000-memory.dmp: upx

Loads dropped DLL (3 IoCs)
(pid, process)
- 1392 server.exe
- 856 server.exe
- 856 server.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
(description, ioc, process)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\explorer.exe" (server.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run (server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\explorer.exe" (server.exe)

Drops file in System32 directory (2 IoCs)
(description, ioc, process)
- File created: C:\Windows\SysWOW64\install\explorer.exe (server.exe)
- File opened for modification: C:\Windows\SysWOW64\install\explorer.exe (server.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
(pid, process)
- 1392 server.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
(pid, process)
- 856 server.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
(description, pid, process)
- Token: SeBackupPrivilege, 856 server.exe
- Token: SeRestorePrivilege, 856 server.exe
- Token: SeDebugPrivilege, 856 server.exe
- Token: SeDebugPrivilege, 856 server.exe

Suspicious use of WriteProcessMemory (64 IoCs)
(description, pid, process, procid_target; identical rows collapsed)
- PID 1328 wrote to memory of 1392: 1328 eca370714cffc52def1b513f8813c771bdb4735c4063498cd81ab42bd452ae2b.exe, target 27 (4 identical entries)
- PID 1392 wrote to memory of 884: 1392 server.exe, target 29 (remaining 60 identical entries)
Processes (number = depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\eca370714cffc52def1b513f8813c771bdb4735c4063498cd81ab42bd452ae2b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eca370714cffc52def1b513f8813c771bdb4735c4063498cd81ab42bd452ae2b.exe"
   PID: 1328
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 1392
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
         PID: 884

      3. C:\Users\Admin\AppData\Local\Temp\server.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
         PID: 856
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\SysWOW64\install\explorer.exe
            Command line: "C:\Windows\system32\install\explorer.exe"
            PID: 440
            - Executes dropped EXE
Downloads

- Filesize: 224KB
  MD5: c0a1f8fd298a75bde9a1cc0c9677f4e9
  SHA1: e8d8a8c6397e1ea6b0caf3f72c875e1faacfe3fc
  SHA256: ae32052942756e2e3ddaa13514583df7a8a90389fe71df591c95324638825be8
  SHA512: edac4cd3a670c9aa0c897d0c0727ffceb8ff936c2011141976185736376fcea827369aee7b90f532bb806843de638f2509997cf15569958a53140051406785e3

- Filesize: 296KB
  MD5: 2a244f64f229c38e3e17b0e1afa43461
  SHA1: dd8537e3f47b71c3981c8d21c01148386d7ff4f2
  SHA256: 56b8f88b352dd1632966e032ff2e1aebdb84bf8cd706bae8936035459157315c
  SHA512: 4e350ee723dc59fdd5a07705e5f77b54bf9f0fbbfaba8395fa063cecdad48daece3a8438facc8ee9bb286ebe946f5fd5434a4e965f3fe6bc789349d4e5410b84