Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2022 22:48

General

  • Target

    4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe

  • Size

    281KB

  • MD5

    5b36b3995a5069b87122954451d6d160

  • SHA1

    a8d27a0cb5b31e3a0421e5d0bcf34ebdae3baa15

  • SHA256

    4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7

  • SHA512

    b1f7fa2ce292465199b8d7cd0e403a13c33b6416f7694e79c97918bcdb47de70f2805151775e5e324653b5260512ad2874479a8aa817b5ca93ee56c0dfa55ad9

  • SSDEEP

    6144:gScrLM4mp8D6WGc/YSlIipBReubLzeh7Yy0DMIdeXijL:xczy78QSVnNyhsFMCeSjL

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

Hacker

C2

ttttt.no-ip.org:999

Mutex

8O16A0RR43WCEC

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    dwm.exe

  • install_dir

    dwm

  • install_file

    dwm.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    999

  • regkey_hkcu

    New

  • regkey_hklm

    dwm

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature text flags this as likely ransomware behaviour, but drive enumeration is equally consistent with a remote administration tool such as CyberGate listing drives for its operator, so treat it as a weak indicator on its own.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
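The "UPX packed file" signature above keys on the section layout the packer leaves behind. The following is an added example for this report (not Triage's detector and not code from the sample) that parses a PE section table by hand and reports the traits stock UPX leaves: UPX0/UPX1 section names, a UPX0 section that is empty on disk, a high-entropy UPX1 section, and the "UPX!" marker. The entropy check still fires when a modified UPX renames its sections. The PE produced by `build_stub_pe()` is a constructed stand-in, not the 281KB binary analysed on this page.

```python
"""Spot the UPX section layout the "UPX packed file" signature keys on.

Added example for this report, not Triage's detector and not code from the
sample. The PE built by build_stub_pe() is a constructed stand-in.
"""
import math
import random
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data):
    """Return [(name, virtual_size, raw_size, raw_offset)] from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size               # IMAGE_SECTION_HEADER[] follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, rsize, rptr))
    return sections


def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def upx_indicators(data):
    """Collect observable UPX traits in order; an empty list means none found."""
    found = []
    sections = parse_sections(data)
    names = [s[0] for s in sections]
    if UPX_SECTION_NAMES & set(names):
        found.append("upx_section_names:" + ",".join(n.decode("ascii", "replace") for n in names))
    for name, vsize, rsize, rptr in sections:
        label = name.decode("ascii", "replace")
        # UPX0 is the unpacking target: large VirtualSize, zero bytes on disk.
        if rsize == 0 and vsize > 0:
            found.append("empty_on_disk_section:" + label)
        # Renamed sections (modified UPX) still carry the compressed blob's entropy.
        if rsize and entropy(data[rptr:rptr + rsize]) > 7.0:
            found.append("high_entropy_section:" + label)
    if b"UPX!" in data:
        found.append("upx_magic_string")
    return found


def build_stub_pe(sections, blobs):
    """Build a minimal PE: DOS stub, COFF header, zeroed PE32 optional header,
    section table, then raw section data at 512-byte file alignment.
    sections: [(name, virtual_size, raw_size)]; blobs: raw bytes per section."""
    opt_size = 224                                                  # PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)        # magic = PE32
    hdr_len = len(dos) + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_start = (hdr_len + 0x1FF) & ~0x1FF
    table, body, ptr, vaddr = b"", b"", raw_start, 0x1000
    for (name, vsize, rsize), blob in zip(sections, blobs):
        assert len(blob) == rsize
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             rsize, ptr if rsize else 0, 0, 0, 0, 0, 0xE0000020)
        body += blob
        ptr += rsize
        vaddr += (vsize + 0xFFF) & ~0xFFF
    img = dos + b"PE\0\0" + coff + opt + table
    return img + b"\0" * (raw_start - len(img)) + body


# Constructed samples: a UPX-style layout and a plain one-section binary.
_rng = random.Random(1)
_compressed = b"UPX!" + bytes(_rng.getrandbits(8) for _ in range(4092))
PACKED_STUB = build_stub_pe(
    [(b"UPX0", 0x30000, 0), (b"UPX1", 0x10000, 4096), (b".rsrc", 0x1000, 512)],
    [b"", _compressed, b"\0" * 512])
CLEAN_STUB = build_stub_pe([(b".text", 0x1000, 512)], [b"\x90" * 512])

if __name__ == "__main__":
    print("packed:", upx_indicators(PACKED_STUB))
    print("clean :", upx_indicators(CLEAN_STUB))
```

To run it against a real file, read the bytes and pass them to `upx_indicators()`; the section-name and magic-string checks are cheap triage, while the entropy check is what survives a renamed-section build.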

Processes

  • C:\Windows\Explorer.EXE (PID 2948)
    Command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe (PID 1344, child of 2948)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe"
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\explorer.exe (PID 1684, child of 1344)
        Command line: explorer.exe
        • Modifies Installed Components in the registry
        • Suspicious use of AdjustPrivilegeToken
      • C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe (PID 1772, child of 1344)
        Command line: "C:\Users\Admin\AppData\Local\Temp\4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7.exe"
        • Drops file in System32 directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
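The Malware Config and Processes sections together give enough to hunt for this sample on a host: the install path under SysWOW64\dwm, the Run value names "New" and "dwm", the mutex, the C2 host and port, and the parent/child pattern of a Temp-dropped executable spawning the 32-bit explorer.exe while using WriteProcessMemory. The following is an added example for this report (not Triage output and not code from the sample) that runs those matchers over Sysmon-style event dicts. The registry key paths assumed for the Run value names, the event schema, the `sample.exe` stand-in name and the `SAMPLE_EVENTS` list are constructed for illustration; the IoC values themselves come from the config above.

```python
"""Hunt for this sample's persistence, injection and C2 using the extracted config.

Added example for this report; not Triage output and not part of the sample.
Key paths, event schema and SAMPLE_EVENTS are constructed assumptions.
"""
import re

# Values taken verbatim from the report's extracted config.
CONFIG = {
    "c2_host": "ttttt.no-ip.org",
    "c2_port": 999,
    "mutex": "8O16A0RR43WCEC",
    "install_dir": "dwm",
    "install_file": "dwm.exe",
    "regkey_hkcu": "New",
    "regkey_hklm": "dwm",
}

# Assumed locations for the Run value names (the report's "Adds Run key" and
# "Adds policy Run key" signatures); the exact paths are not stated on the page.
RUN_KEYS = {
    "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN",
}
RUN_VALUES = {CONFIG["regkey_hkcu"], CONFIG["regkey_hklm"]}
INSTALL_PATH = re.compile(
    r"\\SysWOW64\\%s\\%s$" % (re.escape(CONFIG["install_dir"]), re.escape(CONFIG["install_file"])),
    re.IGNORECASE)


def match_event(ev):
    """Return [(rule, detail), ...] for one event dict; [] when nothing matches."""
    hits, kind = [], ev.get("event")
    if kind == "file_create" and INSTALL_PATH.search(ev.get("path", "")):
        hits.append(("cybergate_install_path", ev["path"]))
    elif kind == "registry_set":
        key, value = ev.get("key", ""), ev.get("value_name", "")
        if key.upper() in RUN_KEYS and value in RUN_VALUES:
            hits.append(("cybergate_run_value", key + "\\" + value))
        if "\\ACTIVE SETUP\\INSTALLED COMPONENTS\\" in key.upper():
            hits.append(("active_setup_persistence", key))   # "Modifies Installed Components"
    elif kind == "dns_query" and ev.get("query", "").lower() == CONFIG["c2_host"]:
        hits.append(("cybergate_c2_dns", ev["query"]))
    elif kind == "network_connect" and (ev.get("dest_port") == CONFIG["c2_port"]
                                        and ev.get("dest_host", "").lower() == CONFIG["c2_host"]):
        hits.append(("cybergate_c2_connect", "%s:%d" % (ev["dest_host"], ev["dest_port"])))
    elif kind == "mutex_create" and ev.get("name") == CONFIG["mutex"]:
        hits.append(("cybergate_mutex", ev["name"]))
    elif kind == "process_create":
        # Process tree on this page: the Temp-dropped sample spawns the 32-bit
        # explorer.exe from SysWOW64 and is flagged for WriteProcessMemory on it.
        image, parent = ev.get("image", "").lower(), ev.get("parent_image", "").lower()
        if image.endswith("\\syswow64\\explorer.exe") and "\\appdata\\local\\temp\\" in parent:
            hits.append(("explorer_spawned_from_temp", parent + " -> " + image))
    return hits


def scan(events):
    """Fold per-event hits into {rule: [details]} in event order."""
    found = {}
    for ev in events:
        for rule, detail in match_event(ev):
            found.setdefault(rule, []).append(detail)
    return found


# Constructed events (not real telemetry) mirroring the report's process tree;
# "sample.exe" stands in for the SHA256-named file and the GUID is a placeholder.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1344, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe",
     "parent_image": "C:\\Windows\\Explorer.EXE"},
    {"event": "file_create", "pid": 1344, "path": "C:\\Windows\\SysWOW64\\dwm\\dwm.exe"},
    {"event": "registry_set", "pid": 1344,
     "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "New"},
    {"event": "registry_set", "pid": 1344,
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "value_name": "dwm"},
    {"event": "registry_set", "pid": 1684,
     "key": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{00000000-0000-0000-0000-000000000001}",
     "value_name": "StubPath"},
    {"event": "process_create", "pid": 1684, "image": "C:\\Windows\\SysWOW64\\explorer.exe",
     "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"},
    {"event": "mutex_create", "pid": 1772, "name": "8O16A0RR43WCEC"},
    {"event": "dns_query", "pid": 1772, "query": "ttttt.no-ip.org"},
    {"event": "network_connect", "pid": 1772, "dest_host": "ttttt.no-ip.org", "dest_port": 999},
    {"event": "registry_set", "pid": 4000,   # benign Run value that must not match
     "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "OneDrive"},
]

if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        print(rule, details)
```

The C2 host is a no-ip.org dynamic DNS name, so the DNS-query rule is the more durable one: the resolved address can change between runs while the name and port 999 stay fixed in the config.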

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 3 matching signatures
  • Defense Evasion: Modify Registry (T1112), 3 matching signatures
  • Discovery: System Information Discovery (T1082), 1 matching signature


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      236KB

      MD5

      6c81de7c02975ae990533a142c582dcd

      SHA1

      cc875aa6426d3359a48a520643f542c760b6308a

      SHA256

      d82a7a38e298f9bc3f73d0d73c9b38b4428b373f567afb11206aa5a82c232a1a

      SHA512

      6bae5797d69ec554c690a603e7b9632541b81abd71f745cf7e436dcd2ccfbab930952d81ebfacdfad0c609a3f6ebb9c4b79c3864178a42d40e379bbc7d5d8679

    • C:\Windows\SysWOW64\dwm\dwm.exe
      Filesize

      281KB

      MD5

      5b36b3995a5069b87122954451d6d160

      SHA1

      a8d27a0cb5b31e3a0421e5d0bcf34ebdae3baa15

      SHA256

      4c72d51ee9335fb2e8329f8154f33fb3733dc1d05739d37357ac1c0e2d5787e7

      SHA512

      b1f7fa2ce292465199b8d7cd0e403a13c33b6416f7694e79c97918bcdb47de70f2805151775e5e324653b5260512ad2874479a8aa817b5ca93ee56c0dfa55ad9

    • memory/1344-146-0x00000000005D0000-0x0000000000642000-memory.dmp
      Filesize

      456KB

    • memory/1344-151-0x0000000010510000-0x0000000010582000-memory.dmp
      Filesize

      456KB

    • memory/1344-138-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB

    • memory/1344-133-0x0000000010410000-0x0000000010482000-memory.dmp
      Filesize

      456KB

    • memory/1684-141-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB

    • memory/1684-144-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB

    • memory/1684-137-0x0000000000000000-mapping.dmp
    • memory/1772-150-0x0000000000000000-mapping.dmp
    • memory/1772-154-0x0000000010510000-0x0000000010582000-memory.dmp
      Filesize

      456KB

    • memory/1772-155-0x0000000010510000-0x0000000010582000-memory.dmp
      Filesize

      456KB

    • memory/1772-156-0x0000000010510000-0x0000000010582000-memory.dmp
      Filesize

      456KB