Analysis
max time kernel: 172s
max time network: 157s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2022 17:35
Static task: static1
Behavioral task: behavioral1
Sample: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
Resource: win7-20220812-en
General
Target: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
Size: 762KB
MD5: 61100d43a149d129dd54142600e34ed8
SHA1: 140d028670022775807e7817cf5e1c1e95eb5c1b
SHA256: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b
SHA512: a55478437bea7a253031d2de0e055b835f9af5c2f396644cd98e5184e562db6911a7ed94944e688cbc6a6f3fa5fa0e7ea68d817b2619918c0046575cb0dca3a9
SSDEEP: 12288:A0KcgjVIgfgbn2dHPXjbUTGc4PvLLc5Un5G6QoamvlHsL1Zf69xA2MfKliPP3kUb:ACVi/zPDHKhGu2K3l
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
Botnet: Zombie
C2: amdzone.no-ip.info:3086
Mutex: 06I43WDM5B044Q
enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: PrivateSW87
regkey_hklm: Windows Live Messenger
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (svchost.exe)
Executes dropped EXE (3 IoCs)
Processes: svchost.exe, svchost.exe, server.exe
- PID 2016 svchost.exe
- PID 1456 svchost.exe
- PID 984 server.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}\StubPath = "C:\\Windows\\system32\\install\\server.exe" (explorer.exe)
YARA rule matches (rule: upx)
Resources:
- behavioral1/memory/2016-58-0x0000000000400000-0x0000000000456000-memory.dmp
- behavioral1/memory/2016-60-0x0000000000400000-0x0000000000456000-memory.dmp
- behavioral1/memory/2016-61-0x0000000000400000-0x0000000000456000-memory.dmp
- behavioral1/memory/2016-67-0x0000000000400000-0x0000000000456000-memory.dmp
- behavioral1/memory/2016-68-0x0000000000400000-0x0000000000456000-memory.dmp
- behavioral1/memory/2016-69-0x0000000000400000-0x0000000000456000-memory.dmp
- behavioral1/memory/2016-73-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral1/memory/2016-83-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral1/memory/1600-88-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral1/memory/1600-91-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral1/memory/2016-93-0x00000000104F0000-0x0000000010555000-memory.dmp
- behavioral1/memory/2016-100-0x0000000010560000-0x00000000105C5000-memory.dmp
- behavioral1/memory/1456-105-0x0000000010560000-0x00000000105C5000-memory.dmp
- behavioral1/memory/1456-107-0x0000000010560000-0x00000000105C5000-memory.dmp
- behavioral1/memory/1456-111-0x0000000010560000-0x00000000105C5000-memory.dmp
Loads dropped DLL (2 IoCs)
Processes: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe, svchost.exe
- PID 1480 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
- PID 1456 svchost.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe, svchost.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger = "C:\\Windows\\system32\\install\\server.exe" (svchost.exe)
Drops file in System32 directory (4 IoCs)
Processes: svchost.exe, svchost.exe
- File opened for modification: C:\Windows\SysWOW64\install\ (svchost.exe)
- File created: C:\Windows\SysWOW64\install\server.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\install\server.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\install\server.exe (svchost.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
- PID 1480 set thread context of PID 2016 (9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe -> svchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe, svchost.exe
- PID 1480 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
- PID 2016 svchost.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe, explorer.exe, svchost.exe
- Token: SeDebugPrivilege, PID 1480 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
- Token: SeBackupPrivilege, PID 1600 explorer.exe
- Token: SeRestorePrivilege, PID 1600 explorer.exe
- Token: SeBackupPrivilege, PID 1456 svchost.exe
- Token: SeRestorePrivilege, PID 1456 svchost.exe
- Token: SeDebugPrivilege, PID 1456 svchost.exe
- Token: SeDebugPrivilege, PID 1456 svchost.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: svchost.exe
- PID 2016 svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe, svchost.exe
The 64 entries consist of two distinct events, each repeated:
- PID 1480 wrote to memory of PID 2016 (9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe -> svchost.exe), listed 8 times
- PID 2016 wrote to memory of PID 1380 (svchost.exe -> Explorer.EXE), all remaining entries
Processes
(Each entry: image path, command line, tree depth, followed by the signatures triggered by that process.)

C:\Windows\Explorer.EXE | command line: C:\Windows\Explorer.EXE | depth 1
  C:\Users\Admin\AppData\Local\Temp\9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe | command line: "C:\Users\Admin\AppData\Local\Temp\9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe" | depth 2
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\svchost.exe | command line: C:\Users\Admin\AppData\Roaming\svchost.exe | depth 3
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe | command line: explorer.exe | depth 4
      - Modifies Installed Components in the registry
      - Suspicious use of AdjustPrivilegeToken
      C:\Program Files\Internet Explorer\iexplore.exe | command line: "C:\Program Files\Internet Explorer\iexplore.exe" | depth 4
      C:\Users\Admin\AppData\Roaming\svchost.exe | command line: "C:\Users\Admin\AppData\Roaming\svchost.exe" | depth 4
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\install\server.exe | command line: "C:\Windows\system32\install\server.exe" | depth 5
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
(Duplicate listings of the same path with identical hashes have been collapsed.)

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize: 224KB
MD5: babfa55af0a3b9fa5275c7f093620ab3
SHA1: 4100c4cefe41ccbd4d36d045d1cf28e642fad6f0
SHA256: c7df2f153afcd05e185592caae6bed62c9e765536b6b1330a20ad7279604759c
SHA512: 953722890d0ba9cef5e5fdadc21759010aba0f99dd112cd6271d48f1fbaa74bbd5d65b2688de4b1e480137d1bc134b58ec730136fedf79aaf73f8b377dfbd496

C:\Users\Admin\AppData\Roaming\svchost.exe (also listed as \Users\Admin\AppData\Roaming\svchost.exe)
Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Windows\SysWOW64\install\server.exe (also listed as \Windows\SysWOW64\install\server.exe; identical hashes to the dropped svchost.exe above)
Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d