Analysis
Max time kernel: 79s
Max time network: 190s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12-10-2022 17:35

Static task: static1
Behavioral task: behavioral1
Sample: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
Resource: win7-20220812-en
General
Target: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
Size: 762KB
MD5: 61100d43a149d129dd54142600e34ed8
SHA1: 140d028670022775807e7817cf5e1c1e95eb5c1b
SHA256: 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b
SHA512: a55478437bea7a253031d2de0e055b835f9af5c2f396644cd98e5184e562db6911a7ed94944e688cbc6a6f3fa5fa0e7ea68d817b2619918c0046575cb0dca3a9
SSDEEP: 12288:A0KcgjVIgfgbn2dHPXjbUTGc4PvLLc5Un5G6QoamvlHsL1Zf69xA2MfKliPP3kUb:ACVi/zPDHKhGu2K3l
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
Botnet: Zombie
C2: amdzone.no-ip.info:3086
Mutex: 06I43WDM5B044Q
Attributes:
- enable_keylogger: false
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: PrivateSW87
- regkey_hklm: Windows Live Messenger
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: description, IoC
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
- svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
- svchost.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Executes dropped EXE (2 IoCs)
Process: PID
- svchost.exe: PID 748
- svchost.exe: PID 2812
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Process: description, IoC
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}\StubPath = "C:\\Windows\\system32\\install\\server.exe"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}
YARA rule match: upx (14 IoCs)
Resource: yara_rule
- behavioral2/memory/748-135-0x0000000000400000-0x0000000000456000-memory.dmp: upx
- behavioral2/memory/748-141-0x0000000000400000-0x0000000000456000-memory.dmp: upx
- behavioral2/memory/748-139-0x0000000000400000-0x0000000000456000-memory.dmp: upx
- behavioral2/memory/748-138-0x0000000000400000-0x0000000000456000-memory.dmp: upx
- behavioral2/memory/748-144-0x0000000010410000-0x0000000010475000-memory.dmp: upx
- behavioral2/memory/748-149-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/4844-152-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/4844-153-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/748-155-0x00000000104F0000-0x0000000010555000-memory.dmp: upx
- behavioral2/memory/748-163-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
- behavioral2/memory/2812-166-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
- behavioral2/memory/2812-167-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
- behavioral2/memory/4844-168-0x0000000010480000-0x00000000104E5000-memory.dmp: upx
- behavioral2/memory/2812-169-0x0000000010560000-0x00000000105C5000-memory.dmp: upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Process: description, IoC
- svchost.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 3 IoCs)
Process: description, IoC
- 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger = "C:\\Windows\\system32\\install\\server.exe"
Drops file in System32 directory (4 IoCs)
Process: description, IoC
- svchost.exe: File created C:\Windows\SysWOW64\install\server.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\install\server.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\install\server.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\install\
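The three persistence signatures above (policy Run key, Active Setup StubPath, Run key) and the "Drops file in System32 directory" rows together make up the hunt list for this sample. Note the mismatch the report itself shows: every registry value points at C:\Windows\system32\install\server.exe, while the file was actually created under C:\Windows\SysWOW64\install\. That is WOW64 file-system redirection for a 32-bit process, and the same redirection is why the HKLM Run and Active Setup values sit under WOW6432Node. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses the report's "Set value (str)" rows (copied inline as constructed input), labels each with the ATT&CK sub-technique under current numbering (the report tags TTPs against ATT&CK v6, which numbers these differently), and expands the registry data into both spellings of the target path so a hunt does not miss the redirected copy. The helper names (parse_report, classify, hunt_paths) and the Persistence record are mine.

```python
import re
from dataclasses import dataclass

# Constructed input: the six "Set value (str)" rows and one "Key created" row from
# the report's persistence signatures, one event per line, as the sandbox prints
# them (backslashes inside the quoted data are doubled).
REPORT_EVENTS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}\StubPath = "C:\\Windows\\system32\\install\\server.exe" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7N1KO863-4LHX-407K-K615-VFN18818NW4A}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Live Messenger = "C:\\Windows\\system32\\install\\server.exe" svchost.exe
'''

# key = everything up to the last backslash, name = last path component, data = quoted string
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.*)\\(?P<name>[^\\]+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
# Split 'C:\dir\x.exe Restart' into the executable and its arguments.
EXE_RE = re.compile(r'^(?P<exe>.*?\.exe)(?:\s+(?P<args>.*))?$', re.IGNORECASE)


@dataclass(frozen=True)
class Persistence:
    hive: str
    key: str
    name: str
    exe: str
    args: str
    technique: str  # ATT&CK sub-technique id, current numbering (assumption: not the report's v6 tags)
    label: str
    process: str    # process that wrote the value
    wow64: bool     # key sits under WOW6432Node, i.e. written through the 32-bit registry view


def classify(key, name):
    k = key.lower()
    if "\\active setup\\installed components\\" in k and name.lower() == "stubpath":
        return "T1547.014", "Active Setup StubPath"
    if "\\policies\\explorer\\run" in k:
        return "T1547.001", "Policies Explorer Run"
    if "\\currentversion\\run" in k:
        return "T1547.001", "CurrentVersion Run"
    return "unclassified", "registry write"


def parse_report(text):
    entries = []
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows carry no target to hunt for
        key, name, data, proc = m.group("key", "name", "data", "proc")
        data = data.replace("\\\\", "\\")  # undo the sandbox's doubled backslashes
        em = EXE_RE.match(data)
        exe, args = (em.group("exe"), em.group("args") or "") if em else (data, "")
        hive = "HKLM" if key.startswith("\\REGISTRY\\MACHINE\\") else "HKU"
        technique, label = classify(key, name)
        entries.append(Persistence(hive, key, name, exe, args, technique, label,
                                   proc, "\\wow6432node\\" in key.lower()))
    return entries


def hunt_paths(entries):
    """Executable paths to check on a host. A 32-bit process that writes under
    C:\\Windows\\system32\\ is redirected to SysWOW64 by WOW64, so both spellings
    of that directory are returned for every system32/SysWOW64 target."""
    paths = set()
    for e in entries:
        paths.add(e.exe)
        low = e.exe.lower()
        for a, b in (("\\windows\\system32\\", "\\Windows\\SysWOW64\\"),
                     ("\\windows\\syswow64\\", "\\Windows\\System32\\")):
            if a in low:
                i = low.index(a)
                paths.add(e.exe[:i] + b + e.exe[i + len(a):])
    return sorted(paths)


if __name__ == "__main__":
    found = parse_report(REPORT_EVENTS)
    for e in found:
        print(f"{e.technique} {e.label:22} {e.hive} {e.name!r} -> {e.exe} {e.args} (by {e.process})")
    print("paths to hunt:", *hunt_paths(found), sep="\n  ")
```

Running it lists six persistence entries (four Run-style, two Active Setup) and three paths to check: the AppData\Roaming copy of svchost.exe and both the system32 and SysWOW64 spellings of install\server.exe. Swapping REPORT_EVENTS for the rows of another report in the same format is all that is needed to reuse it.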
Suspicious use of SetThreadContext (1 IoCs)
Process: description, PID, target process
- 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe (PID 4276) set thread context of PID 748 (svchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; for this sample, which the extracted config identifies as CyberGate, a remote-access tool, drive enumeration is equally consistent with its remote file-management features and should not be read as ransomware on its own.
Modifies registry class (2 IoCs)
Process: description, IoC
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Process: PID
- 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe: PID 4276
- svchost.exe: PID 748
- svchost.exe: PID 748
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Process: token, PID
- 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe: SeDebugPrivilege, PID 4276
- explorer.exe: SeBackupPrivilege, PID 4844
- explorer.exe: SeRestorePrivilege, PID 4844
- svchost.exe: SeBackupPrivilege, PID 2812
- svchost.exe: SeRestorePrivilege, PID 2812
- svchost.exe: SeDebugPrivilege, PID 2812
- svchost.exe: SeDebugPrivilege, PID 2812
Suspicious use of FindShellTrayWindow (1 IoCs)
Process: PID
- svchost.exe: PID 748
Suspicious use of WriteProcessMemory (64 IoCs)
Process: PID, target process (the source lists every event as its own row; collapsed here by source/target pair)
- 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe (PID 4276) wrote to memory of PID 748 (svchost.exe): 8 events
- svchost.exe (PID 748) wrote to memory of PID 2824 (Explorer.EXE): 56 events
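Read together with the Processes tree, the SetThreadContext and WriteProcessMemory signatures describe two different injection patterns: the dropper (PID 4276) writes into the svchost.exe child (PID 748) it created and sets that child's thread context, and the child then writes repeatedly into its own grandparent Explorer.EXE (PID 2824), which matches injected_process = explorer.exe in the extracted config. The script below is an added example, not part of the report or of the sandbox: it rebuilds that picture from the report's own rows (copied inline as constructed input, with the 56 Explorer.EXE writes collapsed to four) and also flags the masquerading the tree makes visible, a file named svchost.exe running from AppData\Roaming rather than System32. The function names, the verdict strings and the SYSTEM_ONLY_IMAGES list are mine; "hollowed child" labels only the observable pattern, because the report does not show the suspended-create or unmapping steps that would confirm classic process hollowing.

```python
import re
from collections import Counter

# Constructed input, taken from the report: the process tree from the Processes
# section (pid -> (parent pid, image path)) and a sample of rows from the
# SetThreadContext and WriteProcessMemory signatures. The report repeats the
# 748 -> 2824 write 56 times; four copies stand in for it here.
PROCESS_TREE = {
    2824: (None, "C:\\Windows\\Explorer.EXE"),
    4276: (2824, "C:\\Users\\Admin\\AppData\\Local\\Temp\\9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe"),
    748:  (4276, "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"),
    4844: (748,  "C:\\Windows\\SysWOW64\\explorer.exe"),
    3996: (4844, "C:\\Windows\\SysWOW64\\install\\server.exe"),
    1996: (748,  "C:\\Program Files\\Internet Explorer\\iexplore.exe"),
    2812: (748,  "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"),
    3540: (2812, "C:\\Windows\\SysWOW64\\install\\server.exe"),
}
EVENTS = """
PID 4276 set thread context of 748 4276 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe svchost.exe
PID 4276 wrote to memory of 748 4276 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe svchost.exe
PID 4276 wrote to memory of 748 4276 9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe svchost.exe
PID 748 wrote to memory of 2824 748 svchost.exe Explorer.EXE
PID 748 wrote to memory of 2824 748 svchost.exe Explorer.EXE
PID 748 wrote to memory of 2824 748 svchost.exe Explorer.EXE
PID 748 wrote to memory of 2824 748 svchost.exe Explorer.EXE
"""
EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ \S+ \S+$")

# Assumption for this example: image names that exist only under System32/SysWOW64
# on a clean install; a copy anywhere else is masquerading (T1036.005).
SYSTEM_ONLY_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_events(text):
    """Return (set of (src, dst) SetThreadContext pairs, Counter of (src, dst) writes)."""
    ctx, writes = set(), Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if kind.startswith("set thread"):
            ctx.add((src, dst))
        else:
            writes[(src, dst)] += 1
    return ctx, writes


def is_ancestor(tree, pid, candidate):
    """True if candidate is pid's parent, grandparent, and so on up the tree."""
    cur = tree[pid][0]
    while cur is not None:
        if cur == candidate:
            return True
        cur = tree[cur][0]
    return False


def classify_injection(tree, ctx, writes):
    """Label each writer/target pair by how the target relates to the writer."""
    findings = {}
    for (src, dst), n in writes.items():
        if tree[dst][0] == src and (src, dst) in ctx:
            # write + SetThreadContext into a process the writer itself spawned:
            # the observable half of process hollowing; the suspended-create and
            # unmap steps are not in the report, so this is a candidate, not proof
            verdict = "hollowed child"
        elif is_ancestor(tree, src, dst):
            verdict = "injection into ancestor"
        else:
            verdict = "cross-process write"
        findings[(src, dst)] = (verdict, n)
    return findings


def masquerading(tree):
    """PIDs whose image borrows a system binary's name outside the system directories."""
    flagged = set()
    for pid, (_, path) in tree.items():
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_ONLY_IMAGES and not low.startswith(SYSTEM_DIRS):
            flagged.add(pid)
    return flagged


if __name__ == "__main__":
    ctx, writes = parse_events(EVENTS)
    for (src, dst), (verdict, n) in classify_injection(PROCESS_TREE, ctx, writes).items():
        print(f"{src} -> {dst} ({PROCESS_TREE[dst][1]}): {verdict}, {n} write(s)")
    print("masquerading PIDs:", sorted(masquerading(PROCESS_TREE)))
```

The ancestor check is what separates the two findings: writes into a child the writer just created look like hollowing, while writes into Explorer.EXE, which is above the writer in the tree, can only be injection into an already running process. Both copies of the dropped svchost.exe (PIDs 748 and 2812) are flagged by name and location alone, before any hash is consulted.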
Processes
- [1] C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE) PID 2824
  - [2] C:\Users\Admin\AppData\Local\Temp\9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe") PID 4276
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\svchost.exe (cmdline: C:\Users\Admin\AppData\Roaming\svchost.exe) PID 748
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\explorer.exe (cmdline: explorer.exe) PID 4844
        - Modifies Installed Components in the registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\install\server.exe (cmdline: "C:\Windows\system32\install\server.exe") PID 3996
      - [4] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID 1996
      - [4] C:\Users\Admin\AppData\Roaming\svchost.exe (cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe") PID 2812
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\install\server.exe (cmdline: "C:\Windows\system32\install\server.exe") PID 3540
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Admin2.txt
  Filesize: 224KB
  MD5: babfa55af0a3b9fa5275c7f093620ab3
  SHA1: 4100c4cefe41ccbd4d36d045d1cf28e642fad6f0
  SHA256: c7df2f153afcd05e185592caae6bed62c9e765536b6b1330a20ad7279604759c
  SHA512: 953722890d0ba9cef5e5fdadc21759010aba0f99dd112cd6271d48f1fbaa74bbd5d65b2688de4b1e480137d1bc134b58ec730136fedf79aaf73f8b377dfbd496
- C:\Users\Admin\AppData\Roaming\svchost.exe (listed three times in the source with identical hashes)
  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
- C:\Windows\SysWOW64\install\server.exe (listed three times in the source; same content as the svchost.exe above, identical hashes)
  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
- memory/748-144-0x0000000010410000-0x0000000010475000-memory.dmp: 404KB
- memory/748-135-0x0000000000400000-0x0000000000456000-memory.dmp: 344KB
- memory/748-163-0x0000000010560000-0x00000000105C5000-memory.dmp: 404KB
- memory/748-134-0x0000000000000000-mapping.dmp
- memory/748-139-0x0000000000400000-0x0000000000456000-memory.dmp: 344KB
- memory/748-149-0x0000000010480000-0x00000000104E5000-memory.dmp: 404KB
- memory/748-141-0x0000000000400000-0x0000000000456000-memory.dmp: 344KB
- memory/748-138-0x0000000000400000-0x0000000000456000-memory.dmp: 344KB
- memory/748-155-0x00000000104F0000-0x0000000010555000-memory.dmp: 404KB
- memory/2812-169-0x0000000010560000-0x00000000105C5000-memory.dmp: 404KB
- memory/2812-161-0x0000000000000000-mapping.dmp
- memory/2812-167-0x0000000010560000-0x00000000105C5000-memory.dmp: 404KB
- memory/2812-166-0x0000000010560000-0x00000000105C5000-memory.dmp: 404KB
- memory/3540-171-0x0000000000000000-mapping.dmp
- memory/3996-170-0x0000000000000000-mapping.dmp
- memory/4276-140-0x0000000075300000-0x00000000758B1000-memory.dmp: 5.7MB
- memory/4276-132-0x0000000075300000-0x00000000758B1000-memory.dmp: 5.7MB
- memory/4276-133-0x0000000075300000-0x00000000758B1000-memory.dmp: 5.7MB
- memory/4844-168-0x0000000010480000-0x00000000104E5000-memory.dmp: 404KB
- memory/4844-153-0x0000000010480000-0x00000000104E5000-memory.dmp: 404KB
- memory/4844-152-0x0000000010480000-0x00000000104E5000-memory.dmp: 404KB
- memory/4844-148-0x0000000000000000-mapping.dmp