Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8e8f3c6fe3...dc.exe

windows7-x64

10

8e8f3c6fe3...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2022, 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc.exe

  • Size

    818KB

  • MD5

    73de66d2519ad200365714b17da81160

  • SHA1

    f9ce9d8ec3c975ff27e074b75e6b76a6f1eda26b

  • SHA256

    8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc

  • SHA512

    9860b7d40649ceaf7ff442ce42ce0c92cb67f582a4dcac844a77865a06d732b4175b076d958ff5d72e00fec9e63351d32803f42160a00df5947ef83264d4e072

  • SSDEEP

    12288:55sn5mnSeD0IpOB9yAARmRsCD7HXCiS4omMfNFS5VWjua+nrYaSbKYceukhy6Ipb:3sUnke49Ki0SN9yHFm+PFy

Score
10/10
cybergate12345persistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

12345

C2

neruel.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    service.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    12345

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch
          2⤵
            PID:572
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              3⤵
                PID:1764
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                3⤵
                  PID:976
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                  3⤵
                    PID:1392
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                  2⤵
                    PID:788
                    • C:\Windows\system32\Dwm.exe
                      "C:\Windows\system32\Dwm.exe"
                      3⤵
                        PID:1320
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                      2⤵
                        PID:748
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:824
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          2⤵
                            PID:868
                            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                              wmiadap.exe /F /T /R
                              3⤵
                                PID:1712
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k NetworkService
                              2⤵
                                PID:300
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:648
                                • C:\Windows\System32\spoolsv.exe
                                  C:\Windows\System32\spoolsv.exe
                                  2⤵
                                    PID:284
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                    2⤵
                                      PID:1028
                                    • C:\Windows\system32\taskhost.exe
                                      "taskhost.exe"
                                      2⤵
                                        PID:1228
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                        2⤵
                                          PID:968
                                        • C:\Windows\system32\sppsvc.exe
                                          C:\Windows\system32\sppsvc.exe
                                          2⤵
                                            PID:956
                                        • C:\Windows\system32\winlogon.exe
                                          winlogon.exe
                                          1⤵
                                            PID:416
                                          • C:\Windows\system32\csrss.exe
                                            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                            1⤵
                                              PID:376
                                              • C:\Windows\system32\conhost.exe
                                                \??\C:\Windows\system32\conhost.exe "-163567159519024212811965241654-722554485-542644174-6925929103549883261279302144"
                                                2⤵
                                                  PID:1952
                                              • C:\Windows\system32\wininit.exe
                                                wininit.exe
                                                1⤵
                                                  PID:368
                                                  • C:\Windows\system32\lsm.exe
                                                    C:\Windows\system32\lsm.exe
                                                    2⤵
                                                      PID:484
                                                  • C:\Windows\system32\csrss.exe
                                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                                    1⤵
                                                      PID:332
                                                    • C:\Windows\System32\smss.exe
                                                      \SystemRoot\System32\smss.exe
                                                      1⤵
                                                        PID:260
                                                      • C:\Windows\Explorer.EXE
                                                        C:\Windows\Explorer.EXE
                                                        1⤵
                                                          PID:1380
                                                          • C:\Users\Admin\AppData\Local\Temp\8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc.exe"
                                                            2⤵
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:112
                                                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                              C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                              3⤵
                                                              • Adds policy Run key to start application
                                                              • Modifies Installed Components in the registry
                                                              • Adds Run key to start application
                                                              • Drops file in System32 directory
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:1080
                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                explorer.exe
                                                                4⤵
                                                                • Modifies Installed Components in the registry
                                                                PID:644
                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                explorer.exe
                                                                4⤵
                                                                • Loads dropped DLL
                                                                • Drops desktop.ini file(s)
                                                                • Drops file in System32 directory
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • Suspicious use of FindShellTrayWindow
                                                                • Suspicious use of SendNotifyMessage
                                                                PID:296
                                                                • C:\Windows\SysWOW64\install\service.exe
                                                                  "C:\Windows\system32\install\service.exe"
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  PID:2012
                                                            • C:\Windows\SysWOW64\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs_sbmff.VBS"
                                                              3⤵
                                                              • Adds Run key to start application
                                                              PID:1060

                                                        Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                                                          Filesize

                                                          240KB

                                                          MD5

                                                          c5e98105b61c6ffbfdefc2b97cb4c971

                                                          SHA1

                                                          78ffd1b328da9c103deaf5992f5f65736e1f0a43

                                                          SHA256

                                                          e89a31920114d960dc2c480736be6ebae166e6341e0d181da34fdfbbb08610b0

                                                          SHA512

                                                          8ce01f0c46f9365cbbc97813b8c9ef415b8936f5df41fe168dd9925b9779687994c67c1ef2bac4518be28926828bc3d9eda9226484bcb503b9c8ffb07470b947

                                                          Download Submit

                                                        • C:\Users\Admin\AppData\Local\Temp\vbs_sbmff.VBS
                                                          Filesize

                                                          765B

                                                          MD5

                                                          b434c1d79a26ca2142e2c27ed1531bae

                                                          SHA1

                                                          5d13c95762b432db1c87bb95776601678ee8e909

                                                          SHA256

                                                          19f543dd1dad365e3e6be1431c7cd7f416bcf9e8aaa57f4ed9a4ce7d6fe80cd9

                                                          SHA512

                                                          658ee72e163da7295ce17625ac6e9cba1110afdbad2aa9456a946d01ecc97b9c8d77c0b4338ddb558151071174adbad6a975d754ff712cfb7925cbf46a8ad5de

                                                          Download Submit

                                                        • C:\Windows\SysWOW64\install\service.exe
                                                          Filesize

                                                          1.1MB

                                                          MD5

                                                          34aa912defa18c2c129f1e09d75c1d7e

                                                          SHA1

                                                          9c3046324657505a30ecd9b1fdb46c05bde7d470

                                                          SHA256

                                                          6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

                                                          SHA512

                                                          d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

                                                          Download Submit

                                                        • C:\Windows\SysWOW64\install\service.exe
                                                          Filesize

                                                          1.1MB

                                                          MD5

                                                          34aa912defa18c2c129f1e09d75c1d7e

                                                          SHA1

                                                          9c3046324657505a30ecd9b1fdb46c05bde7d470

                                                          SHA256

                                                          6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

                                                          SHA512

                                                          d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

                                                          Download Submit

                                                        • \Windows\SysWOW64\install\service.exe
                                                          Filesize

                                                          1.1MB

                                                          MD5

                                                          34aa912defa18c2c129f1e09d75c1d7e

                                                          SHA1

                                                          9c3046324657505a30ecd9b1fdb46c05bde7d470

                                                          SHA256

                                                          6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

                                                          SHA512

                                                          d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

                                                          Download Submit

                                                        • memory/112-55-0x0000000073EB0000-0x000000007445B000-memory.dmp

                                                          Filesize

                                                          5.7MB

                                                          Download

                                                        • memory/112-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/112-70-0x0000000073EB0000-0x000000007445B000-memory.dmp

                                                          Filesize

                                                          5.7MB

                                                          Download

                                                        • memory/260-101-0x0000000031770000-0x000000003177D000-memory.dmp

                                                          Filesize

                                                          52KB

                                                          Download

                                                        • memory/296-146-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/296-157-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/296-99-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/644-145-0x00000000318E0000-0x00000000318ED000-memory.dmp

                                                          Filesize

                                                          52KB

                                                          Download

                                                        • memory/644-156-0x00000000318E0000-0x00000000318ED000-memory.dmp

                                                          Filesize

                                                          52KB

                                                          Download

                                                        • memory/644-80-0x00000000746C1000-0x00000000746C3000-memory.dmp

                                                          Filesize

                                                          8KB

                                                          Download

                                                        • memory/644-86-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/644-87-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/644-155-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/1080-65-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-59-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-94-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/1080-100-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-57-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-72-0x0000000024010000-0x0000000024072000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/1080-69-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-64-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-56-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-60-0x0000000000400000-0x0000000000459000-memory.dmp

                                                          Filesize

                                                          356KB

                                                          Download

                                                        • memory/1080-81-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download

                                                        • memory/1380-75-0x0000000024010000-0x0000000024072000-memory.dmp

                                                          Filesize

                                                          392KB

                                                          Download