Analysis
- max time kernel: 176s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 00:13
Static task: static1
Behavioral task: behavioral1
- Sample: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
- Resource: win7-20220812-en
General
- Target: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
- Size: 888KB
- MD5: a0efe7e5c16f631870d5d29b5992a020
- SHA1: 70afc709e34a9a9cddcebfe0237520d9efb95b76
- SHA256: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206
- SHA512: 3dfb6122e1656a8c8da52a0cd72d20cf8df0595a6761fea9a94e2ab362c009940515243c16984397c18f1a41e3f3af7fd16a7ed7780e64d05ddc91f25e4e9c34
- SSDEEP: 12288:dHlDbtDorPevhdQivIi3kTy/lZyNDaHBgwM3dBE5c:dHlD1gPeJdVv73azDwGX
Malware Config
Extracted
- cybergate
- v1.07.5
- RS3
- blueparrot.no-ip.biz:87
- 61FUA6146NINT0
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: winessentials.exe
- install_dir: install
- install_file: Windowslive.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: c1ndy123
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\g4HYvpm3b00GZB2I\\zhgctAGmVRpS.exe\",explorer.exe" (process: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe)

Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: cvtres.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Winessentials\\install\\Windowslive.exe" (process: cvtres.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: cvtres.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Winessentials\\install\\Windowslive.exe" (process: cvtres.exe)

Executes dropped EXE (1 IoC)
- PID 1984: Windowslive.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AVDRR2M-O003-70KB-8I13-0477ML04F252} (process: cvtres.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AVDRR2M-O003-70KB-8I13-0477ML04F252}\StubPath = "c:\\directory\\Winessentials\\install\\Windowslive.exe Restart" (process: cvtres.exe)

YARA rule matches (rule: upx)
- behavioral2/memory/2696-140-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/2696-145-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/3672-148-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/3672-150-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/3672-155-0x0000000010480000-0x00000000104E5000-memory.dmp

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: cvtres.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\Winessentials\\install\\Windowslive.exe" (process: cvtres.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: cvtres.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\Winessentials\\install\\Windowslive.exe" (process: cvtres.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 2032 set thread context of 2696 (process: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe; procid_target: 85)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2032: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
- PID 2032: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
- PID 2696: cvtres.exe
- PID 2696: cvtres.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3672: cvtres.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege (PID 2032, 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe)
- Token: SeBackupPrivilege (PID 3672, cvtres.exe)
- Token: SeRestorePrivilege (PID 3672, cvtres.exe)
- Token: SeDebugPrivilege (PID 3672, cvtres.exe)
- Token: SeDebugPrivilege (PID 3672, cvtres.exe)

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2032 wrote to memory of 2696 (process: 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe; procid_target: 85), 11 entries
- PID 2696 wrote to memory of 4648 (process: cvtres.exe; procid_target: 86), the remaining 53 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe (PID 2032)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe"
   - Modifies WinLogon for persistence
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2696)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Internet Explorer\iexplore.exe (PID 4648)
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe"

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3672)
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

         4. C:\directory\Winessentials\install\Windowslive.exe (PID 1984)
            Command line: "C:\directory\Winessentials\install\Windowslive.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 224KB
  MD5: 1dc2681ba094f15c8e53112112c6f0d9
  SHA1: 8647c3afb6cf4f52e8a7f4d323eb1710628d935b
  SHA256: 9796e58057363c1d0d8911328c9021486bcaa6e4d2627394b086ee65ba7dc0d6
  SHA512: 6d9790e70e2a7aa1b75bd7df297d93efa10f74ea050916ed82aad29f270b39cdfb8124c510a9e91739cd1dea788de1cc18b698fc733940260fdca4784b59a58d

- Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

- Filesize: 34KB
  MD5: e118330b4629b12368d91b9df6488be0
  SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
  SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
  SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0