Analysis

max time kernel: 170s
max time network: 208s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2022, 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe
Resource: win7-20220812-en
General

Target: 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe
Size: 309KB
MD5: 54d5afbf4d5c8746aa7ac2fcf25fb388
SHA1: 67d8be596ee29e1e5b361dd792418aa5c411b1d4
SHA256: 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a
SHA512: 65e3e60f52680a939a04de4df72f09190ec4709eb73054338c66edefa43f4d169d6f2cef507eee3df5bfbcf6e9291033f6717dbb6eb1365719e6c649cca11ffd
SSDEEP: 6144:gW5ib345WUO9b3heYDD+2tJCqgmBRzASgZnQzNjbZ0L00Zy:JEU6The72tJTHEbZ83eLy
Malware Config

Extracted

Family: cybergate
Version: 2.6
Botnet: lamer
C2: 192.168.1.68:4899
Mutex: ***MUTEX***

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: 12345
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)

  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Idman.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" | Idman.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Idman.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" | Idman.exe
Executes dropped EXE (3 IoCs)

  pid | Process
  1764 | Idman.exe
  956 | Idman.exe
  1880 | server.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)

  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24} | Idman.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24}\StubPath = "C:\\Program Files (x86)\\install\\server.exe Restart" | Idman.exe
  resource | yara_rule
  behavioral1/files/0x000a0000000132f6-57.dat | upx
  behavioral1/memory/1764-60-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/files/0x000a0000000132f6-61.dat | upx
  behavioral1/files/0x000a0000000132f6-62.dat | upx
  behavioral1/files/0x000a0000000132f6-65.dat | upx
  behavioral1/memory/956-68-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/1764-69-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/memory/1764-74-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/956-75-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/memory/956-76-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral1/files/0x0008000000013473-78.dat | upx
  behavioral1/files/0x0008000000013473-79.dat | upx
  behavioral1/files/0x0008000000013473-80.dat | upx
  behavioral1/files/0x0008000000013473-82.dat | upx
  behavioral1/memory/1880-86-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/1880-87-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/956-88-0x0000000024010000-0x0000000024072000-memory.dmp | upx
Loads dropped DLL (3 IoCs)

  pid | Process
  1764 | Idman.exe
  956 | Idman.exe
  956 | Idman.exe
Drops file in Program Files directory (4 IoCs)

  description | ioc | Process
  File created | C:\Program Files (x86)\install\server.exe | Idman.exe
  File opened for modification | C:\Program Files (x86)\install\server.exe | Idman.exe
  File opened for modification | C:\Program Files (x86)\install\server.exe | Idman.exe
  File opened for modification | C:\Program Files (x86)\install\ | Idman.exe
Enumerates physical storage devices (1 TTPs)

  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)

  pid | Process
  1764 | Idman.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

  pid | Process
  956 | Idman.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description | pid | Process
  Token: SeDebugPrivilege | 956 | Idman.exe
  Token: SeDebugPrivilege | 956 | Idman.exe
Suspicious use of WriteProcessMemory (64 IoCs)

  description | pid | Process | procid_target
  PID 1032 wrote to memory of 1764 | 1032 | 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe | 27 (this row is repeated 4 times in the report)
  PID 1764 wrote to memory of 956 | 1764 | Idman.exe | 28 (this row is repeated 60 times in the report)
Processes

C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe"
  PID: 1032
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Idman.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
    PID: 1764
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Idman.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
      PID: 956
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

      C:\Program Files (x86)\install\server.exe
        command line: "C:\Program Files (x86)\install\server.exe"
        PID: 1880
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 276KB
MD5: 272f511f152edb6bc58d6d01366c426e
SHA1: cd42a68f76452a98ce81a59eb423775d31862e09
SHA256: 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512: 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87
(this entry appears 8 times in the report with identical hashes)

Filesize: 229KB
MD5: c5e1bdd86e67331360efe4b1beef79ba
SHA1: 4d2d1165550f9bfb94174e5a7a2f3906dbec5cfb
SHA256: 18d6d25a2689dbbbdb7315b7bdf0b709bd866d39498dc1e9ea36e1c48277fa96
SHA512: 448a4e895d86b40c83907248d739f67abd1dd48d67058471440d168cd53043a27b4cbdab1ce4c06db225a5fa24cc0781f90ce695e4366624fb76c4bf442e0145