Analysis
-
max time kernel
193s -
max time network
227s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
21/10/2022, 07:22
Static task
static1
Behavioral task
behavioral1
Sample
7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe
Resource
win7-20220812-en
General
-
Target
7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe
-
Size
309KB
-
MD5
54d5afbf4d5c8746aa7ac2fcf25fb388
-
SHA1
67d8be596ee29e1e5b361dd792418aa5c411b1d4
-
SHA256
7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a
-
SHA512
65e3e60f52680a939a04de4df72f09190ec4709eb73054338c66edefa43f4d169d6f2cef507eee3df5bfbcf6e9291033f6717dbb6eb1365719e6c649cca11ffd
-
SSDEEP
6144:gW5ib345WUO9b3heYDD+2tJCqgmBRzASgZnQzNjbZ0L00Zy:JEU6The72tJTHEbZ83eLy
Malware Config
Extracted
cybergate
2.6
lamer
192.168.1.68:4899
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
12345
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Idman.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" Idman.exe
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Idman.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" Idman.exe
-
Executes dropped EXE 3 IoCs
pid Process
5116 Idman.exe
4852 Idman.exe
1948 server.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24} Idman.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24}\StubPath = "C:\\Program Files (x86)\\install\\server.exe Restart" Idman.exe
-
resource yara_rule
behavioral2/files/0x000500000001daff-134.dat upx
behavioral2/memory/5116-135-0x0000000000400000-0x0000000000457000-memory.dmp upx
behavioral2/files/0x000500000001daff-136.dat upx
behavioral2/files/0x000500000001daff-139.dat upx
behavioral2/memory/4852-143-0x0000000024010000-0x0000000024072000-memory.dmp upx
behavioral2/memory/5116-140-0x0000000024010000-0x0000000024072000-memory.dmp upx
behavioral2/memory/5116-144-0x0000000000400000-0x0000000000457000-memory.dmp upx
behavioral2/files/0x0006000000022e08-146.dat upx
behavioral2/files/0x0006000000022e08-148.dat upx
behavioral2/memory/1948-149-0x0000000000400000-0x0000000000457000-memory.dmp upx
behavioral2/memory/4852-150-0x0000000000400000-0x0000000000457000-memory.dmp upx
behavioral2/memory/4852-151-0x0000000024010000-0x0000000024072000-memory.dmp upx
behavioral2/memory/4852-152-0x0000000024010000-0x0000000024072000-memory.dmp upx
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation Idman.exe
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\install\server.exe Idman.exe
File opened for modification C:\Program Files (x86)\install\server.exe Idman.exe
File opened for modification C:\Program Files (x86)\install\ Idman.exe
File created C:\Program Files (x86)\install\server.exe Idman.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target
4276 1948 WerFault.exe 84
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
5116 Idman.exe
5116 Idman.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
4852 Idman.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 4852 Idman.exe
Token: SeDebugPrivilege 4852 Idman.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe (depth 1, PID:5096)
command line: "C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Idman.exe (depth 2, PID:5116)
  command line: "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Idman.exe (depth 3, PID:4852)
    command line: "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
      C:\Program Files (x86)\install\server.exe (depth 4, PID:1948)
      command line: "C:\Program Files (x86)\install\server.exe"
      - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe (depth 5, PID:4276)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 568
        - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID:5068)
command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1948 -ip 1948
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
276KB
MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87
Filesize
276KB
MD5272f511f152edb6bc58d6d01366c426e
SHA1cd42a68f76452a98ce81a59eb423775d31862e09
SHA2568ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA5125cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87
-
Filesize
229KB
MD5 c5e1bdd86e67331360efe4b1beef79ba
SHA1 4d2d1165550f9bfb94174e5a7a2f3906dbec5cfb
SHA256 18d6d25a2689dbbbdb7315b7bdf0b709bd866d39498dc1e9ea36e1c48277fa96
SHA512 448a4e895d86b40c83907248d739f67abd1dd48d67058471440d168cd53043a27b4cbdab1ce4c06db225a5fa24cc0781f90ce695e4366624fb76c4bf442e0145