Analysis

  • max time kernel
    193s
  • max time network
    227s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2022, 07:22

General

  • Target

    7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe

  • Size

    309KB

  • MD5

    54d5afbf4d5c8746aa7ac2fcf25fb388

  • SHA1

    67d8be596ee29e1e5b361dd792418aa5c411b1d4

  • SHA256

    7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a

  • SHA512

    65e3e60f52680a939a04de4df72f09190ec4709eb73054338c66edefa43f4d169d6f2cef507eee3df5bfbcf6e9291033f6717dbb6eb1365719e6c649cca11ffd

  • SSDEEP

    6144:gW5ib345WUO9b3heYDD+2tJCqgmBRzASgZnQzNjbZ0L00Zy:JEU6The72tJTHEbZ83eLy

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

lamer

C2

192.168.1.68:4899

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    12345

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe
    "C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\Idman.exe
      "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Users\Admin\AppData\Local\Temp\Idman.exe
        "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in Program Files directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4852
        • C:\Program Files (x86)\install\server.exe
          "C:\Program Files (x86)\install\server.exe"
          4⤵
          • Executes dropped EXE
          PID:1948
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 568
            5⤵
            • Program crash
            PID:4276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1948 -ip 1948
    1⤵
      PID:5068

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\install\server.exe

            Filesize

            276KB

            MD5

            272f511f152edb6bc58d6d01366c426e

            SHA1

            cd42a68f76452a98ce81a59eb423775d31862e09

            SHA256

            8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566

            SHA512

            5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

          • C:\Program Files (x86)\install\server.exe

            Filesize

            276KB

            MD5

            272f511f152edb6bc58d6d01366c426e

            SHA1

            cd42a68f76452a98ce81a59eb423775d31862e09

            SHA256

            8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566

            SHA512

            5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

          • C:\Users\Admin\AppData\Local\Temp\Idman.exe

            Filesize

            276KB

            MD5

            272f511f152edb6bc58d6d01366c426e

            SHA1

            cd42a68f76452a98ce81a59eb423775d31862e09

            SHA256

            8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566

            SHA512

            5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

          • C:\Users\Admin\AppData\Local\Temp\Idman.exe

            Filesize

            276KB

            MD5

            272f511f152edb6bc58d6d01366c426e

            SHA1

            cd42a68f76452a98ce81a59eb423775d31862e09

            SHA256

            8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566

            SHA512

            5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

          • C:\Users\Admin\AppData\Local\Temp\Idman.exe

            Filesize

            276KB

            MD5

            272f511f152edb6bc58d6d01366c426e

            SHA1

            cd42a68f76452a98ce81a59eb423775d31862e09

            SHA256

            8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566

            SHA512

            5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

          • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

            Filesize

            229KB

            MD5

            c5e1bdd86e67331360efe4b1beef79ba

            SHA1

            4d2d1165550f9bfb94174e5a7a2f3906dbec5cfb

            SHA256

            18d6d25a2689dbbbdb7315b7bdf0b709bd866d39498dc1e9ea36e1c48277fa96

            SHA512

            448a4e895d86b40c83907248d739f67abd1dd48d67058471440d168cd53043a27b4cbdab1ce4c06db225a5fa24cc0781f90ce695e4366624fb76c4bf442e0145

          • memory/1948-149-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

          • memory/4852-143-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

          • memory/4852-150-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

          • memory/4852-151-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

          • memory/4852-152-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

          • memory/5096-132-0x00007FF903E50000-0x00007FF904886000-memory.dmp

            Filesize

            10.2MB

          • memory/5116-140-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

          • memory/5116-144-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

          • memory/5116-135-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB