Analysis

- max time kernel: 158s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/10/2022, 06:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe
- Resource: win7-20220812-en
General

- Target: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe
- Size: 337KB
- MD5: 55ef9dab56221dc72b4d6406f756e2ab
- SHA1: 7a535f948980df42bca05ee2d6ada088aa151dd2
- SHA256: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68
- SHA512: 75a95e3bda4fa067f42d4e96225958c2a08e3f76633b1df026127c1b88abec4b992a07aecdd14c0017b6f77eb5b06199fec1d3eacd695ed3f7e9694555402521
- SSDEEP: 6144:Ad0llEnjIE+Bv7fwi8ifkQjZE9xqd8fj13iem+pksz:k0QnjIBLwFX9xA8xnk
Malware Config

Extracted
- Family: cybergate
- Version: v1.07.5
- Botnet: light
- C2: l1ght.no-ip.org:82
- Mutex: 76XBSQG80O08T3

Attributes
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: .//public_html/vacation/
- ftp_interval: 20
- ftp_password: pedro1
- ftp_port: 21
- ftp_server: marc.comuf.com
- ftp_username: a7505506
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: true
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: light
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: AppLaunch.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (process: AppLaunch.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: AppLaunch.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (process: AppLaunch.exe)

Executes dropped EXE (3 IoCs)
- PID 2452: audiadg.exe
- PID 3480: server.exe
- PID 1640: bcdprov.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{VX24I44T-IXGA-2P5A-2L1U-01M8855044L2} (process: AppLaunch.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{VX24I44T-IXGA-2P5A-2L1U-01M8855044L2}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" (process: AppLaunch.exe)

UPX packed file (yara rule: upx, 4 IoCs)
- behavioral2/memory/4764-140-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/788-143-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/788-145-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/788-157-0x0000000010410000-0x0000000010475000-memory.dmp

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: audiadg.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiadg.exe" (process: audiadg.exe)

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\install\server.exe (process: AppLaunch.exe)
- File opened for modification: C:\Windows\SysWOW64\install\server.exe (process: AppLaunch.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 3292 set thread context of 4764 (process: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe, procid_target: 83)
- PID 1640 set thread context of 4800 (process: bcdprov.exe, procid_target: 94)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries name only two processes: PID 3292 cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe (35 entries) and PID 2452 audiadg.exe (29 entries).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 788: AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeDebugPrivilege, PID 3292, cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe
- Token: SeBackupPrivilege, PID 788, AppLaunch.exe
- Token: SeRestorePrivilege, PID 788, AppLaunch.exe
- Token: SeDebugPrivilege, PID 788, AppLaunch.exe
- Token: SeDebugPrivilege, PID 788, AppLaunch.exe
- Token: SeDebugPrivilege, PID 2452, audiadg.exe
- Token: SeDebugPrivilege, PID 1640, bcdprov.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 3292 wrote to memory of 4764 (process: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe, procid_target: 83), repeated in 13 entries
- PID 4764 wrote to memory of 788 (process: AppLaunch.exe, procid_target: 84), repeated in 51 entries
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe (PID 3292)
  command line: "C:\Users\Admin\AppData\Local\Temp\cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 4764)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    signatures: Adds policy Run key to start application; Modifies Installed Components in the registry; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 788)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\install\server.exe (PID 3480)
        command line: "C:\Windows\system32\install\server.exe"
        signatures: Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe (PID 2452)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"
    signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\bcdprov.exe (PID 1640)
      command line: "C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 4800)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        signatures: none
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 224KB
  MD5: 24d14743f72fe40babbb20a22afe12e7
  SHA1: 7c22498a522dc954d746882fc214b703ed6e7d6f
  SHA256: 383b9f1ec304eaf54d8cc9fb7a211641ce4f7d325aad55d72b6b48385f1fcc93
  SHA512: 4921d74d93454b5046016fb51c0847afc1cf98ef20cd9b491e41422a35540a0209b3ff455d1fb144b7f8defb9011fb6fef6ebbfb8152b781250ce784fefff975

- Filesize: 337KB
  MD5: 55ef9dab56221dc72b4d6406f756e2ab
  SHA1: 7a535f948980df42bca05ee2d6ada088aa151dd2
  SHA256: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68
  SHA512: 75a95e3bda4fa067f42d4e96225958c2a08e3f76633b1df026127c1b88abec4b992a07aecdd14c0017b6f77eb5b06199fec1d3eacd695ed3f7e9694555402521

- Filesize: 337KB
  MD5: 55ef9dab56221dc72b4d6406f756e2ab
  SHA1: 7a535f948980df42bca05ee2d6ada088aa151dd2
  SHA256: cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68
  SHA512: 75a95e3bda4fa067f42d4e96225958c2a08e3f76633b1df026127c1b88abec4b992a07aecdd14c0017b6f77eb5b06199fec1d3eacd695ed3f7e9694555402521

- Filesize: 10KB
  MD5: ea196209244297c543ec542109c9a9b9
  SHA1: 48a843f194b89c8ccd547ea4ab7e1a24898c6cd9
  SHA256: 644e2a74e866baaffe2cf3ac6107547769ff77614b5ffeacb64245b114d9870b
  SHA512: 6e38603ce3718f85c29417aa232a22323a121155bd69599b2587e7b68214ecbd4138f2ab748083e44534abc4ae8a0fdc5cfa451332a36fca9fbf8acdc6fef2d2

- Filesize: 10KB
  MD5: ea196209244297c543ec542109c9a9b9
  SHA1: 48a843f194b89c8ccd547ea4ab7e1a24898c6cd9
  SHA256: 644e2a74e866baaffe2cf3ac6107547769ff77614b5ffeacb64245b114d9870b
  SHA512: 6e38603ce3718f85c29417aa232a22323a121155bd69599b2587e7b68214ecbd4138f2ab748083e44534abc4ae8a0fdc5cfa451332a36fca9fbf8acdc6fef2d2

- Filesize: 57KB
  MD5: 454501a66ad6e85175a6757573d79f8b
  SHA1: 8ca96c61f26a640a5b1b1152d055260b9d43e308
  SHA256: 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
  SHA512: 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

- Filesize: 57KB
  MD5: 454501a66ad6e85175a6757573d79f8b
  SHA1: 8ca96c61f26a640a5b1b1152d055260b9d43e308
  SHA256: 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8
  SHA512: 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7