Analysis
- max time kernel: 88s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 21/10/2022, 06:56
Static task: static1
Behavioral task: behavioral1
Sample: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
Resource: win7-20220812-en
General
- Target: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
- Size: 804KB
- MD5: 5f061ef92a483c6a169dd6cc3afc7010
- SHA1: f3622209435408b0ebf4b44e8b4b24fd787c4a2f
- SHA256: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05
- SHA512: b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98
- SSDEEP: 12288:IxvDJrRVxLZ4iYEwR+hrF+tCclsLU3hdU/ukf4RlitsL4pJzPQhOwA2gna+5ZKH/:IHBZopSUxCukKL4vUjA9a+5Z7
Malware Config
Extracted
cybergate
v3.5.1.0
AGR2__
gasbriki.no-ip.org:999
OU6GR6RV42JUI5
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: instaII
- install_file: jnstaII.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: CG8888
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | winlogon.exe
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1700 | winlogon.exe
  560 | csrss.exe
- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe Restart" | vbc.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | explorer.exe
- resource | yara_rule
  behavioral1/memory/436-103-0x0000000010410000-0x0000000010481000-memory.dmp | upx
  behavioral1/memory/436-112-0x0000000010490000-0x0000000010501000-memory.dmp | upx
  behavioral1/memory/1928-117-0x0000000010490000-0x0000000010501000-memory.dmp | upx
  behavioral1/memory/1928-120-0x0000000010490000-0x0000000010501000-memory.dmp | upx
  behavioral1/memory/436-122-0x0000000010510000-0x0000000010581000-memory.dmp | upx
  behavioral1/memory/436-130-0x0000000010590000-0x0000000010601000-memory.dmp | upx
  behavioral1/memory/1100-135-0x0000000010590000-0x0000000010601000-memory.dmp | upx
  behavioral1/memory/1100-137-0x0000000010590000-0x0000000010601000-memory.dmp | upx
- Drops startup file (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | explorer.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | explorer.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | explorer.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  1700 | winlogon.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | vbc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | vbc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\instaII\jnstaII.exe | vbc.exe
  File opened for modification | C:\Windows\SysWOW64\instaII\jnstaII.exe | vbc.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1700 set thread context of 436 | 1700 | winlogon.exe | 33
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\winlogon.exe:ZONE.identifier | cmd.exe
  File created | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe:ZONE.identifier | cmd.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
  1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
  1700 | winlogon.exe
  1700 | winlogon.exe
  1700 | winlogon.exe
  1700 | winlogon.exe
  436 | vbc.exe
  560 | csrss.exe
  560 | csrss.exe
  560 | csrss.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
  Token: SeDebugPrivilege | 1700 | winlogon.exe
  Token: SeDebugPrivilege | 1700 | winlogon.exe
  Token: SeDebugPrivilege | 560 | csrss.exe
  Token: SeDebugPrivilege | 560 | csrss.exe
  Token: SeDebugPrivilege | 1100 | explorer.exe
  Token: SeDebugPrivilege | 1100 | explorer.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  436 | vbc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1648 wrote to memory of 848 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 28
  PID 1648 wrote to memory of 848 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 28
  PID 1648 wrote to memory of 848 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 28
  PID 1648 wrote to memory of 848 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 28
  PID 1648 wrote to memory of 1700 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 30
  PID 1648 wrote to memory of 1700 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 30
  PID 1648 wrote to memory of 1700 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 30
  PID 1648 wrote to memory of 1700 | 1648 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe | 30
  PID 1700 wrote to memory of 1404 | 1700 | winlogon.exe | 31
  PID 1700 wrote to memory of 1404 | 1700 | winlogon.exe | 31
  PID 1700 wrote to memory of 1404 | 1700 | winlogon.exe | 31
  PID 1700 wrote to memory of 1404 | 1700 | winlogon.exe | 31
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 436 | 1700 | winlogon.exe | 33
  PID 1700 wrote to memory of 560 | 1700 | winlogon.exe | 34
  PID 1700 wrote to memory of 560 | 1700 | winlogon.exe | 34
  PID 1700 wrote to memory of 560 | 1700 | winlogon.exe | 34
  PID 1700 wrote to memory of 560 | 1700 | winlogon.exe | 34
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
  PID 436 wrote to memory of 1372 | 436 | vbc.exe | 15
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1372
    C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1648
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe":ZONE.identifier & exit
          - NTFS ADS
          PID: 848
        C:\Users\Admin\AppData\Roaming\winlogon.exe
          command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1700
            C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\winlogon.exe":ZONE.identifier & exit
              - NTFS ADS
              PID: 1404
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              - Adds policy Run key to start application
              - Modifies Installed Components in the registry
              - Adds Run key to start application
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory
              PID: 436
                C:\Windows\SysWOW64\explorer.exe
                  command line: explorer.exe
                  - Modifies Installed Components in the registry
                  PID: 1928
                C:\Program Files\Internet Explorer\iexplore.exe
                  command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  PID: 1724
                C:\Windows\SysWOW64\explorer.exe
                  command line: explorer.exe
                  - Drops startup file
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1100
            C:\Users\Admin\AppData\Roaming\csrss.exe
              command line: "C:\Users\Admin\AppData\Roaming\csrss.exe" C:\Users\Admin\AppData\Roaming\winlogon.exe -keyhide x -prochide 436 -reg C:\Users\Admin\AppData\Roaming\winlogon.exe -proc 436 C:\Users\Admin\AppData\Roaming\winlogon.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 560
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 235KB
  MD5: 700c5832083c6017f83b226b4ce46b84
  SHA1: 0f64a7c2461b3728191e26a698612e3c134dbd5a
  SHA256: 4e324d714f1a9cc9aa6022cd081a873d862f28c58fe04bab7a49cd3973b8f890
  SHA512: 56ad3d708ba60c0da1abd81d2791c9592de90f7e9461d4825f42192f32104ffac9d8867ae62ffb4dd6049a857eef519516264da7b7cc76b61a8a0a67fb7b58cf
- C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
  Filesize: 804KB
  MD5: 5f061ef92a483c6a169dd6cc3afc7010
  SHA1: f3622209435408b0ebf4b44e8b4b24fd787c4a2f
  SHA256: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05
  SHA512: b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98
- Filesize: 7KB
  MD5: a924e94db92303770895aa393798e68e
  SHA1: 3c12d5efbd4380303eb737e055513cbe699a2d84
  SHA256: 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b
  SHA512: 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69
- Filesize: 7KB
  MD5: a924e94db92303770895aa393798e68e
  SHA1: 3c12d5efbd4380303eb737e055513cbe699a2d84
  SHA256: 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b
  SHA512: 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69
- Filesize: 804KB
  MD5: 5f061ef92a483c6a169dd6cc3afc7010
  SHA1: f3622209435408b0ebf4b44e8b4b24fd787c4a2f
  SHA256: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05
  SHA512: b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98
- Filesize: 804KB
  MD5: 5f061ef92a483c6a169dd6cc3afc7010
  SHA1: f3622209435408b0ebf4b44e8b4b24fd787c4a2f
  SHA256: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05
  SHA512: b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98
- Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
- Filesize: 7KB
  MD5: a924e94db92303770895aa393798e68e
  SHA1: 3c12d5efbd4380303eb737e055513cbe699a2d84
  SHA256: 8d60dc6cebc239b0f1868cbeee25aecf15ff86efc4f531844209f54b92fa570b
  SHA512: 6452437980ac0827f6f29de1aea1d8f9081778e4bf084352b8624cd0ac769ebacb7da1b79261574558121ded68f5e2f853b65d2a021a17a42008ce83dd07bd69