Analysis
max time kernel: 115s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2022, 06:56
Static task: static1
Behavioral task: behavioral1
Sample: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
Resource: win7-20220812-en
General
Target: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
Size: 804KB
MD5: 5f061ef92a483c6a169dd6cc3afc7010
SHA1: f3622209435408b0ebf4b44e8b4b24fd787c4a2f
SHA256: ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05
SHA512: b0da72f38e5e27dd404e83672e1cd6c921b2551b6c086f6e909e490b388087f0600e2aa56a4c379cf97da0b0c2d7383e65e5f15d04561edd0fcf13ee17563a98
SSDEEP: 12288:IxvDJrRVxLZ4iYEwR+hrF+tCclsLU3hdU/ukf4RlitsL4pJzPQhOwA2gna+5ZKH/:IHBZopSUxCukKL4vUjA9a+5Z7
Malware Config
Extracted
cybergate
v3.5.1.0
AGR2__
gasbriki.no-ip.org:999
OU6GR6RV42JUI5
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: instaII
install_file: jnstaII.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: CG8888
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | winlogon.exe

Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe

Executes dropped EXE 3 IoCs
pid | Process
2080 | winlogon.exe
4864 | csrss.exe
2432 | jnstaII.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{X658E6DC-13L4-67A2-0B8I-XPNV47BC65SI}\StubPath = "C:\\Windows\\system32\\instaII\\jnstaII.exe Restart" | vbc.exe

resource | yara_rule
behavioral2/memory/628-156-0x0000000010410000-0x0000000010481000-memory.dmp | upx
behavioral2/memory/628-162-0x0000000010490000-0x0000000010501000-memory.dmp | upx
behavioral2/memory/4788-165-0x0000000010490000-0x0000000010501000-memory.dmp | upx
behavioral2/memory/4788-171-0x0000000010490000-0x0000000010501000-memory.dmp | upx
behavioral2/memory/628-174-0x0000000010510000-0x0000000010581000-memory.dmp | upx
behavioral2/memory/628-181-0x0000000010590000-0x0000000010601000-memory.dmp | upx
behavioral2/memory/4432-184-0x0000000010590000-0x0000000010601000-memory.dmp | upx

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | winlogon.exe

Drops startup file 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | explorer.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jnstaII.exe | explorer.exe

Uses the VBS compiler for execution 1 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\instaII\\jnstaII.exe" | vbc.exe

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\instaII\jnstaII.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\instaII\jnstaII.exe | vbc.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2080 set thread context of 628 | 2080 | winlogon.exe | 94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe

NTFS ADS 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe:ZONE.identifier | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\winlogon.exe:ZONE.identifier | cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
2004 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
2004 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
2080 | winlogon.exe
2080 | winlogon.exe
2080 | winlogon.exe
2080 | winlogon.exe
628 | vbc.exe
628 | vbc.exe

Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2004 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2004 | ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe
Token: SeDebugPrivilege | 2080 | winlogon.exe
Token: SeDebugPrivilege | 2080 | winlogon.exe
Token: SeDebugPrivilege | 4432 | explorer.exe
Token: SeDebugPrivilege | 4432 | explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
628 | vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Windows\Explorer.EXE (PID 532)
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe (PID 2004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2508)
      Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\ad5862ff1d619ed3bcfad7b0b45ed87970f743c311b2d9be92503e2ff8dd0c05.exe":ZONE.identifier & exit
      - NTFS ADS
    C:\Users\Admin\AppData\Roaming\winlogon.exe (PID 2080)
      Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 4608)
        Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\winlogon.exe":ZONE.identifier & exit
        - NTFS ADS
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 628)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        - Adds policy Run key to start application
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe (PID 4788)
          Command line: explorer.exe
          - Modifies Installed Components in the registry
          C:\Windows\SysWOW64\instaII\jnstaII.exe (PID 2432)
            Command line: "C:\Windows\system32\instaII\jnstaII.exe"
            - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1492)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        C:\Windows\SysWOW64\explorer.exe (PID 4432)
          Command line: explorer.exe
          - Drops startup file
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Roaming\csrss.exe (PID 4864)
        Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe" C:\Users\Admin\AppData\Roaming\winlogon.exe -keyhide x -prochide 628 -reg C:\Users\Admin\AppData\Roaming\winlogon.exe -proc 628 C:\Users\Admin\AppData\Roaming\winlogon.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads