Analysis
-
max time kernel
165s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
21/10/2022, 07:10
Static task
static1
Behavioral task
behavioral1
Sample
9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe
Resource
win10v2004-20220812-en
General
-
Target
9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe
-
Size
460KB
-
MD5
531590abb6298342e1ea7f7cf582f560
-
SHA1
3211be2f4e1103860dd85d5eaf8f1886be1214f2
-
SHA256
9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
-
SHA512
57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151
-
SSDEEP
6144:dBJ46bsarHBnVSdGhFkan0TTmLc+wjQPSDV+rvI28bx81VRO9rqQ9pUfhM7raMoj:d9bJx8TmLFu22x8jRO0Q9bun6fY
Malware Config
Extracted
cybergate
v1.02.1
domdom2121
176.240.164.204:2121
95.6.97.198:2121
Pluguin
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
Microsoft
-
install_file
Pluguin.exe
-
install_flag
false (the stub's own installer is disabled; in the run below persistence is done instead by the dropper's batch file, which registers FolderName\server.exe rather than the configured Microsoft\Pluguin.exe)
-
keylogger_enable_ftp
false
-
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO. (Portuguese: "YOU HAVE BEEN HACKED ... YOUR SYSTEM WILL BE FORMATTED.")
-
message_box_title
LAMMER
-
password
21212121
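The extracted config is only useful once it is turned into things a network or host team can act on. The following is an added example, not code from the sandbox report or from CyberGate: CONFIG is a hand-copied dict of the values shown above (its keys are the report's own labels, not a documented CyberGate schema), the Suricata rule text is an assumption about how one might deploy the C2 pairs, and the AppData path is the sandbox VM's, used only to show how install_dir and install_file would be joined. The install_flag handling is the practical point: with the flag false, hunting for Microsoft\Pluguin.exe finds nothing, and the host-side indicator has to come from the observed run instead.

```python
"""Derive hunt-ready IoCs from the CyberGate config extracted above.

Added example, not code from the sandbox report or from CyberGate.
CONFIG is a hand-copied dict of the values shown in the report; its keys
are the report's own labels, not a documented CyberGate schema.  The
Suricata rule text is an assumption about how to deploy the C2 pairs.
"""
import ipaddress
import ntpath

CONFIG = {                       # constructed from the report's Malware Config
    "version": "v1.02.1",
    "campaign_id": "domdom2121",
    "c2": ["176.240.164.204:2121", "95.6.97.198:2121"],
    "install_flag": False,       # stub's own installer disabled
    "install_dir": "Microsoft",
    "install_file": "Pluguin.exe",
    "enable_keylogger": True,
    "keylogger_enable_ftp": False,
}


def parse_c2(entries):
    """Split 'host:port' strings; reject garbage and flag non-routable hosts."""
    endpoints = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {entry!r}")
        ip = ipaddress.ip_address(host)           # raises on a non-IP host
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        # RFC1918/loopback C2s usually mean a lab build or a config-parser bug
        endpoints.append({"ip": str(ip), "port": port, "routable": ip.is_global})
    return endpoints


def suricata_rules(endpoints, campaign, sid_base=9000001):
    """One alert per C2 endpoint (assumed deployment format; $HOME_NET is Suricata's own variable)."""
    return [
        f'alert tcp $HOME_NET any -> {ep["ip"]} {ep["port"]} '
        f'(msg:"CyberGate RAT C2 {ep["ip"]}:{ep["port"]} ({campaign})"; '
        f'flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        for i, ep in enumerate(endpoints)
    ]


def expected_install_path(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Path the stub's own installer would use, or None when install_flag is off.

    With install_flag false, as here, hunting only for Microsoft\\Pluguin.exe
    misses the host: the report shows the dropper's batch file registering
    FolderName\\server.exe instead, so the host-side IoC must come from the
    run, not from the config.  appdata is the sandbox VM's profile (assumed).
    """
    if not cfg["install_flag"]:
        return None
    return ntpath.join(appdata, cfg["install_dir"], cfg["install_file"])


if __name__ == "__main__":
    eps = parse_c2(CONFIG["c2"])
    for rule in suricata_rules(eps, CONFIG["campaign_id"]):
        print(rule)
    print("install path:", expected_install_path(CONFIG))
```

Both C2 addresses are public, so the rules are worth deploying as written; a private or loopback address in a config usually indicates a builder test or a parser error and is flagged rather than silently turned into a rule.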
Signatures
-
Executes dropped EXE 5 IoCs
pid   Process
644   server.exe
4972  server.exe
1944  server.exe
4276  server.exe
2220  server.exe
resource                                                                     yara_rule
behavioral2/memory/4972-147-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/4972-150-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/4972-152-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/4972-153-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/4972-155-0x0000000024010000-0x0000000024070000-memory.dmp  upx
behavioral2/memory/4972-160-0x0000000024070000-0x00000000240D0000-memory.dmp  upx
behavioral2/memory/3892-163-0x0000000024070000-0x00000000240D0000-memory.dmp  upx
behavioral2/memory/3892-165-0x0000000024070000-0x00000000240D0000-memory.dmp  upx
behavioral2/memory/4972-169-0x00000000240D0000-0x0000000024130000-memory.dmp  upx
behavioral2/memory/1944-172-0x00000000240D0000-0x0000000024130000-memory.dmp  upx
behavioral2/memory/4972-173-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/1944-175-0x00000000240D0000-0x0000000024130000-memory.dmp  upx
behavioral2/memory/2220-186-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/2220-188-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/2220-189-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral2/memory/1944-190-0x00000000240D0000-0x0000000024130000-memory.dmp  upx
behavioral2/memory/2220-191-0x0000000000400000-0x0000000000455000-memory.dmp  upx
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                               Process
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  server.exe
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                                                          Process
Key created      \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                   reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\server.exe"  reg.exe
Suspicious use of SetThreadContext 2 IoCs
description                           pid   Process     procid_target
PID 644 set thread context of 4972    644   server.exe  90
PID 4276 set thread context of 2220   4276  server.exe  97
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for a CyberGate RAT sample, drive enumeration is more consistent with the RAT's remote file-management features, and nothing else in this report points to file encryption.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
4972  server.exe
4972  server.exe
2220  server.exe
2220  server.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1944  server.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  1944  server.exe
Token: SeDebugPrivilege  1944  server.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
4972  server.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
4916  9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe
644   server.exe
4276  server.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                                                 procid_target  occurrences
PID 4916 wrote to memory of 3276   4916  9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe  80             ×3
PID 3276 wrote to memory of 2004   3276  cmd.exe                                                                 83             ×3
PID 4916 wrote to memory of 644    4916  9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe  84             ×3
PID 644 wrote to memory of 4972    644   server.exe                                                              90             ×8
PID 4972 wrote to memory of 3044   4972  server.exe                                                              49             ×47 (the remainder of the 64 listed)
Processes
-
C:\Windows\Explorer.EXE  PID:3044
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe  PID:4916
    command line: "C:\Users\Admin\AppData\Local\Temp\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe"
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  PID:3276
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240599187.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  PID:2004
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "server" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\server.exe" /f
        - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\FolderName\server.exe  PID:644
      command line: "C:\Users\Admin\AppData\Roaming\FolderName\server.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\FolderName\server.exe  PID:4972
        command line: "C:\Users\Admin\AppData\Roaming\FolderName\server.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe  PID:3892
          command line: explorer.exe
        C:\Users\Admin\AppData\Roaming\FolderName\server.exe  PID:1944
          command line: "C:\Users\Admin\AppData\Roaming\FolderName\server.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Roaming\FolderName\server.exe  PID:4276
            command line: "C:\Users\Admin\AppData\Roaming\FolderName\server.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Roaming\FolderName\server.exe  PID:2220
              command line: "C:\Users\Admin\AppData\Roaming\FolderName\server.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
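The process tree and the IoC tables above chain three behaviours that endpoint telemetry can key on: a Run value pointing into a user-writable path, written by reg.exe that cmd.exe launched from a .bat in Temp; server.exe re-launching its own image (the process that then becomes the SetThreadContext target); and server.exe obtaining write access to Explorer.EXE. The following detection logic is an added example, not part of the sandbox report. EVENTS is constructed telemetry written with Sysmon's field names and event IDs (1 process create, 10 process access, 13 registry value set), with values taken from the report plus two benign control events; the GrantedAccess bits are the documented PROCESS_VM_OPERATION and PROCESS_VM_WRITE rights.

```python
"""Detection logic for the behaviours chained in the process tree above.

Added example, not part of the sandbox report.  EVENTS is constructed
telemetry using Sysmon's field names and event IDs; values come from the
report's process tree and IoC tables, plus two benign control events.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300.exe")
SERVER = r"C:\Users\Admin\AppData\Roaming\FolderName\server.exe"
RUN = (r"HKU\S-1-5-21-2891029575-1462575-1165213807-1000"
       r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020   # documented PROCESS_* rights

USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

EVENTS = [  # constructed Sysmon-style events
    {"EventID": 1, "ProcessId": 3276, "ParentProcessId": 4916, "ParentImage": SAMPLE,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240599187.bat" "'},
    {"EventID": 1, "ProcessId": 2004, "ParentProcessId": 3276, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "server" /t REG_SZ /d "'
                    + SERVER + '" /f'},
    {"EventID": 13, "ProcessId": 2004, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": RUN + r"\server", "Details": SERVER},
    {"EventID": 1, "ProcessId": 4972, "ParentProcessId": 644, "ParentImage": SERVER,
     "Image": SERVER, "CommandLine": f'"{SERVER}"'},
    {"EventID": 10, "SourceProcessId": 4972, "SourceImage": SERVER,
     "TargetProcessId": 3044, "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1FFFFF"},
    # benign controls: a vendor installer's Run value, and a read-only handle to Explorer
    {"EventID": 13, "ProcessId": 500, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": RUN + r"\Vendor", "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 3044, "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1000"},
]


def run_key_in_user_writable_path(ev, _):
    """Run/RunOnce value whose target lives where an unprivileged user can write."""
    return (ev["EventID"] == 13 and bool(RUN_KEY.search(ev["TargetObject"]))
            and bool(USER_WRITABLE.search(ev["Details"])))


def reg_add_from_temp_batch(ev, by_pid):
    """reg.exe adding a Run value, parented by cmd.exe that ran a .bat out of Temp."""
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\reg.exe"):
        return False
    parent = by_pid.get(ev["ParentProcessId"])
    return bool(parent and parent["Image"].lower().endswith("\\cmd.exe")
                and re.search(r'\\Temp\\[^"]+\.bat', parent["CommandLine"], re.I)
                and re.search(r"\bREG\s+ADD\b.*\\Run\b", ev["CommandLine"], re.I))


def self_spawn_from_user_path(ev, _):
    """A process re-launching its own image from a user path: the usual set-up
    for hollowing the (suspended) child with SetThreadContext."""
    return (ev["EventID"] == 1 and ev["Image"].lower() == ev["ParentImage"].lower()
            and bool(USER_WRITABLE.search(ev["Image"])))


def vm_write_into_explorer(ev, _):
    """Non-Windows binary opening Explorer with VM_OPERATION|VM_WRITE (injection prerequisite)."""
    if ev["EventID"] != 10:
        return False
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return (ev["TargetImage"].lower().endswith("\\explorer.exe")
            and int(ev["GrantedAccess"], 16) & need == need
            and not ev["SourceImage"].lower().startswith("c:\\windows\\"))


RULES = [run_key_in_user_writable_path, reg_add_from_temp_batch,
         self_spawn_from_user_path, vm_write_into_explorer]


def run_detections(events):
    """Return (rule name, acting pid) for every event a rule fires on."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    hits = []
    for ev in events:
        pid = ev.get("ProcessId", ev.get("SourceProcessId"))
        hits.extend((rule.__name__, pid) for rule in RULES if rule(ev, by_pid))
    return hits


if __name__ == "__main__":
    for name, pid in run_detections(EVENTS):
        print(f"{name}: pid {pid}")
```

Each rule is deliberately narrow so that the two benign controls stay silent: a vendor updater registered under Program Files does not trip the Run-key rule, and a read-only handle to Explorer does not trip the injection rule. In a real deployment the four would be correlated by process lineage rather than fired independently.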
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 143B
MD5 30427ea9b824990e669b8a383ad42b73
SHA1 9550aa03263d08a15cb8789c80043686712ac68b
SHA256 c7addd0e470d90071c05c5e80ed6ca7bf8a968636b3b732bb735d90ceffdd2f4
SHA512 475eb9b535fcc5eb26c1483a4ed0784af509bb195feaf9ceffab3ba6e7ba853590ebd25bd419c7e9846aeba9135f11d3996fef2b2db3e50a5a4f72070acd0d52
-
Filesize 221KB
MD5 78ec5e9296040c4cecc14210cb2bcd13
SHA1 8183bcfab475fb5f35f9be4e8d7335ed57da7f6e
SHA256 8daf3aefd73885fe84d746a7f672e3032bf8f6fb01e5951d9c7c16e2251feddf
SHA512 3fd22d2745b7583c42b9abbae5e86d037b9161ff5410b7e78a655dfede7dc8ab9a617085ee4ddb06253fec77a41bd6d1e19cea6c29c3b3f05e7c1a13e5ec212e
-
Filesize 460KB (this entry appears six times in the original listing; its hashes are identical to the submitted sample's)
MD5 531590abb6298342e1ea7f7cf582f560
SHA1 3211be2f4e1103860dd85d5eaf8f1886be1214f2
SHA256 9271a2bd2b18dee74fef414b94d2a5cb7d45f33e68cf662887674e01c21cb300
SHA512 57220af5ef24d78ed68b19744267c69fc9107eb8ad4baf4ddc47704236a0a8d5bcb2927fea4e887d976f825dc08ca86a71c3b23aadd37f0403538d28fe130151
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\699c4b9cdebca7aaea5193cae8a50098_9be0bf4d-f8db-4af4-be85-dc38433c9501
Filesize 50B
MD5 5b63d4dd8c04c88c0e30e494ec6a609a
SHA1 884d5a8bdc25fe794dc22ef9518009dcf0069d09
SHA256 4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd
SHA512 15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb