Analysis
-
max time kernel
150s -
max time network
64s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
30/10/2022, 19:38
Static task
static1
Behavioral task
behavioral1
Sample
e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe
Resource
win7-20220901-en
General
-
Target
e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe
-
Size
820KB
-
MD5
921b80455a7247fcc772910295259645
-
SHA1
98bccebeb53d685358bde1a44b92b6b37c4588e8
-
SHA256
e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
-
SHA512
2a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
SSDEEP
12288:gWJYin9OT8BfJLuIQCzvJ0OXNSBVNIjsOQkcqPeOVLBTO:gWX9OT8BfJSIQCDJ0OXNSBVDkRV1O
Malware Config
Extracted
cybergate
v1.04.8
jelmla
twiti2390.no-ip.biz:81
XWD25X024878C4
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Executes dropped EXE 2 IoCs
pid Process 1568 server.exe 1036 server.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01}\StubPath = "C:\\Windows\\install\\server.exe" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01} e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01}\StubPath = "C:\\Windows\\install\\server.exe Restart" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01} explorer.exe -
resource yara_rule behavioral1/memory/1100-247-0x0000000010480000-0x00000000104E1000-memory.dmp upx behavioral1/memory/1160-419-0x0000000010560000-0x00000000105C1000-memory.dmp upx behavioral1/memory/1160-602-0x0000000010560000-0x00000000105C1000-memory.dmp upx -
Loads dropped DLL 2 IoCs
pid Process 1160 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 1160 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1000 set thread context of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1568 set thread context of 1036 1568 server.exe 32 -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\install\server.exe e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\server.exe e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\server.exe e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\ e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\server.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1160 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1160 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Token: SeDebugPrivilege 1160 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 1568 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 1000 wrote to memory of 2024 1000 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 27 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9 PID 2024 wrote to memory of 1396 2024 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 9
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
PID:1100
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"4⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1160 -
C:\Windows\install\server.exe"C:\Windows\install\server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1568 -
C:\Windows\install\server.exe6⤵
- Executes dropped EXE
PID:1036
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222KB
MD540d8382bd78c9cd7cb573636a4d22640
SHA1db668f7b51cde352fd74657da948fc7ff0c589ed
SHA2560b80068ad0193567a4698322ee9a4d1f3d55a0b958c0a9f8653f7de8f7f5a293
SHA51225fb6700796a2cad02e39251d30cd3bdb37f794d273203fa457d1a777438c1b5b8ba54a1e601c229e9f29358a452ffe804eec49c8db9855885ea8fe61410bb2d
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e