Analysis
-
max time kernel
188s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30/10/2022, 19:38
Static task
static1
Behavioral task
behavioral1
Sample
e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe
Resource
win7-20220901-en
General
-
Target
e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe
-
Size
820KB
-
MD5
921b80455a7247fcc772910295259645
-
SHA1
98bccebeb53d685358bde1a44b92b6b37c4588e8
-
SHA256
e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
-
SHA512
2a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
SSDEEP
12288:gWJYin9OT8BfJLuIQCzvJ0OXNSBVNIjsOQkcqPeOVLBTO:gWX9OT8BfJSIQCDJ0OXNSBVDkRV1O
Malware Config
Extracted
cybergate
v1.04.8
jelmla
twiti2390.no-ip.biz:81
XWD25X024878C4
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Executes dropped EXE 2 IoCs
pid Process 4980 server.exe 812 server.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01}\StubPath = "C:\\Windows\\install\\server.exe" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01} e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F1WIW4J-3656-88U8-C783-13G26L0F0K01}\StubPath = "C:\\Windows\\install\\server.exe Restart" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
resource yara_rule behavioral2/memory/3424-308-0x0000000010480000-0x00000000104E1000-memory.dmp upx behavioral2/memory/3052-476-0x0000000010560000-0x00000000105C1000-memory.dmp upx behavioral2/memory/3052-643-0x0000000010560000-0x00000000105C1000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1532 set thread context of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 4980 set thread context of 812 4980 server.exe 90 -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\install\server.exe e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\server.exe e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\server.exe e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\ e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe File opened for modification C:\Windows\install\server.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid pid_target Process procid_target 3328 812 WerFault.exe 90 1228 812 WerFault.exe 90 -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3052 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3052 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe Token: SeDebugPrivilege 3052 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 4980 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1532 wrote to memory of 1136 1532 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 78 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43 PID 1136 wrote to memory of 3076 1136 e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe 43
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
PID:3424
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:3212
-
-
C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"C:\Users\Admin\AppData\Local\Temp\e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917.exe"4⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3052 -
C:\Windows\install\server.exe"C:\Windows\install\server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4980 -
C:\Windows\install\server.exe6⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 5447⤵
- Program crash
PID:3328
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 5447⤵
- Program crash
PID:1228
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 812 -ip 8121⤵PID:4576
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222KB
MD540d8382bd78c9cd7cb573636a4d22640
SHA1db668f7b51cde352fd74657da948fc7ff0c589ed
SHA2560b80068ad0193567a4698322ee9a4d1f3d55a0b958c0a9f8653f7de8f7f5a293
SHA51225fb6700796a2cad02e39251d30cd3bdb37f794d273203fa457d1a777438c1b5b8ba54a1e601c229e9f29358a452ffe804eec49c8db9855885ea8fe61410bb2d
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e
-
Filesize
820KB
MD5921b80455a7247fcc772910295259645
SHA198bccebeb53d685358bde1a44b92b6b37c4588e8
SHA256e90923e136faca4ac61fa0aedb956488e6522a96267f2d272188c44b30a6a917
SHA5122a11b72037f67454daceee57d7ce07f75470204a0976bb0bc69a7a35706e0a978dc6721caba0c7dca004b60070bcca38eca897a6af9c82924476f305dfee155e