Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2022, 08:16
Static task
static1
Behavioral task
behavioral1
Sample
86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Resource
win7-20220812-en
General
-
Target
86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
-
Size
514KB
-
MD5
31b32a4b9868e2872e08cbc5edc6f1f0
-
SHA1
8b879e7d75a05b957a49740a302eec40d63630e3
-
SHA256
86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba
-
SHA512
f680e855961e791287472d78a6772e4725f1a2421182d0fd75ef546bff9b8082de446866515df7ca227da07e15fb5313070efea3a7d1a6173198b03905e01855
-
SSDEEP
12288:nh6Bo7lyUDyiFBpbH7Xxu8XhE9wOqWBKh7Ho0LVdM:kBo7bFvz7hhqwOqDHvfM
Malware Config
Extracted
cybergate
v3.4.2.2
Client
ph4nt0mzz.zapto.org:999
VKTWTS75QF741D
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
mstcfg
-
install_file
mstcfg.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
4744  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
2084  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
-
resource                                                                       yara_rule
behavioral2/memory/4744-145-0x0000000010410000-0x0000000010480000-memory.dmp   upx
behavioral2/memory/2084-148-0x0000000010410000-0x0000000010480000-memory.dmp   upx
behavioral2/memory/2084-149-0x0000000010410000-0x0000000010480000-memory.dmp   upx
behavioral2/memory/2084-152-0x0000000010410000-0x0000000010480000-memory.dmp   upx
-
Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
Process: 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"
Process: 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Note that the persistence path actually written (AppData\Roaming\InstallDir\help.exe, Run value "help") differs from the install_dir/install_file values in the extracted config (mstcfg\mstcfg.exe, install_flag false). When hunting, use the observed registry value and path, not the config fields.
-
Suspicious use of SetThreadContext 1 IoCs
description: PID 2404 set thread context of 4744
pid: 2404
Process: 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
procid_target: 84
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware" note to this heuristic; nothing else in this report (no mass file writes, no encryption artefacts) supports that here, and drive enumeration is equally consistent with a RAT such as CyberGate surveying the host for its remote file-manager feature.
-
Runs net.exe
Observed command: net stop MpsSvc (launched via cmd.exe /c), which stops the Windows Defender Firewall service; see the Processes tree below.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2404  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
2404  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description          pid   Process
Token: SeDebugPrivilege  2084  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
Token: SeDebugPrivilege  2084  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (64 write events, collapsed here to the distinct writer -> target pairs; the sandbox logs one row per write)
PID 2404 wrote to memory of 1104  |  2404  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe  |  procid_target 83 (cmd.exe)
PID 2404 wrote to memory of 4744  |  2404  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe  |  procid_target 84 (second copy of the sample)
PID 1104 wrote to memory of 2156  |  1104  cmd.exe  |  procid_target 86 (net.exe)
PID 2156 wrote to memory of 3796  |  2156  net.exe  |  procid_target 87 (net1.exe)
PID 4744 wrote to memory of 2084  |  4744  86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe  |  procid_target 88 (third copy of the sample)
Processes
- C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe (PID 2404)
  command line: "C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1104)
    command line: /c net stop MpsSvc
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2156)
      command line: net stop MpsSvc
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3796)
        command line: C:\Windows\system32\net1 stop MpsSvc
  - C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe (PID 4744)
    command line: C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe (PID 2084)
      command line: "C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
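The Signatures and Processes sections above give a small set of concrete, huntable behaviours: the Run value "help" pointing into AppData\Roaming\InstallDir, the net stop MpsSvc chain, the sample relaunching its own image twice (with SetThreadContext against the first child), and the configured C2 host. The following is an added example, not part of the sandbox report and not CyberGate's or the sandbox vendor's code, that turns those into hunt logic over Sysmon-style events. The event field names (event_id, pid, image, parent_image, command_line, target_object, details, query_name) are an assumption modelled on Sysmon event IDs 1, 13 and 22; the PIDs, paths, registry values and C2 host are taken from the report, while the DNS event, the parent of PID 2404 and the benign PID 900 events are constructed for illustration. It also generalises slightly: any Run value that points into a user-writable AppData directory is reported as a lower-confidence hit alongside the exact path this sample wrote.

```python
"""Hunt logic for the behaviours in this report, run over Sysmon-style events.

Added example, not part of the sandbox report. Field names (event_id, pid,
image, parent_image, command_line, target_object, details, query_name) are
an assumption modelled on Sysmon event IDs 1 (process create), 13 (registry
value set) and 22 (DNS query); adapt them to your own telemetry schema.
"""
import re
from typing import Dict, List

# Indicators taken from the report above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe")
C2_HOST = "ph4nt0mzz.zapto.org"
DROPPED_IMAGE_RE = re.compile(r"\\appdata\\roaming\\installdir\\help\.exe$", re.I)
# Generalisation: any Run value pointing into a user-writable profile directory
# is a lower-confidence hit; InstallDir\help.exe is the exact path observed.
USER_WRITABLE_RE = re.compile(r"\\appdata\\(roaming|local)\\", re.I)
RUN_KEY_RE = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
# net / net1 stopping MpsSvc (Windows Defender Firewall service), at any depth.
NET_STOP_FIREWALL_RE = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+mpssvc\b", re.I)


def match_event(ev: dict) -> List[str]:
    """Return the indicator names one event matches (empty list if none)."""
    hits: List[str] = []
    eid = ev.get("event_id")
    if eid == 1:
        if NET_STOP_FIREWALL_RE.search(ev.get("command_line", "")):
            hits.append("firewall_service_stop")
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        if image and image == parent:
            # The sample launches its own image twice (2404 -> 4744 -> 2084) and
            # sets the first child's thread context: a hollowing/relaunch chain.
            hits.append("self_relaunch")
    elif eid == 13:
        target = ev.get("target_object", "")
        data = ev.get("details", "")
        if RUN_KEY_RE.search(target):
            if DROPPED_IMAGE_RE.search(data):
                hits.append("run_key_cybergate_path")
            elif USER_WRITABLE_RE.search(data):
                hits.append("run_key_user_writable")
    elif eid == 22:
        if ev.get("query_name", "").lower().rstrip(".") == C2_HOST:
            hits.append("c2_dns_lookup")
    return hits


def hunt(events) -> Dict[str, List[int]]:
    """Map indicator name -> PIDs that triggered it (first-seen order, de-duplicated)."""
    findings: Dict[str, List[int]] = {}
    for ev in events:
        for name in match_event(ev):
            pids = findings.setdefault(name, [])
            if ev["pid"] not in pids:
                pids.append(ev["pid"])
    return findings


# Constructed events. PIDs, images, command lines and registry data follow the
# process tree and Signatures above; the parent of 2404 is not reported, the DNS
# event is illustrative (the report's Network tab is empty), and PID 900 is
# benign noise to show the rules do not fire on ordinary activity.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 2404, "image": SAMPLE, "parent_image": "",
     "command_line": f'"{SAMPLE}"'},
    {"event_id": 1, "pid": 1104, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "command_line": r"C:\Windows\SysWOW64\cmd.exe /c net stop MpsSvc"},
    {"event_id": 1, "pid": 2156, "image": r"C:\Windows\SysWOW64\net.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "command_line": "net stop MpsSvc"},
    {"event_id": 1, "pid": 3796, "image": r"C:\Windows\SysWOW64\net1.exe",
     "parent_image": r"C:\Windows\SysWOW64\net.exe",
     "command_line": r"C:\Windows\system32\net1 stop MpsSvc"},
    {"event_id": 1, "pid": 4744, "image": SAMPLE, "parent_image": SAMPLE,
     "command_line": SAMPLE},
    {"event_id": 1, "pid": 2084, "image": SAMPLE, "parent_image": SAMPLE,
     "command_line": f'"{SAMPLE}"'},
    {"event_id": 13, "pid": 2404,
     "target_object": r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000"
                      r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help",
     "details": r"C:\Users\Admin\AppData\Roaming\InstallDir\help.exe"},
    {"event_id": 13, "pid": 2404,
     "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help",
     "details": r"C:\Users\Admin\AppData\Roaming\InstallDir\help.exe"},
    {"event_id": 22, "pid": 2084, "query_name": "ph4nt0mzz.zapto.org"},
    {"event_id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"event_id": 13, "pid": 900,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for name, pids in hunt(SAMPLE_EVENTS).items():
        print(f"{name:24s} {pids}")
```

The self_relaunch rule is deliberately loose (same image as parent); on a real estate it will also catch legitimate self-updating software, so treat it as a correlation key to join with SetThreadContext or WriteProcessMemory telemetry rather than an alert on its own. The firewall-stop rule matches at every level of the cmd.exe -> net.exe -> net1.exe chain, which is useful because the net1.exe command line is the one most often logged without its parent context.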
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba.exe
  Filesize 514KB
  MD5 31b32a4b9868e2872e08cbc5edc6f1f0
  SHA1 8b879e7d75a05b957a49740a302eec40d63630e3
  SHA256 86661c3207cf787d710602a9067d464b271b3e858946c1eab311d0eae74d5aba
  SHA512 f680e855961e791287472d78a6772e4725f1a2421182d0fd75ef546bff9b8082de446866515df7ca227da07e15fb5313070efea3a7d1a6173198b03905e01855
-
  Filesize 385KB
  MD5 743c17705fb79d86efd6ded5a57e7dbb
  SHA1 ed2255f22083b33dad301a05bc3f36d756acc18d
  SHA256 0108efd7ecd7685fc99fa32b8abbb02bcd89815df6fb973187489cb67d2590f1
  SHA512 d9d92078ffb30559fbc3142bfee9b5944d2181441e651b2c0a7d17187d46fbe4998f86cab0874ffaeb8903fde94de9deb92d16111437f8d1ab7ce832951445af