Analysis

max time kernel: 150s
max time network: 109s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 08:06
Static task: static1

Behavioral task: behavioral1
Sample: 92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe
Resource: win10v2004-20220812-en
General

Target: 92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe
Size: 776KB
MD5: 303775ab33384470f8ab553d87af8340
SHA1: e026b61e243844d3329b552e4f46ab366b2291e7
SHA256: 92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2
SHA512: d601967bb12f1a08ec98725c2e64531f7f97b4cf41a99a1d1ef13ca849ca46b23c6c12066326ce69c44d52df0b6bd5be36d1ae01bdd108bb81d481c78c65b891
SSDEEP: 12288:7AAMW0OfelD3DPDJnm5h9s99VOKGIBr+lLzQbVi6b15u5D2zvC69JXvBGv4:7zAmD9+qqBr+lLzQjx5uE4v4
Malware Config

Extracted
Family: cybergate
Version: v1.02.1
Lammer
jhonjhonzika.no-ip.org:7070
Pluguin

enable_keylogger: true
enable_message_box: false
ftp_directory: ./
ftp_interval: 30
injected_process: explorer.exe
install_dir: Microsoft
install_file: AntiVirús Total.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title: LAMMER
password: 123
regkey_hkcu: Windows
regkey_hklm: Avast
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Software.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft\\AntiVirús Total.exe" | Software.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Software.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Microsoft\\AntiVirús Total.exe" | Software.exe

Executes dropped EXE (5 IoCs)
pid | Process
- 1124 | Software.exe
- 844 | Software.exe
- 1464 | Software.exe
- 944 | AntiVirús Total.exe
- 1656 | AntiVirús Total.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{RH48B6E5YF-4UKU-71CF-AVF5-02901P6HJ002} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{RH48B6E5YF-4UKU-71CF-AVF5-02901P6HJ002}\StubPath = "C:\\Windows\\system32\\Microsoft\\AntiVirús Total.exe" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{RH48B6E5YF-4UKU-71CF-AVF5-02901P6HJ002} | Software.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{RH48B6E5YF-4UKU-71CF-AVF5-02901P6HJ002}\StubPath = "C:\\Windows\\system32\\Microsoft\\AntiVirús Total.exe Restart" | Software.exe

UPX packed memory regions
resource | yara_rule
- behavioral1/memory/844-84-0x0000000024010000-0x0000000024070000-memory.dmp | upx
- behavioral1/memory/844-93-0x0000000024070000-0x00000000240D0000-memory.dmp | upx
- behavioral1/memory/1608-98-0x0000000024070000-0x00000000240D0000-memory.dmp | upx
- behavioral1/memory/1608-101-0x0000000024070000-0x00000000240D0000-memory.dmp | upx
- behavioral1/memory/844-103-0x00000000240D0000-0x0000000024130000-memory.dmp | upx
- behavioral1/memory/844-111-0x0000000024130000-0x0000000024190000-memory.dmp | upx
- behavioral1/memory/1464-116-0x0000000024130000-0x0000000024190000-memory.dmp | upx
- behavioral1/memory/1464-124-0x0000000024130000-0x0000000024190000-memory.dmp | upx
- behavioral1/memory/1464-125-0x0000000024130000-0x0000000024190000-memory.dmp | upx

Loads dropped DLL (6 IoCs)
pid | Process
- 1736 | 92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe
- 1736 | 92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe
- 1124 | Software.exe
- 844 | Software.exe
- 1464 | Software.exe
- 1464 | Software.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Microsoft\\AntiVirús Total.exe" | Software.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Software.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Avast = "C:\\Windows\\system32\\Microsoft\\AntiVirús Total.exe" | Software.exe
- Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | Software.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\Microsoft\AntiVirús Total.exe | Software.exe
- File opened for modification | C:\Windows\SysWOW64\Microsoft\AntiVirús Total.exe | Software.exe
- File opened for modification | C:\Windows\SysWOW64\Microsoft\AntiVirús Total.exe | Software.exe
- File opened for modification | C:\Windows\SysWOW64\Microsoft\ | Software.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
- PID 1124 set thread context of 844 | 1124 | Software.exe | 28
- PID 944 set thread context of 1656 | 944 | AntiVirús Total.exe | 33

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
- 1124 | Software.exe
- 1124 | Software.exe
- 944 | AntiVirús Total.exe
- 944 | AntiVirús Total.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
- 1464 | Software.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 1124 | Software.exe
- Token: SeDebugPrivilege | 1464 | Software.exe
- Token: SeDebugPrivilege | 1464 | Software.exe
- Token: SeDebugPrivilege | 944 | AntiVirús Total.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
- 844 | Software.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
- PID 1736 wrote to memory of 1124 | 1736 | 92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe | 27 (4 entries)
- PID 1124 wrote to memory of 844 | 1124 | Software.exe | 28 (12 entries)
- PID 844 wrote to memory of 1392 | 844 | Software.exe | 13 (48 entries)
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1392
  2. C:\Users\Admin\AppData\Local\Temp\92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\92cc325d156ad9b91a7a3fd68fd6bef31b384b535332563a019892e79a8b21f2.exe"
     PID: 1736
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\Software.exe
       command line: "C:\Users\Admin\AppData\Local\Temp\Software.exe"
       PID: 1124
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\Software.exe
         command line: C:\Users\Admin\AppData\Local\Temp\Software.exe
         PID: 844
         - Adds policy Run key to start application
         - Executes dropped EXE
         - Modifies Installed Components in the registry
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops file in System32 directory
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\explorer.exe
           command line: explorer.exe
           PID: 1608
           - Modifies Installed Components in the registry
        5. C:\Program Files\Internet Explorer\iexplore.exe
           command line: "C:\Program Files\Internet Explorer\iexplore.exe"
           PID: 960
        5. C:\Users\Admin\AppData\Local\Temp\Software.exe
           command line: "C:\Users\Admin\AppData\Local\Temp\Software.exe"
           PID: 1464
           - Executes dropped EXE
           - Loads dropped DLL
           - Drops file in System32 directory
           - Suspicious behavior: GetForegroundWindowSpam
           - Suspicious use of AdjustPrivilegeToken
          6. C:\Windows\SysWOW64\Microsoft\AntiVirús Total.exe
             command line: "C:\Windows\system32\Microsoft\AntiVirús Total.exe"
             PID: 944
             - Executes dropped EXE
             - Suspicious use of SetThreadContext
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
            7. C:\Windows\SysWOW64\Microsoft\AntiVirús Total.exe
               command line: "C:\Windows\SysWOW64\Microsoft\AntiVirús Total.exe"
               PID: 1656
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 221KB
MD5: 2ece09cbab11d41be553a0082fd92e67
SHA1: 5254cac9c12be82988f01fc5aa5c680892a82cea
SHA256: 37d9f68cccc8c87ad2efbe21bfb8f774f595bd7cd36c05cd75b5858c5409f0f6
SHA512: 9713d4c2c0b695280a4c0480a3a2e345e909989fee80b706072523b6788a8b4d155d34b9336a6ead77790936799a604b826fbf8ce7518e3977bcf0d56521e39e

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9

Filesize: 599KB
MD5: c182ffc03983fc4c0ab59453bac3aecc
SHA1: 2ff9e406a79b4d7b9e25ba609128f5afa6d4d2b4
SHA256: d2e1f72a616d8ad637956c56f4658fb0d9024829f20e3a6417f5a99e3e2f5ed6
SHA512: 67bb636fe169ada92c8d78f8a7d7ce61eceb20a7847dc4fd4ab2f39c1f27edb3745afe49191cff6e8dcdeedd5d3d2f34cad8837dfb2b08328d6a920af8c86df9