Analysis
max time kernel: 151s
max time network: 106s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 08:52
Static task: static1
Behavioral task: behavioral1
Sample: 55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe
Resource: win7-20220812-en
General
Target: 55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe
Size: 1.1MB
MD5: 295186d521efde600fe65a53a8649ff0
SHA1: a5d068dd8955fc29427298c9d5f2044d3b2a7114
SHA256: 55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824
SHA512: f6ef927e49567b21a7ff2b914a8d7837fc3060914a97467b9b29b6c58c4ddca68c4042830f1f37a2ddc77653f0c02f652221ce587e97eb0be56cc6ae85c4fef9
SSDEEP: 24576:7zStYF/AiO8FbIZB1WiQXhF905CtBkV0Hf4Rl4NPtkDrT3lww2l/3:7zAYV8H4hn0KBkVEf4gNPtkCjJ
Malware Config
Extracted
Family: cybergate
Version: v1.02.1
Lammer
C2: patinhosmill.ddns.net:2000
Pluguin
Attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./
ftp_interval: 30
injected_process: explorer.exe
install_dir: Microsoft
install_file: Pluguin.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title: LAMMER
password: 123
regkey_hkcu: Avirnt
regkey_hklm: skypeupdate
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | Software.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Software.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | Software.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Software.exe

Executes dropped EXE (4 IoCs)
pid | Process
944 | Software.exe
1580 | Pluguin.exe
1112 | Pluguin.exe
1256 | Pluguin.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0KQ33UH-1MT3-LET3-B7O7-0JJBUM64IV32}\StubPath = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe Restart" | Software.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0KQ33UH-1MT3-LET3-B7O7-0JJBUM64IV32} | Software.exe

resource | yara_rule
behavioral1/memory/1580-76-0x0000000024010000-0x0000000024070000-memory.dmp | upx
behavioral1/memory/1112-81-0x0000000024010000-0x0000000024070000-memory.dmp | upx
behavioral1/memory/1112-86-0x0000000024010000-0x0000000024070000-memory.dmp | upx
behavioral1/memory/1112-87-0x0000000024010000-0x0000000024070000-memory.dmp | upx

Loads dropped DLL (4 IoCs)
pid | Process
1644 | 55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe
1644 | 55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe
944 | Software.exe
944 | Software.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Software.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\skypeupdate = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | Software.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | Software.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Avirnt = "c:\\directory\\Microsoft\\Pluguin\\Microsoft\\Pluguin.exe" | Software.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1112 | Pluguin.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1112 | Pluguin.exe
Token: SeDebugPrivilege | 1112 | Pluguin.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
944 | Software.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1644 wrote to memory of 944 | 1644 | 55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe | 28 (4 identical rows)
PID 944 wrote to memory of 1580 | 944 | Software.exe | 29 (4 identical rows)
PID 944 wrote to memory of 1220 | 944 | Software.exe | 17 (2 identical rows)
PID 1580 wrote to memory of 1112 | 1580 | Pluguin.exe | 30 (all remaining rows, up to the 64 listed)
Processes
C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  PID: 1220
  C:\Users\Admin\AppData\Local\Temp\55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe
    "C:\Users\Admin\AppData\Local\Temp\55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe"
    PID: 1644
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Software.exe
      "C:\Users\Admin\AppData\Local\Temp\Software.exe"
      PID: 944
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe
        "C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"
        PID: 1580
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe
          "C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"
          PID: 1112
          - Executes dropped EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe
            "C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"
            PID: 1256
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1000KB
MD5: 29c7d8fc6d0a21a3e4242ba9aec82995
SHA1: 58771c5694e43ce3194fbdca3740c55f5beadb01
SHA256: f49175090c38eb659033c23371753a413ace8f848acf1ac9154ab4cdc4cf3c66
SHA512: dcfed255213ddb1a36c89e4d024e7ecd8a76e05c115f065fdf3c9ee3ab97b2a1fb05808f800c7127a68924e9ba2920c9f84343f03b012a35f30cc4a5b6d4fe55

Filesize: 221KB
MD5: fc9d88d84188db4508380d92739226c3
SHA1: d11f9a28c3cf9c0ea96e0e51662ecadf666aa5a7
SHA256: 817370d9da01632fc078db6fc215f5e565976af7339896f94239468cf10765e0
SHA512: d6260737de07fe2282d9320f3f27e00ec8b226ded47170f1190d9d7f248d0ee0357d20cf10ee5aa8e99f480ad96fec1f0e8d207604f2579cc4639758b12ae7b3