Analysis

  • max time kernel
    187s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 08:52

General

  • Target

    55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe

  • Size

    1.1MB

  • MD5

    295186d521efde600fe65a53a8649ff0

  • SHA1

    a5d068dd8955fc29427298c9d5f2044d3b2a7114

  • SHA256

    55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824

  • SHA512

    f6ef927e49567b21a7ff2b914a8d7837fc3060914a97467b9b29b6c58c4ddca68c4042830f1f37a2ddc77653f0c02f652221ce587e97eb0be56cc6ae85c4fef9

  • SSDEEP

    24576:7zStYF/AiO8FbIZB1WiQXhF905CtBkV0Hf4Rl4NPtkDrT3lww2l/3:7zAYV8H4hn0KBkVEf4gNPtkCjJ

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

C2

patinhosmill.ddns.net:2000

Mutex

Pluguin

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    Pluguin.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO. (Portuguese: "YOU HAVE BEEN HACKED ...YOUR SYSTEM WILL BE FORMATTED.")

  • message_box_title

    LAMMER

  • password

    123

  • regkey_hkcu

    Avirnt

  • regkey_hklm

    skypeupdate

Signatures

  • CyberGate, Rebhip

    CyberGate (detected by some vendors as Rebhip) is a Delphi-written remote access trojan with keylogging, file management, process injection and remote control features. This build (v1.02.1, botnet "Lammer") is configured to inject into explorer.exe, log keystrokes, install itself as Pluguin.exe under a "Microsoft" directory and persist through the HKCU value "Avirnt" and the HKLM value "skypeupdate".

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry (Control Panel\International\Geo), a common geofencing check. Here it is performed by the sample and both of its dropped copies (PIDs 2108, 220 and 1056), not by a system process.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this likely ransomware behaviour, but no encryption or ransom activity is reported anywhere in this run; for a RAT it is more consistent with enumerating drives for remote file browsing.

  • Program crash 3 IoCs

    Explorer.EXE (PID 780) and two instances of the installed Pluguin.exe (PIDs 4392 and 3316) crashed and were handled by WerFault. The Pluguin.exe crashes are handled by the SysWOW64 WerFault, so the payload is a 32-bit executable running on the 64-bit image; the Explorer crash follows shortly after the sample ran and explorer.exe is the configured injection target.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the check, like the drive enumeration and most of the registry-class modifications, is attributed to explorer.exe (PID 4564), which is both the normal shell and the process the configuration names as its injection target, so it cannot be written off as shell noise on that basis alone.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
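The extracted configuration and the persistence signatures above give concrete, host-observable indicators: the C2 hostname, the install path, the two Run value names and the hash of the dropped payload. The following is an added example of turning them into a hunt over endpoint telemetry; it is not part of the sandbox report. The event records are constructed to resemble Sysmon registry-set, process-create and DNS-query events, and the dictionary field names are assumptions made for this example rather than a real log schema.

```python
"""Hunt for the CyberGate indicators extracted above (C2, Run value names,
install path, dropped-file hash) in endpoint telemetry.

Added example, not part of the sandbox report. The event dictionaries are
constructed to resemble Sysmon registry-set, process-create and DNS-query
events; their field names are assumptions for this example, not a real schema,
so map them onto your own telemetry before use.
"""
import re
from dataclasses import dataclass

# Indicators copied from the Malware Config and process tree sections.
C2_HOST = "patinhosmill.ddns.net"
INSTALL_PATH = r"C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"
RUN_VALUE_NAMES = {"avirnt", "skypeupdate"}  # regkey_hkcu / regkey_hklm, lower-cased
DROPPED_SHA256 = "f49175090c38eb659033c23371753a413ace8f848acf1ac9154ab4cdc4cf3c66"

# Matches the ordinary Run key and the Policies\Explorer\Run key that the
# "Adds Run key" / "Adds policy Run key" signatures refer to, under any hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Policies\\Explorer\\)?Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class Hit:
    event_index: int
    rule: str
    detail: str


def hunt(events):
    """Return one Hit per indicator matched; a single event can yield several."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("event")
        if kind == "registry_set":
            m = RUN_KEY_RE.search(ev["target"])
            if m and m.group("value").lower() in RUN_VALUE_NAMES:
                hits.append(Hit(i, "cybergate_run_value_name", ev["target"]))
            elif m and INSTALL_PATH.lower() in ev.get("data", "").lower():
                # Operator-renamed value that still points at the known install path.
                hits.append(Hit(i, "cybergate_run_install_path", ev["target"]))
        elif kind == "process_create":
            if ev["image"].lower() == INSTALL_PATH.lower():
                hits.append(Hit(i, "cybergate_install_path_exec", ev["command_line"]))
            if ev.get("sha256", "").lower() == DROPPED_SHA256:
                hits.append(Hit(i, "cybergate_payload_hash", ev["image"]))
        elif kind == "dns_query" and ev["query"].lower().rstrip(".") == C2_HOST:
            hits.append(Hit(i, "cybergate_c2_domain", ev["query"]))
    return hits


# Constructed sample telemetry mirroring the process tree: drop the payload,
# persist in two Run locations, relaunch from the install path, resolve the C2.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\Software.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\Software.exe"',
     "sha256": DROPPED_SHA256},
    {"event": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Avirnt",
     "data": INSTALL_PATH},
    {"event": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\skypeupdate",
     "data": INSTALL_PATH},
    {"event": "registry_set",  # benign autorun that must not match
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"event": "process_create", "image": INSTALL_PATH,
     "command_line": f'"{INSTALL_PATH}" Restart', "sha256": DROPPED_SHA256},
    {"event": "dns_query", "query": C2_HOST},
    {"event": "dns_query", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"event {h.event_index}: {h.rule}: {h.detail}")
```

The Run-key rule matches on either the value names from the config or on the install path in the value data, so a rebuild that changes only the names is still caught. The mutex "Pluguin" and the FTP exfiltration settings are not visible in these three event types; the mutex is a live-system check (handle enumeration), and with keylogger_enable_ftp false there is no FTP traffic to look for in this build.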
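The "UPX packed file" signature covers both stock UPX and modified builds whose section names have been changed, which is exactly the case where `upx -d` refuses to unpack. The following added example (not the sandbox's own detection logic) shows the two checks a triage script would run on the dropped files: stock UPX section names, and the UPX-shaped layout of an empty first section with a large virtual size followed by the packed data. The minimal PE images returned by `build_pe()` are constructed test inputs, not the sample's bytes.

```python
"""Decide whether a PE file shows the UPX section layout the report flags.

Added example, not the sandbox's detection logic. build_pe() constructs minimal
32-bit PE headers as test inputs; they are not bytes from the analysed sample.
"""
import struct


def section_table(data: bytes):
    """Return [(name, virtual_size, raw_size)] for every section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    off = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    out = []
    for _ in range(nsections):
        name, vsize, _va, rawsize = struct.unpack_from("<8sIII", data, off)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rawsize))
        off += 40
    return out


def upx_verdict(data: bytes) -> str:
    """'upx' for stock section names, 'upx-like' for a renamed but UPX-shaped
    layout (empty unpack target section, then a smaller packed section), else 'none'."""
    secs = section_table(data)
    if any(name.startswith("UPX") for name, _, _ in secs):
        return "upx"
    if len(secs) >= 2 and secs[0][2] == 0 and secs[0][1] > secs[1][2] > 0:
        return "upx-like"
    return "none"


def build_pe(sections):
    """Constructed test input: DOS stub, PE signature, COFF header with no optional
    header, and one section header per (name, virtual_size, raw_size) tuple."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                    rawsize, 0x400 if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rawsize) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + table


# Constructed layouts: stock UPX, UPX with renamed sections, and an unpacked binary.
STOCK_UPX = build_pe([(b"UPX0", 0x50000, 0), (b"UPX1", 0x20000, 0x1F000), (b".rsrc", 0x1000, 0x800)])
RENAMED_UPX = build_pe([(b".text", 0x50000, 0), (b".data", 0x20000, 0x1F000), (b".rsrc", 0x1000, 0x800)])
PLAIN = build_pe([(b".text", 0x10000, 0x10000), (b".data", 0x2000, 0x1000), (b".rsrc", 0x1000, 0x800)])

if __name__ == "__main__":
    for label, img in (("stock", STOCK_UPX), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, section_table(img), upx_verdict(img))
```

On a real file call `upx_verdict(open(path, "rb").read())`. A verdict of `upx-like` means the static unpacker will probably fail, and the fallback is the memory route the report already provides: the 384KB region at 0x0000000024010000 dumped from both Pluguin.exe instances.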

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe
        "C:\Users\Admin\AppData\Local\Temp\55d4806c35d5ecb57cbc2915c16c48600ac9a01303d97f3a97c1eed6bb1f3824.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Users\Admin\AppData\Local\Temp\Software.exe
          "C:\Users\Admin\AppData\Local\Temp\Software.exe"
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:220
          • C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe
            "C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:5076
            • C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe
              "C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"
              5⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:1056
              • C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe
                "C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe"
                6⤵
                • Executes dropped EXE
                PID:4392
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 532
                  7⤵
                  • Program crash
                  PID:4292
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 780 -s 6312
        2⤵
        • Program crash
        PID:2896
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 416 -p 780 -ip 780
    1⤵
    PID:2776
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4564
    • C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe
      "C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe" Restart
      2⤵
      • Executes dropped EXE
      PID:3316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 532
        3⤵
        • Program crash
        PID:4088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4392 -ip 4392
    1⤵
    PID:1580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3316 -ip 3316
    1⤵
    PID:3596
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1636
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1648

                Downloads

                The dropped Software.exe and the installed Pluguin.exe carry the same hashes (SHA256 f49175090c38eb659033c23371753a413ace8f848acf1ac9154ab4cdc4cf3c66, 1000KB), so the installed copy is byte-identical to the dropped file and the submitted 1.1MB sample is a dropper that writes it to the user's Temp directory. XX--XX--XX.txt is a 221KB text file written to the same directory; its contents are not shown in this report. The memory dumps below include the same 384KB region at 0x0000000024010000-0x0000000024070000 from both Pluguin.exe instances (PIDs 5076 and 1056), the natural starting point for recovering the unpacked payload.

                • C:\Users\Admin\AppData\Local\Temp\Software.exe

                  Filesize

                  1000KB

                  MD5

                  29c7d8fc6d0a21a3e4242ba9aec82995

                  SHA1

                  58771c5694e43ce3194fbdca3740c55f5beadb01

                  SHA256

                  f49175090c38eb659033c23371753a413ace8f848acf1ac9154ab4cdc4cf3c66

                  SHA512

                  dcfed255213ddb1a36c89e4d024e7ecd8a76e05c115f065fdf3c9ee3ab97b2a1fb05808f800c7127a68924e9ba2920c9f84343f03b012a35f30cc4a5b6d4fe55

                • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

                  Filesize

                  221KB

                  MD5

                  fc9d88d84188db4508380d92739226c3

                  SHA1

                  d11f9a28c3cf9c0ea96e0e51662ecadf666aa5a7

                  SHA256

                  817370d9da01632fc078db6fc215f5e565976af7339896f94239468cf10765e0

                  SHA512

                  d6260737de07fe2282d9320f3f27e00ec8b226ded47170f1190d9d7f248d0ee0357d20cf10ee5aa8e99f480ad96fec1f0e8d207604f2579cc4639758b12ae7b3

                • C:\directory\Microsoft\Pluguin\Microsoft\Pluguin.exe

                  Filesize

                  1000KB

                  MD5

                  29c7d8fc6d0a21a3e4242ba9aec82995

                  SHA1

                  58771c5694e43ce3194fbdca3740c55f5beadb01

                  SHA256

                  f49175090c38eb659033c23371753a413ace8f848acf1ac9154ab4cdc4cf3c66

                  SHA512

                  dcfed255213ddb1a36c89e4d024e7ecd8a76e05c115f065fdf3c9ee3ab97b2a1fb05808f800c7127a68924e9ba2920c9f84343f03b012a35f30cc4a5b6d4fe55

                • memory/1056-164-0x0000000024010000-0x0000000024070000-memory.dmp

                  Filesize

                  384KB

                • memory/1056-154-0x0000000024010000-0x0000000024070000-memory.dmp

                  Filesize

                  384KB

                • memory/1056-148-0x0000000024010000-0x0000000024070000-memory.dmp

                  Filesize

                  384KB

                • memory/1648-165-0x0000020D684B0000-0x0000020D684B8000-memory.dmp

                  Filesize

                  32KB

                • memory/1648-192-0x0000020D69800000-0x0000020D69820000-memory.dmp

                  Filesize

                  128KB

                • memory/1648-193-0x0000020D69800000-0x0000020D69820000-memory.dmp

                  Filesize

                  128KB

                • memory/1648-196-0x0000020D6C040000-0x0000020D6C060000-memory.dmp

                  Filesize

                  128KB

                • memory/1648-203-0x0000020D6B9B0000-0x0000020D6B9D0000-memory.dmp

                  Filesize

                  128KB

                • memory/2108-133-0x00000000749C0000-0x0000000074F71000-memory.dmp

                  Filesize

                  5.7MB

                • memory/2108-132-0x00000000749C0000-0x0000000074F71000-memory.dmp

                  Filesize

                  5.7MB

                • memory/2108-137-0x00000000749C0000-0x0000000074F71000-memory.dmp

                  Filesize

                  5.7MB

                • memory/5076-145-0x0000000024010000-0x0000000024070000-memory.dmp

                  Filesize

                  384KB