Analysis
max time kernel: 151s
max time network: 67s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 08:58

Static task: static1

Behavioral task: behavioral1
  Sample: 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Resource: win10v2004-20220812-en
General
Target: 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
Size: 477KB
MD5: 09d2422a5358c2e3dcc9f47d87c19a4c
SHA1: b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40
SHA256: 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78
SHA512: ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355
SSDEEP: 12288:uZ2zkPaCxa19PWMsnwjWtrp7bxYoDZlrAS8:uZOkl4WXltrp7FR1AS8
Malware Config
Extracted
family: cybergate
version: 2.6
identifier string (unlabelled in the report): åÐ åæ ÇáãÞÓæã  (Arabic text rendered as Windows-1256 mojibake; presumably هذ هو المقسوم)
C2: mohammad2010.no-ip.biz:100
mutex: ***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_dir: foldar
install_file: windows.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Molebox Virtualization software  (4 IoCs)
Detects file using Molebox Virtualization software.
  resource                                       yara_rule
  behavioral1/files/0x0009000000013482-81.dat    molebox
  behavioral1/files/0x0009000000013482-95.dat    molebox
  behavioral1/files/0x0009000000013482-96.dat    molebox
  behavioral1/files/0x0009000000013482-98.dat    molebox
Adds policy Run key to start application  (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                      process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run                                         4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe"   4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run   4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\foldar\\windows.exe"   4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
Executes dropped EXE  (1 IoC)
  pid   Process
  1836  windows.exe
Modifies Installed Components in the registry  (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                      process
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}   4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}\StubPath = "C:\\Windows\\system32\\foldar\\windows.exe Restart"   4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}   explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23P1S1BR-F560-376J-LV8X-PNDLP3T3X126}\StubPath = "C:\\Windows\\system32\\foldar\\windows.exe"   explorer.exe

yara rule upx  (8 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/1816-65-0x0000000024010000-0x0000000024072000-memory.dmp     upx
  behavioral1/memory/1816-74-0x0000000024080000-0x00000000240E2000-memory.dmp     upx
  behavioral1/memory/1972-79-0x0000000024080000-0x00000000240E2000-memory.dmp     upx
  behavioral1/memory/1972-82-0x0000000024080000-0x00000000240E2000-memory.dmp     upx
  behavioral1/memory/1816-86-0x00000000240F0000-0x0000000024152000-memory.dmp     upx
  behavioral1/memory/1532-91-0x00000000240F0000-0x0000000024152000-memory.dmp     upx
  behavioral1/memory/1532-94-0x00000000240F0000-0x0000000024152000-memory.dmp     upx
  behavioral1/memory/1532-110-0x00000000240F0000-0x0000000024152000-memory.dmp    upx
Loads dropped DLL  (2 IoCs)
  pid   Process
  1532  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  1532  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
Adds Run key to start application  (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                      process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\foldar\\windows.exe"   4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\foldar\\windows.exe"   4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run                  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
Drops file in System32 directory  (4 IoCs)
  description                   ioc                                        process
  File opened for modification  C:\Windows\SysWOW64\foldar\windows.exe     4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  File opened for modification  C:\Windows\SysWOW64\foldar\                4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  File created                  C:\Windows\SysWOW64\foldar\windows.exe     4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  File opened for modification  C:\Windows\SysWOW64\foldar\windows.exe     4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses  (1 IoC)
  pid   Process
  1816  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid   Process
  1532  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1532  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
  Token: SeDebugPrivilege  1532  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

Suspicious use of FindShellTrayWindow  (1 IoC)
  pid   Process
  1816  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
Suspicious use of WriteProcessMemory  (64 IoCs; all 64 entries are identical, so only the first is kept)
  description                         pid   Process                                                                 procid_target
  PID 1816 wrote to memory of 1400    1816  4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe   19
Processes
C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  PID:1400
  C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe")  PID:1816
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe  (command line: explorer.exe)  PID:1972
      - Modifies Installed Components in the registry
    C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe")  PID:1532
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\foldar\windows.exe  (command line: "C:\Windows\system32\foldar\windows.exe")  PID:1836
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 229KB
MD5: 4f632f71edbb00ea9c46f8bf4846a3f3
SHA1: a9f3199344b4583567aea525ce732c8c483b98e6
SHA256: dee6864f9e0ba0c3c43e3212e1aa1861000d9a9cb567e06a1989d33f94118bb6
SHA512: 5c45bd3f493411d81f0b65ca438d88662dc6c073c4c1c3f8de3c0efd4607e57304585e46182303939508624a231bda51c12082ed44c9bfde9e7e575988947ab2

Filesize: 477KB
MD5: 09d2422a5358c2e3dcc9f47d87c19a4c
SHA1: b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40
SHA256: 4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78
SHA512: ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355