Analysis

  • max time kernel
    180s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 08:58

General

  • Target

    4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe

  • Size

    477KB

  • MD5

    09d2422a5358c2e3dcc9f47d87c19a4c

  • SHA1

    b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40

  • SHA256

    4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78

  • SHA512

    ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355

  • SSDEEP

    12288:uZ2zkPaCxa19PWMsnwjWtrp7bxYoDZlrAS8:uZOkl4WXltrp7FR1AS8

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

åÐ åæ ÇáãÞÓæã

C2

mohammad2010.no-ip.biz:100

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    foldar

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Molebox Virtualization software 2 IoCs

    Detects file using Molebox Virtualization software.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2832
      • C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
        "C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          PID:764
        • C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe
          "C:\Users\Admin\AppData\Local\Temp\4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78.exe"
          3⤵
          • Checks computer location settings
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
          • C:\Windows\SysWOW64\foldar\windows.exe
            "C:\Windows\system32\foldar\windows.exe"
            4⤵
            • Executes dropped EXE
            PID:2540
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 608
              5⤵
              • Program crash
              PID:5108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2540 -ip 2540
      1⤵
        PID:224

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

              Filesize

              229KB

              MD5

              4f632f71edbb00ea9c46f8bf4846a3f3

              SHA1

              a9f3199344b4583567aea525ce732c8c483b98e6

              SHA256

              dee6864f9e0ba0c3c43e3212e1aa1861000d9a9cb567e06a1989d33f94118bb6

              SHA512

              5c45bd3f493411d81f0b65ca438d88662dc6c073c4c1c3f8de3c0efd4607e57304585e46182303939508624a231bda51c12082ed44c9bfde9e7e575988947ab2

            • C:\Windows\SysWOW64\foldar\windows.exe

              Filesize

              477KB

              MD5

              09d2422a5358c2e3dcc9f47d87c19a4c

              SHA1

              b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40

              SHA256

              4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78

              SHA512

              ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355

            • C:\Windows\SysWOW64\foldar\windows.exe

              Filesize

              477KB

              MD5

              09d2422a5358c2e3dcc9f47d87c19a4c

              SHA1

              b1fa7525b3ec27dd1c3e57ee112ca8aff5ee7e40

              SHA256

              4d8525a98032c327853458453b5d45084bf289323202a79b547a9efb84505d78

              SHA512

              ce31609690fbfd516b109bdc46ba110fd1591f943ad318c3e9c0566cd029d4daec01e946b00998df968eed61aa36d7212a3c09444493131569f24288dae92355

            • memory/764-144-0x0000000024080000-0x00000000240E2000-memory.dmp

              Filesize

              392KB

            • memory/764-147-0x0000000024080000-0x00000000240E2000-memory.dmp

              Filesize

              392KB

            • memory/1136-156-0x00000000240F0000-0x0000000024152000-memory.dmp

              Filesize

              392KB

            • memory/1136-153-0x00000000240F0000-0x0000000024152000-memory.dmp

              Filesize

              392KB

            • memory/1136-162-0x00000000240F0000-0x0000000024152000-memory.dmp

              Filesize

              392KB

            • memory/2540-159-0x0000000000400000-0x0000000000497000-memory.dmp

              Filesize

              604KB

            • memory/2540-160-0x0000000000640000-0x0000000000693000-memory.dmp

              Filesize

              332KB

            • memory/2540-161-0x0000000000400000-0x0000000000497000-memory.dmp

              Filesize

              604KB

            • memory/3820-134-0x0000000000400000-0x0000000000497000-memory.dmp

              Filesize

              604KB

            • memory/3820-150-0x00000000240F0000-0x0000000024152000-memory.dmp

              Filesize

              392KB

            • memory/3820-154-0x0000000002250000-0x00000000022A3000-memory.dmp

              Filesize

              332KB

            • memory/3820-141-0x0000000024080000-0x00000000240E2000-memory.dmp

              Filesize

              392KB

            • memory/3820-155-0x0000000000400000-0x0000000000497000-memory.dmp

              Filesize

              604KB

            • memory/3820-132-0x0000000000400000-0x0000000000497000-memory.dmp

              Filesize

              604KB

            • memory/3820-133-0x0000000002250000-0x00000000022A3000-memory.dmp

              Filesize

              332KB

            • memory/3820-136-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB