Analysis
max time kernel: 169s
max time network: 233s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 10:26
Static task: static1
Behavioral task: behavioral1
Sample: 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
Resource: win7-20220812-en
General
Target: 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
Size: 328KB
MD5: 0a61198a602ad05a7403de6af79fddd4
SHA1: 83f3ed2c51f94c254726a50dc4d84c7220b9a456
SHA256: 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332
SHA512: 2e9e4b78475e441279733e121f6298bb1687f40fc856824a1b5056128c299318d892b3153e352cc3b79e09899cf300f81324cdaeddde393f4761d99c7721b248
SSDEEP: 6144:F4Yv4qWJz289Fl1UWLPeTpaJujNz3yNNXnN9QduZzzuY2j6zPIsgip:RNWfHjWTpaO+N96AZk2Isz
Malware Config
Extracted
Family: cybergate
Version: 2.6
ID: Tuzick
C2: six17.no-ip.info:81
Mutex: ***MUTEX*** (this is the literal mutex name, a CyberGate builder default, not a redaction)
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: msconfig
install_file: msconfig.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem (Portuguese builder default, "message text")
message_box_title: título da mensagem (Portuguese builder default, "message title")
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msconfig\\msconfig.exe" (svchost.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msconfig\\msconfig.exe" (svchost.exe)

Executes dropped EXE (3 IoCs)
- PID 1092 svchost.exe
- PID 1640 svchost.exe
- PID 764 msconfig.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5} (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5}\StubPath = "C:\\Windows\\system32\\msconfig\\msconfig.exe Restart" (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5}\StubPath = "C:\\Windows\\system32\\msconfig\\msconfig.exe" (explorer.exe)
Note: the component name {W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5} is not a well-formed GUID (W, R, N, H, U, J and T are not hex digits), so the key name itself is a usable hunting indicator. The second pair of writes is performed by explorer.exe PID 576, the 32-bit C:\Windows\SysWOW64\explorer.exe that svchost.exe spawns in the process tree, not by the desktop shell.

YARA rule hits: upx (9 memory dumps from PIDs 1092, 576 and 1640)
- behavioral1/memory/1092-79-0x0000000024010000-0x0000000024072000-memory.dmp
- behavioral1/memory/1092-88-0x0000000024080000-0x00000000240E2000-memory.dmp
- behavioral1/memory/576-93-0x0000000024080000-0x00000000240E2000-memory.dmp
- behavioral1/memory/576-96-0x0000000024080000-0x00000000240E2000-memory.dmp
- behavioral1/memory/1092-98-0x00000000240F0000-0x0000000024152000-memory.dmp
- behavioral1/memory/1092-106-0x0000000024160000-0x00000000241C2000-memory.dmp
- behavioral1/memory/1640-112-0x0000000024160000-0x00000000241C2000-memory.dmp
- behavioral1/memory/1640-116-0x0000000024160000-0x00000000241C2000-memory.dmp
- behavioral1/memory/1640-117-0x0000000024160000-0x00000000241C2000-memory.dmp
Note: every flagged region is 0x62000 bytes long and sits in the 0x24000000 range in both svchost.exe instances and in explorer.exe, consistent with one UPX-packed module being mapped into each process.

Loads dropped DLL (3 IoCs)
- PID 1456 2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe
- PID 1092 svchost.exe
- PID 1640 svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msconfig\\msconfig.exe" (svchost.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msconfig\\msconfig.exe" (svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
Note: the Run value names HKLM and HKCU are exactly the regkey_hklm and regkey_hkcu strings from the extracted config.

Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\msconfig\ (svchost.exe)
- File created: C:\Windows\SysWOW64\msconfig\msconfig.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\msconfig\msconfig.exe (svchost.exe, listed twice)
Note: the config and every registry value name system32, but the sample is 32-bit (SysWOW64 processes, Wow6432Node keys, the arch:x86 tag), so WOW64 file-system redirection places the file under SysWOW64 on this x64 image; on a 32-bit host the same install lands in System32. Indicators should cover both paths.
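The config and the persistence IoCs above line up field by field: install_dir and install_file give the path written into every Run value and into the Active Setup StubPath, and the Run value names HKLM and HKCU are the config's regkey_hklm and regkey_hkcu strings. The Python below is an added example, not code from the sandbox or from CyberGate, that turns an extracted config into the artifacts it predicts and checks them against the report's registry and file events, folding WOW64 redirection (SysWOW64 against system32, Wow6432Node against the native key) so both forms match. The config values and event lines are transcribed from this report; the field-to-artifact mapping is an assumption inferred from them, not something the report documents.

```python
"""Check the persistence artifacts predicted by the extracted CyberGate config
against the registry/file events the sandbox recorded.

Added example; not part of the sandbox report or of CyberGate. Config values and
event lines are transcribed from this report. ASSUMPTION: the field-to-artifact
mapping (install_dir/install_file -> path under system32, regkey_hklm/regkey_hkcu
-> Run value names) is inferred from how the observed values line up with the
config, not documented by the report.
"""
import re

# Persistence-relevant config fields, as extracted in the report.
CONFIG = {
    "install_dir": "msconfig",
    "install_file": "msconfig.exe",
    "injected_process": "explorer.exe",
    "regkey_hkcu": "HKCU",
    "regkey_hklm": "HKLM",
}

# Event lines transcribed from the Signatures section (acting process last).
OBSERVED_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\msconfig\\msconfig.exe" svchost.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\msconfig\\msconfig.exe" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\msconfig\\msconfig.exe" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W7WUW042-5R50-3W1F-NH3U-86EWKW84JJT5}\StubPath = "C:\\Windows\\system32\\msconfig\\msconfig.exe Restart" svchost.exe',
    r"File created C:\Windows\SysWOW64\msconfig\msconfig.exe svchost.exe",
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
FILE_RE = re.compile(r"^File created (.+?) (\S+)$")
SID_RE = re.compile(r"^\\registry\\user\\s-1-5-[0-9-]+\\")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")


def normalize_path(path):
    """Case-fold, unescape the report's doubled backslashes and fold WOW64
    file-system redirection, so the SysWOW64 path a 32-bit process really
    writes to compares equal to the system32 path stored in the registry."""
    p = path.strip().strip('"').replace("\\\\", "\\").lower()
    if p.startswith("c:\\windows\\syswow64\\"):
        p = "c:\\windows\\system32\\" + p[len("c:\\windows\\syswow64\\"):]
    return p


def normalize_key(key):
    """Map the REGISTRY/MACHINE prefix to hklm, REGISTRY/USER/<SID> to hkcu and
    drop the Wow6432Node reflection so both hives use one canonical form."""
    k = key.lower()
    k = SID_RE.sub(lambda m: "hkcu\\", k)
    if k.startswith("\\registry\\machine\\"):
        k = "hklm\\" + k[len("\\registry\\machine\\"):]
    return k.replace("software\\wow6432node\\", "software\\", 1)


def parse_event(line):
    """Parse one 'Set value' or 'File created' line into a normalized dict."""
    m = SET_RE.match(line)
    if m:
        _, value_path, data, proc = m.groups()
        key, _, name = value_path.rpartition("\\")
        return {"type": "reg_set", "key": normalize_key(key), "name": name.lower(),
                "data": normalize_path(data), "proc": proc.lower()}
    m = FILE_RE.match(line)
    if m:
        return {"type": "file_create", "path": normalize_path(m.group(1)),
                "proc": m.group(2).lower()}
    return None


def expected_artifacts(cfg):
    """Artifacts this config predicts (see ASSUMPTION in the module docstring)."""
    install = normalize_path(
        "C:\\Windows\\system32\\%s\\%s" % (cfg["install_dir"], cfg["install_file"]))
    run = "software\\microsoft\\windows\\currentversion\\run"
    return {
        "install_path": install,
        "run_values": {("hklm\\" + run, cfg["regkey_hklm"].lower()),
                       ("hkcu\\" + run, cfg["regkey_hkcu"].lower())},
    }


def check_persistence(cfg, lines):
    """Return which predicted artifacts were observed, plus any Active Setup
    component whose name is not a well-formed hex GUID (the one in this report
    contains non-hex letters, which is itself a hunting signal)."""
    exp = expected_artifacts(cfg)
    found = {"install_file": False, "run_hklm": False, "run_hkcu": False,
             "policies_run": False, "active_setup": False, "non_hex_component_ids": []}
    for e in filter(None, map(parse_event, lines)):
        if e["type"] == "file_create":
            found["install_file"] |= e["path"] == exp["install_path"]
            continue
        if not e["data"].startswith(exp["install_path"]):
            continue  # some other value; not the implant's path
        if (e["key"], e["name"]) in exp["run_values"]:
            found["run_" + e["key"][:4]] = True
        elif e["key"].endswith("\\policies\\explorer\\run"):
            found["policies_run"] = True
        elif "\\active setup\\installed components\\" in e["key"] and e["name"] == "stubpath":
            found["active_setup"] = True
            component = e["key"].rpartition("\\")[2]
            if not GUID_RE.match(component):
                found["non_hex_component_ids"].append(component)
    return found


if __name__ == "__main__":
    for k, v in check_persistence(CONFIG, OBSERVED_EVENTS).items():
        print("%-24s %s" % (k, v))
```

Run as-is it ticks off every predicted artifact and reports the malformed Active Setup component name; lines from another source in the same "Set value"/"File created" shape can be checked against a different extracted config the same way.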
Suspicious use of SetThreadContext (1 IoC)
- PID 1456 (2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe) set thread context of PID 1092 (svchost.exe; procid_target 27)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "Likely ransomware behaviour"; for this sample, whose extracted config identifies it as CyberGate, a remote-access trojan, drive enumeration is equally consistent with the RAT's file-browsing features, so read the ransomware label as a generic heuristic rather than a classification of this sample.

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1092 svchost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1640 svchost.exe
Note: repeated GetForegroundWindow polling is how a keylogger attributes keystrokes to the active window title; it lines up with enable_keylogger: true in the config.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1640 svchost.exe (listed twice)

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1092 svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries collapse to three writer/target pairs:
- PID 1456 (2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe) wrote to memory of PID 1092 (svchost.exe; procid_target 27): 12 entries
- PID 1456 (2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe) wrote to memory of PID 1760 (WScript.exe; procid_target 28): 4 entries
- PID 1092 (svchost.exe) wrote to memory of PID 1244 (Explorer.EXE; procid_target 15): 48 entries
PID 1244 is the desktop shell C:\Windows\Explorer.EXE at the root of the process tree, i.e. the process named by the config's injected_process field. The 1456 -> 1092 writes pair with the SetThreadContext call listed above, which targets the same child.
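Read together, the SetThreadContext and WriteProcessMemory IoCs describe a two-hop chain: the sample writes into its own child svchost.exe (PID 1092) and resets its thread context, and that child then writes 48 times into the desktop shell Explorer.EXE (PID 1244), the process the config names in injected_process. The Python below is an added example, not part of the report, that rebuilds this from the IoC lines and the process tree: it groups events by writer/target pair, labels each pair by the parent-child relationship between the two, and follows targets that later become writers. The process table is transcribed from the tree further down and the event lines are regenerated to the report's counts; the "hollowing-like" label is the script's inference from the pattern (parent writes into a child it created and replaces its thread context), not a verdict the sandbox gives.

```python
"""Reconstruct the injection chain from the sandbox's WriteProcessMemory and
SetThreadContext IoCs.

Added example; not part of the sandbox report. PROCS is transcribed from the
report's process tree and EVENTS is rebuilt from the IoC counts (12 + 4 + 48
writes, one SetThreadContext). Labelling a parent->child write plus
SetThreadContext as "hollowing-like" is this script's inference from the
pattern, not a verdict the report states.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe"

# PID -> (image path, parent PID), from the report's process tree.
PROCS = {
    1244: ("C:\\Windows\\Explorer.EXE", None),
    1456: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, 1244),
    1092: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe", 1456),
    1760: ("C:\\Windows\\SysWOW64\\WScript.exe", 1456),
    576: ("C:\\Windows\\SysWOW64\\explorer.exe", 1092),
    1940: ("C:\\Program Files\\Internet Explorer\\iexplore.exe", 1092),
    1640: ("C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe", 1092),
    764: ("C:\\Windows\\SysWOW64\\msconfig\\msconfig.exe", 1640),
}

# IoC lines in the report's wording, replicated to the listed counts.
EVENTS = (
    ["PID 1456 set thread context of 1092 1456 %s 27" % SAMPLE]
    + ["PID 1456 wrote to memory of 1092 1456 %s 27" % SAMPLE] * 12
    + ["PID 1456 wrote to memory of 1760 1456 %s 28" % SAMPLE] * 4
    + ["PID 1092 wrote to memory of 1244 1092 svchost.exe 15"] * 48
)

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")


def parse_events(lines):
    """Group IoCs by (source PID, target PID) -> Counter of 'write' / 'setctx'."""
    pairs = defaultdict(Counter)
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
            pairs[(src, dst)]["setctx" if verb.startswith("set") else "write"] += 1
    return pairs


def classify(pairs, procs, injected_process=None):
    """Label each writer/target pair by the relationship between the two."""
    findings = []
    for (src, dst), c in sorted(pairs.items()):
        image, parent = procs[dst]
        if parent == src and c["setctx"]:
            kind = "hollowing-like: parent wrote into its child and reset its thread context"
        elif parent == src:
            kind = "parent wrote into its child without a thread-context change (review)"
        else:
            kind = "cross-process injection into a process it did not create"
            if injected_process and image.lower().endswith("\\" + injected_process.lower()):
                kind += " (matches config injected_process)"
        findings.append({"src": src, "dst": dst, "dst_image": image,
                         "writes": c["write"], "setctx": c["setctx"], "kind": kind})
    return findings


def injection_chains(pairs):
    """Follow targets that themselves become writers, e.g. 1456 -> 1092 -> 1244."""
    edges = defaultdict(set)
    for src, dst in pairs:
        edges[src].add(dst)
    targets = {dst for _, dst in pairs}
    chains = []

    def walk(node, path):
        if node not in edges:
            chains.append(path)
            return
        for nxt in sorted(edges[node]):
            if nxt in path:  # guard against a write cycle
                continue
            walk(nxt, path + [nxt])

    for root in sorted(s for s in edges if s not in targets):
        walk(root, [root])
    return chains


if __name__ == "__main__":
    pairs = parse_events(EVENTS)
    for f in classify(pairs, PROCS, "explorer.exe"):
        print("%d -> %d (%s): %d writes, %d SetThreadContext; %s"
              % (f["src"], f["dst"], f["dst_image"], f["writes"], f["setctx"], f["kind"]))
    print("chains:", injection_chains(pairs))
```

The parent-child test is what separates the two hops: the first write target is a process the writer itself launched, the second is the pre-existing shell. The 1456 -> 1760 writes into WScript.exe carry no SetThreadContext and so are only flagged for review.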
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID 1244
  - C:\Users\Admin\AppData\Local\Temp\2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2e3d785f82dc45a3f69323b5d05cdf3cef731f21333aa6437e6b2f20e0e26332.exe") PID 1456
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe (command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe) PID 1092
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID 576
        - Modifies Installed Components in the registry
      - C:\Program Files\Internet Explorer\iexplore.exe (command line: "C:\Program Files\Internet Explorer\iexplore.exe") PID 1940
      - C:\Users\Admin\AppData\Local\Temp\svchost.exe (command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe") PID 1640
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\msconfig\msconfig.exe (command line: "C:\Windows\system32\msconfig\msconfig.exe") PID 764
          - Executes dropped EXE
    - C:\Windows\SysWOW64\WScript.exe (command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs") PID 1760
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 229KB
  MD5: 56af548c49acb7d314a228d49b2a2a32
  SHA1: b76d0c88560d8dd0744bceb19c627ba4122d64e0
  SHA256: f46d6b5b8d841fc784f503d9878ff7d7479f2e2b71556dd9c7b8d891d5b88234
  SHA512: 6aa0523adce98440dbc119e229afe42e6f1cff6fbfe29e954d946d6efc106c7be9e5c696ece31bbd6678ccc84fd274a64b38401bf9b9af0def1368d0ecefa59c
- Filesize: 378B
  MD5: fa87c36e56bb1f03f973d0125e286a09
  SHA1: a47c79279865ad55be60eda927f6f0ad45053b7e
  SHA256: d79606af3b78ec19255b43ac4050b477ee82b2d0f857c3a691111cd9ea667afd
  SHA512: d867d6937551af2e4e9e18160312885be5659c0cd9f1c9ae112f2b6f887a31486700bb43567d6ef9c0070483c1233f5a5746af37c10b2d0fbc957c360318598a
- Filesize: 31KB (the report lists this identical entry seven times)
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2