Analysis

- max time kernel: 152s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 20:19
Behavioral task: behavioral1
- Sample: Trojan-Ransom.Win32.Blocker.exe
- Resource: win7-20220812-en

Note: the analysis header above describes a Windows 10 (win10v2004-20220812-en) run and every signature row below is tagged behavioral2, while the task listed here is behavioral1 on win7-20220812-en. The page only carries the details of the Windows 10 run.
General

- Target: Trojan-Ransom.Win32.Blocker.exe
- Size: 584KB
- MD5: b60424fa1a6e4ed0deb5610101d5c31c
- SHA1: b5d3467d8a377ba925d1ddcf0a26c1a077838d01
- SHA256: ed4f4d1c793df2039ff33416bfa650a392492720fcd684bff997261f22f391d1
- SHA512: 4620d1d59d821ae7500af490c8ec0c83a4fe782891a15c2887eca76622e76700132dbeb54d0ffe5436d205399cea147de1f8484cf8a3ad98939fc3fcebb44daf
- SSDEEP: 12288:+j35Pjg+dio2pc9XmQipZ1VRqqqI250gBVz+v3+jH5p:+j35PjgKmcUpZ1VE1h5svujZp
Malware Config

Extracted (the first five values appear unlabelled on the page; the labels Botnet, C2 and Mutex are the usual meaning of those positions in a CyberGate config and are inferred here)
- Family: cybergate
- Version: v3.4.2.2
- Botnet / campaign ID: reality2
- C2: dnsupdater.cable-modem.org:21
- Mutex: FA3H3JTR8MDWLL
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: ProgramData
- install_file: chrome.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: tunisie33
- regkey_hkcu: HKCU
- regkey_hklm: HKLM

Read together, the config predicts the behaviour recorded below: install_flag, install_dir and install_file give the drop path C:\ProgramData\chrome.exe; regkey_hkcu and regkey_hklm are the value names (HKCU, HKLM) the RAT writes under the Run keys; injected_process names explorer.exe as the process it hosts itself in. The keylogger is enabled but keylogger_enable_ftp is false, so ftp_directory and ftp_interval are inert in this build; the C2 endpoint on port 21 is the RAT's own connection target and is independent of those FTP settings.
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\ProgramData\\chrome.exe" | Trojan-Ransom.Win32.Blocker.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Trojan-Ransom.Win32.Blocker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\ProgramData\\chrome.exe" | Trojan-Ransom.Win32.Blocker.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Trojan-Ransom.Win32.Blocker.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{32785T2B-3RP5-K637-16DE-BS8683XTM03X} | Trojan-Ransom.Win32.Blocker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32785T2B-3RP5-K637-16DE-BS8683XTM03X}\StubPath = "C:\\ProgramData\\chrome.exe Restart" | Trojan-Ransom.Win32.Blocker.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{32785T2B-3RP5-K637-16DE-BS8683XTM03X} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32785T2B-3RP5-K637-16DE-BS8683XTM03X}\StubPath = "C:\\ProgramData\\chrome.exe" | explorer.exe

Note: the Active Setup StubPath is written both by the sample (with the argument Restart) and by the injected explorer.exe (without it). Active Setup runs the StubPath once per user at logon whenever HKLM lists a component that the user's HKCU copy does not, so this survives even if the Run keys are cleaned. The component name {32785T2B-3RP5-K637-16DE-BS8683XTM03X} is not a well-formed GUID (it contains T, R, P, K, S, X and M, which are outside 0-9A-F); Windows does not validate it, but a detection can. All of these keys sit under WOW6432Node, i.e. they were written by a 32-bit process on the x64 image.
UPX-packed regions (yara rule: upx, 18 IoCs)
  resource | yara_rule
  behavioral2/memory/4260-132-0x0000000000400000-0x00000000004D8000-memory.dmp | upx
  behavioral2/memory/4620-136-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4260-135-0x0000000000400000-0x00000000004D8000-memory.dmp | upx
  behavioral2/memory/4620-137-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4620-138-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4620-139-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4620-141-0x0000000010410000-0x0000000010480000-memory.dmp | upx
  behavioral2/memory/4620-146-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
  behavioral2/memory/4828-149-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
  behavioral2/memory/4828-150-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
  behavioral2/files/0x0006000000022f31-152.dat | upx
  behavioral2/memory/4620-154-0x00000000104F0000-0x0000000010560000-memory.dmp | upx
  behavioral2/memory/4620-159-0x0000000010560000-0x00000000105D0000-memory.dmp | upx
  behavioral2/memory/3636-162-0x0000000010560000-0x00000000105D0000-memory.dmp | upx
  behavioral2/memory/3636-163-0x0000000010560000-0x00000000105D0000-memory.dmp | upx
  behavioral2/memory/4620-164-0x0000000000400000-0x0000000000478000-memory.dmp | upx
  behavioral2/memory/4828-165-0x0000000010480000-0x00000000104F0000-memory.dmp | upx
  behavioral2/memory/3636-166-0x0000000010560000-0x00000000105D0000-memory.dmp | upx

Note: PIDs 4260 and 4620 both run the same file, yet their image regions at base 0x400000 differ in size (0xD8000 versus 0x78000), which is consistent with the child's original image having been replaced. The 0x10410000-0x105D0000 ranges flagged in 4620, 4828 and 3636 are UPX-packed modules mapped into the sample and into the two explorer.exe children it spawned.
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Trojan-Ransom.Win32.Blocker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\ProgramData\\chrome.exe" | Trojan-Ransom.Win32.Blocker.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | Trojan-Ransom.Win32.Blocker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\ProgramData\\chrome.exe" | Trojan-Ransom.Win32.Blocker.exe
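The three registry mechanisms recorded above (Policies\Explorer\Run, Active Setup StubPath, and the plain Run key) are this sample's whole persistence story, and they share two tells: the target lives in C:\ProgramData and borrows the name chrome.exe. The script below is an added example, not part of the Triage report and not CyberGate code, that flags those tells in Sysmon Event ID 13 (registry value set) records. The records are constructed by hand from the IoCs above plus one benign Chrome entry; the Sysmon field names, the table of expected install directories and the benign entry's GUID are assumptions made for the illustration. It also checks that an Active Setup component name is a well-formed GUID, which the one in this report is not.

```python
"""Flag autostart registry writes with the tells seen in this report.
Added example; not Triage output and not CyberGate code."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"

# Constructed Sysmon Event ID 13 (registry value set) records, built by hand
# from the report's IoCs plus one benign Chrome record. Field names follow
# Sysmon's schema; the benign record's values are illustrative assumptions.
EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": r"C:\ProgramData\chrome.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32785T2B-3RP5-K637-16DE-BS8683XTM03X}\StubPath",
     "Details": r"C:\ProgramData\chrome.exe Restart"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM",
     "Details": r"C:\ProgramData\chrome.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463C-AFF1-A69D9E530F96}\StubPath",
     "Details": r"C:\Program Files\Google\Chrome\Application\chrome.exe --configure-user-settings"},
    {"EventID": 1, "Image": SAMPLE, "TargetObject": "", "Details": ""},  # not a registry event
]

# Autostart locations, matched anywhere in the key path so that HKLM/HKCU and
# WOW6432Node variants are all caught.
PERSIST_RULES = [
    (re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I), "policy Run key"),
    (re.compile(r"\\Active Setup\\Installed Components\\\{[^}]*\}\\StubPath$", re.I), "Active Setup StubPath"),
    (re.compile(r"\\CurrentVersion\\Run\\", re.I), "Run key"),
]
USER_WRITABLE = re.compile(r"^(C:\\ProgramData\\|C:\\Users\\|C:\\Windows\\Temp\\)", re.I)
# Binary names worth impersonating and the directory fragment a real install
# sits under (assumption: default install locations).
EXPECTED_DIRS = {"chrome.exe": r"\google\chrome\application",
                 "msedge.exe": r"\microsoft\edge\application"}
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


def image_path(details):
    """Pull the executable path out of a registry value that may carry
    arguments, e.g. 'C:\\ProgramData\\chrome.exe Restart'."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", d, re.I)
    return m.group(1) if m else d


def assess(event):
    """Return a finding for an autostart write, or None for anything else."""
    if event.get("EventID") != 13:
        return None
    target = event["TargetObject"]
    mechanism = next((label for rx, label in PERSIST_RULES if rx.search(target)), None)
    if mechanism is None:
        return None
    path = image_path(event["Details"])
    reasons = []
    if USER_WRITABLE.match(path):
        reasons.append("autostart target in a user-writable directory")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in EXPECTED_DIRS and EXPECTED_DIRS[name] not in path.lower():
        reasons.append(f"{name} outside its normal install directory")
    if mechanism == "Active Setup StubPath":
        guid = re.search(r"\{[^}]*\}", target).group(0)
        if not GUID_RE.match(guid):
            reasons.append("component name is not a well-formed GUID")
    return {"mechanism": mechanism, "writer": event["Image"], "path": path,
            "severity": "high" if reasons else "info", "reasons": reasons}


def scan(events):
    """Findings for every autostart write in the event list, in order."""
    return [f for f in map(assess, events) if f]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['severity']}] {f['mechanism']} -> {f['path']} (written by {f['writer']})")
        for r in f["reasons"]:
            print("     ", r)
```

The benign Chrome record comes out as "info" because its target sits under the expected install directory and its GUID is well-formed; all three records from this report come out "high", the Active Setup one on three counts.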
Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 4260 set thread context of 4620 | 4260 | Trojan-Ransom.Win32.Blocker.exe | 80

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3636 | explorer.exe
  Token: SeDebugPrivilege | 3636 | explorer.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  4620 | Trojan-Ransom.Win32.Blocker.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | procid_target
  PID 4260 wrote to memory of 4620 | 4260 | Trojan-Ransom.Win32.Blocker.exe | 80   (8 identical entries)
  PID 4620 wrote to memory of 3044 | 4620 | Trojan-Ransom.Win32.Blocker.exe | 58   (all remaining entries, identical)
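Taken together with the process tree, the signatures above describe one chain: the sample (PID 4260) starts a second copy of itself (PID 4620), sets that copy's thread context and writes into it, which is the pattern of a process being hollowed out and refilled; the refilled copy then launches C:\Windows\SysWOW64\explorer.exe twice (the configured injected_process) and writes repeatedly into the real desktop shell, Explorer.EXE (PID 3044), which is not its descendant; one of the explorer.exe children (PID 3636) goes on to enable SeDebugPrivilege. The script below is an added example, not part of the Triage report and not CyberGate code, that rebuilds that chain from process-create and cross-process-access records. The records are constructed from the report's own PIDs, images and signature rows; the record format is an assumption, and the "untrusted directory" list is a heuristic chosen for the illustration.

```python
"""Reconstruct a self-hollowing and injection chain from process-create and
cross-process access records. Added example; not Triage output and not
CyberGate code."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
# Directories a legitimate long-lived host process should not be launched
# from (heuristic, assumption for this example).
UNTRUSTED_DIR = re.compile(r"^(C:\\ProgramData\\|C:\\Users\\|C:\\Windows\\Temp\\)", re.I)

# Constructed from the report's process tree (ppid 0 = parent not recorded).
PROCESSES = [
    {"pid": 3044, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE"},
    {"pid": 4260, "ppid": 3044, "image": SAMPLE},
    {"pid": 4620, "ppid": 4260, "image": SAMPLE},
    {"pid": 4828, "ppid": 4620, "image": r"C:\Windows\SysWOW64\explorer.exe"},
    {"pid": 788,  "ppid": 4620, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"pid": 3636, "ppid": 4620, "image": r"C:\Windows\SysWOW64\explorer.exe"},
]
# Constructed from the SetThreadContext, WriteProcessMemory and
# AdjustPrivilegeToken signature rows (repeat rows collapsed).
ACCESS = [
    {"api": "SetThreadContext",    "src": 4260, "dst": 4620},
    {"api": "WriteProcessMemory",  "src": 4260, "dst": 4620},
    {"api": "WriteProcessMemory",  "src": 4620, "dst": 3044},
    {"api": "AdjustPrivilegeToken", "src": 3636, "dst": 3636, "priv": "SeDebugPrivilege"},
]


def build_tree(procs):
    """Index processes by pid and by parent pid."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def is_descendant(children, ancestor, pid):
    """True if pid is anywhere below ancestor in the tree."""
    stack = list(children[ancestor])
    while stack:
        cur = stack.pop()
        if cur == pid:
            return True
        stack.extend(children[cur])
    return False


def analyze(procs, access):
    """Return (rule, source_pid, target_pid) findings."""
    by_pid, children = build_tree(procs)
    findings = []
    # A binary from an untrusted directory launching a system or Program
    # Files binary: the classic way to obtain an innocuous-looking host.
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent and UNTRUSTED_DIR.match(parent["image"]) and not UNTRUSTED_DIR.match(p["image"]):
            findings.append(("host_from_untrusted_parent", parent["pid"], p["pid"]))
    for a in access:
        src, dst = by_pid[a["src"]], by_pid[a["dst"]]
        # Thread context rewritten in a child running the same image: the
        # parent has replaced the child's code (hollowing).
        if a["api"] == "SetThreadContext" and dst["ppid"] == src["pid"] \
                and dst["image"].lower() == src["image"].lower():
            findings.append(("self_hollowing", src["pid"], dst["pid"]))
        # Writes into a process the writer did not create are injection;
        # writes into its own children are expected during hollowing.
        elif a["api"] == "WriteProcessMemory" and not is_descendant(children, src["pid"], dst["pid"]):
            findings.append(("cross_process_write", src["pid"], dst["pid"]))
        # SeDebugPrivilege is only interesting when the process asking for it
        # was itself spawned by something untrusted.
        elif a["api"] == "AdjustPrivilegeToken" and a.get("priv") == "SeDebugPrivilege":
            parent = by_pid.get(src["ppid"])
            if parent and UNTRUSTED_DIR.match(parent["image"]):
                findings.append(("debug_privilege_in_untrusted_child", src["pid"], src["pid"]))
    return findings


def describe(findings, procs):
    """Human-readable lines such as 'self_hollowing: x.exe(4260) -> x.exe(4620)'."""
    by_pid, _ = build_tree(procs)

    def short(pid):
        return by_pid[pid]["image"].rsplit("\\", 1)[-1] + f"({pid})"

    return [f"{rule}: {short(s)} -> {short(d)}" for rule, s, d in findings]


if __name__ == "__main__":
    for line in describe(analyze(PROCESSES, ACCESS), PROCESSES):
        print(line)
```

The write from 4260 into 4620 is deliberately not reported as cross-process injection: it targets the writer's own child and is the mechanism of the hollowing that the SetThreadContext finding already names. The write from 4620 into 3044 is different in kind, because the real shell is an ancestor, not a descendant, of the writer.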
Processes (depth shown by the leading number)

1. C:\Windows\Explorer.EXE  (PID 3044)
   command line: C:\Windows\Explorer.EXE

   2. C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe  (PID 4260)
      command line: "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe  (PID 4620)
         command line: "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
         - Adds policy Run key to start application
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\explorer.exe  (PID 4828)
            command line: explorer.exe
            - Modifies Installed Components in the registry

         4. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 788)
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

         4. C:\Windows\SysWOW64\explorer.exe  (PID 3636)
            command line: explorer.exe
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1 (same hashes as the submitted sample)
- Filesize: 584KB
- MD5: b60424fa1a6e4ed0deb5610101d5c31c
- SHA1: b5d3467d8a377ba925d1ddcf0a26c1a077838d01
- SHA256: ed4f4d1c793df2039ff33416bfa650a392492720fcd684bff997261f22f391d1
- SHA512: 4620d1d59d821ae7500af490c8ec0c83a4fe782891a15c2887eca76622e76700132dbeb54d0ffe5436d205399cea147de1f8484cf8a3ad98939fc3fcebb44daf

File 2
- Filesize: 385KB
- MD5: 9b2702984014386353790b9b390581bd
- SHA1: a73ec7d25ebdbfb5904b31d82e456d1819ca9631
- SHA256: aa366ec1d800ef6709b50d33ed68d87c2248ac9cfeba0e66db1e0d7fcfa64093
- SHA512: bba614f44a4302a8880484ba82414de3deb70aeedfdd6186aed5bcfd745d5fa08f16f88b37dbea2a3aad2c37075751d203a6bee27a08347daef5cba7049f12c6