Analysis
max time kernel: 154s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 12:37
Static task: static1
Behavioral task: behavioral1
Sample: 444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe
Resource: win7-20220812-en
General
Target: 444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe
Size: 2.4MB
MD5: 8809a4a1ea93bd00e285537b667be695
SHA1: e188033f765e93fd006bbf7d24df90558c9b4e45
SHA256: 444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e
SHA512: 17d1606a8deaf0e5b27aa2ac79fba47ebd5c972f0675537ad8b4e90839b394f346cb0266382f6520e3a94c2735bbd001cd104f68e1961cf5c22d986cb665915a
SSDEEP: 49152:+moLw7thjaodvMM+ZizIHcamGI+YJ3gYju9SFw5u:PoytA4UM+ZizIHcBGUJQg0+h
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
KI
C2: rhkrdlf.codns.com:8000
T574NUUW0H2LS1
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 1234
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (windows.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (server.exe)

Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (windows.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" (windows.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (windows.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" (windows.exe)

Executes dropped EXE (3 IoCs)
- PID 2028 windows.exe
- PID 2232 foxserver.exe
- PID 5092 server.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N} (windows.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" (windows.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe" (explorer.exe)
Note the two writers: windows.exe sets the StubPath first with a "Restart" argument, and the explorer.exe host later rewrites it without the argument, so a detection keyed on the value content should accept both forms. The component name is not a hex GUID, which is itself a tell.

YARA rule: upx (9 memory dumps)
- behavioral2/memory/2028-142-0x0000000010410000-0x0000000010475000-memory.dmp
- behavioral2/memory/2028-147-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/4924-150-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/4924-151-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/2028-156-0x00000000104F0000-0x0000000010555000-memory.dmp
- behavioral2/memory/3608-159-0x00000000104F0000-0x0000000010555000-memory.dmp
- behavioral2/memory/3608-165-0x00000000104F0000-0x0000000010555000-memory.dmp
- behavioral2/memory/4924-168-0x0000000010480000-0x00000000104E5000-memory.dmp
- behavioral2/memory/3608-170-0x00000000104F0000-0x0000000010555000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe)

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine (server.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine (windows.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 2028 windows.exe
- PID 5092 server.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this signature generically; nothing else in this report (a RAT build with keylogger options, registry persistence and process injection, and no file encryption) points to ransomware.

Program crash (1 IoC)
- PID 756 WerFault.exe, target PID 5092 (procid_target 85)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 2028 windows.exe (4 hits)
- PID 5092 server.exe (2 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3608 explorer.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeBackupPrivilege, PID 4924 explorer.exe
- Token: SeRestorePrivilege, PID 4924 explorer.exe
- Token: SeBackupPrivilege, PID 3608 explorer.exe
- Token: SeRestorePrivilege, PID 3608 explorer.exe
- Token: SeDebugPrivilege, PID 3608 explorer.exe (2 hits)

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2028 windows.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2232 foxserver.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 4800 (444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe) wrote to memory of PID 2028 (procid_target 81): 3 rows
- PID 4800 (444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe) wrote to memory of PID 2232 (procid_target 82): 3 rows
- PID 2028 (windows.exe) wrote to memory of PID 2640 (procid_target 54): the remaining 58 of the 64 rows
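The registry activity flagged above (policy Run key, Active Setup StubPath, the VirtualBox ACPI and Wine probes, the Geo\Nation lookup) maps directly onto detection rules. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it classifies registry events supplied in a Sysmon-like shape (EventType, Image, TargetObject, Details; the field names are an assumption) using path patterns taken from the IoCs above, and adds two context checks a bare path match lacks: whether the persisted image lives outside the Windows and Program Files trees, and whether the Active Setup component name is a real hex GUID (the {K7WP3FMV-...} name above is not). The sample events are constructed from this report's IoCs plus one made-up benign Active Setup write used as a control. Caveat: Sysmon records key create/delete/rename and value set (Event IDs 12-14) but not key opens or value reads, so the anti-VM, Wine and Geo rules only fire on sandbox API traces or kernel registry ETW, never on Sysmon data alone.

```python
import re
from collections import defaultdict

# Registry paths lifted from the signature IoCs above. Sandbox traces print the
# native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes while Sysmon prints
# HKLM / HKU\<SID>, so each pattern anchors on the tail of the path and tolerates
# the WOW6432Node redirect a 32-bit writer sees.
RULES = [
    # (tag, event types the tag applies to, pattern on TargetObject)
    ("persistence.policies_explorer_run", {"CreateKey", "SetValue"},
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run(\\|$)", re.I)),
    ("persistence.active_setup_stubpath", {"SetValue"},
     re.compile(r"\\Software\\(WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\\{[^}]+\}\\StubPath$", re.I)),
    # Sysmon never emits OpenKey/QueryValue (it logs IDs 12-14 only); these come
    # from sandbox API traces or kernel registry ETW.
    ("anti_vm.virtualbox_acpi", {"OpenKey", "QueryValue"},
     re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
    ("anti_sandbox.wine", {"OpenKey", "QueryValue"},
     re.compile(r"\\Software\\Wine$", re.I)),
    ("recon.geo_nation", {"QueryValue"},
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]

# Genuine Active Setup component names are GUIDs: hex groups of 8-4-4-4-12.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Roots under which an installer-written StubPath or policy Run image normally lives.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def classify(event):
    """Return the tags one registry event matches, plus context tags."""
    tags = []
    target = event["TargetObject"]
    for tag, event_types, pattern in RULES:
        if event["EventType"] in event_types and pattern.search(target):
            tags.append(tag)

    if "persistence.active_setup_stubpath" in tags:
        component = target.split("\\")[-2]          # the {...} key under Installed Components
        if not GUID_RE.match(component):
            tags.append("active_setup.non_hex_component_id")

    if any(t.startswith("persistence.") for t in tags):
        image = event.get("Details", "").strip('"').lower()
        if image and not image.startswith(TRUSTED_ROOTS):
            tags.append("persistence.untrusted_image")
    return tags


def is_noteworthy(tags):
    """Escalate on persistence from an untrusted path or any anti-analysis probe."""
    return ("persistence.untrusted_image" in tags
            or any(t.startswith(("anti_vm.", "anti_sandbox.")) for t in tags))


def triage(events):
    """Group matched tags by the process image that produced them."""
    by_image = defaultdict(set)
    for event in events:
        by_image[event["Image"]].update(classify(event))
    return {image: sorted(tags) for image, tags in by_image.items() if tags}


SID = "S-1-5-21-2891029575-1462575-1165213807-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe"
STUB = r"c:\directory\CyberGate\install\server.exe"

# Constructed from the IoCs in the signatures above (Sysmon-like field names are an
# assumption). The last entry is a made-up benign Active Setup write used as a control.
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": r"C:\windows.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies",
     "Details": STUB},
    {"EventType": "SetValue", "Image": r"C:\windows.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N}\StubPath",
     "Details": STUB + " Restart"},
    {"EventType": "OpenKey", "Image": r"C:\windows.exe",
     "TargetObject": "HKU\\" + SID + "\\Software\\Wine"},
    {"EventType": "OpenKey", "Image": r"C:\directory\CyberGate\install\server.exe",
     "TargetObject": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"EventType": "QueryValue", "Image": SAMPLE,
     "TargetObject": "HKU\\" + SID + "\\Control Panel\\International\\Geo\\Nation"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe",   # hypothetical control
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D2B8F73-4C6A-4E1B-9A2F-7B3C5D6E8F90}\StubPath",
     "Details": r"C:\Windows\System32\component_setup.exe /install"},
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(("ESCALATE " if is_noteworthy(tags) else "info     ") + image, tags)
```

The control entry matches the same Active Setup pattern as the CyberGate write but picks up neither context tag, which is the point: the pattern alone is noisy on real hosts, the untrusted path and non-hex component name are what separate this sample's persistence from an installer's.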
Processes
[1] PID 2640  C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
  [2] PID 4800  C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] PID 2028  C:\windows.exe
        cmdline: "C:\windows.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] PID 4924  C:\Windows\SysWOW64\explorer.exe
          cmdline: explorer.exe
          - Modifies Installed Components in the registry
          - Suspicious use of AdjustPrivilegeToken
      [4] PID 3608  C:\Windows\SysWOW64\explorer.exe
          cmdline: explorer.exe
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
        [5] PID 5092  C:\directory\CyberGate\install\server.exe
            cmdline: "C:\directory\CyberGate\install\server.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
          [6] PID 756  C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 772
              - Program crash
    [3] PID 2232  C:\foxserver.exe
        cmdline: "C:\foxserver.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
[1] PID 2440  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5092 -ip 5092
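The WriteProcessMemory rows and the process tree above, read together, separate two things a bare "wrote to another process" count conflates: writes into processes the sample itself spawned (PID 4800 into its dropped windows.exe and foxserver.exe, the usual drop-then-write pattern) and writes into a pre-existing process, here PID 2640, the 64-bit shell C:\Windows\Explorer.EXE, which matches the extracted config's injected_process of explorer.exe. The Python below is an added example, not part of the report or of any tooling: it encodes the tree and the write counts as listed above (58 writes into 2640 is the 64-row table minus the six writes into the children), computes the sample's own subtree and labels each writer/target pair. The two SysWOW64 explorer.exe instances (4924, 3608) are children of windows.exe, so a rule keyed on the target's image name alone would lump them together with the live shell; the subtree check does not.

```python
from collections import Counter, defaultdict

# Process tree as listed in the Processes section above: (pid, parent pid, image).
# Depth-1 entries have no parent inside the trace.
PROCESS_TREE = [
    (2640, None, r"C:\Windows\Explorer.EXE"),
    (4800, 2640, r"C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe"),
    (2028, 4800, r"C:\windows.exe"),
    (4924, 2028, r"C:\Windows\SysWOW64\explorer.exe"),
    (3608, 2028, r"C:\Windows\SysWOW64\explorer.exe"),
    (5092, 3608, r"C:\directory\CyberGate\install\server.exe"),
    (756, 5092, r"C:\Windows\SysWOW64\WerFault.exe"),
    (2232, 4800, r"C:\foxserver.exe"),
    (2440, None, r"C:\Windows\SysWOW64\WerFault.exe"),
]

# (writer pid, target pid, rows) from the WriteProcessMemory signature above:
# 3 + 3 writes into the two dropped children, the other 58 of 64 rows into the shell.
CROSS_PROCESS_WRITES = [
    (4800, 2028, 3),
    (4800, 2232, 3),
    (2028, 2640, 58),
]

SAMPLE_PID = 4800
INJECTED_PROCESS = "explorer.exe"   # injected_process from the extracted config


def subtree(tree, root):
    """PIDs of root plus every process descended from it."""
    children = defaultdict(list)
    for pid, ppid, _ in tree:
        children[ppid].append(pid)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def classify_writes(tree, writes, sample_pid, injected_process):
    """Label each writer->target pair by where the target sits relative to the sample."""
    images = {pid: image for pid, _, image in tree}
    own = subtree(tree, sample_pid)
    findings = []
    for writer, target, rows in writes:
        target_image = images.get(target, "<not in tree>")
        basename = target_image.rsplit("\\", 1)[-1].lower()
        if target in own:
            kind = "own-child"            # drop-then-write into a process it spawned
        elif basename == injected_process.lower():
            kind = "inject-configured"    # pre-existing process named in the config
        else:
            kind = "inject-other"         # pre-existing process the config did not name
        findings.append({
            "writer": writer, "writer_image": images.get(writer, "<not in tree>"),
            "target": target, "target_image": target_image,
            "rows": rows, "kind": kind,
        })
    return findings


def summarize(findings):
    """Total WriteProcessMemory rows per label."""
    totals = Counter()
    for f in findings:
        totals[f["kind"]] += f["rows"]
    return dict(totals)


if __name__ == "__main__":
    findings = classify_writes(PROCESS_TREE, CROSS_PROCESS_WRITES, SAMPLE_PID, INJECTED_PROCESS)
    for f in findings:
        print(f"{f['kind']:18} {f['writer']} -> {f['target']} ({f['target_image']}) x{f['rows']}")
    print(summarize(findings))
```

One follow-up the labels suggest: the writer is a 32-bit process (the WOW6432Node registry paths and SysWOW64 children above show that) and the target is the 64-bit shell, so whether those 58 writes produced a working implant in 2640 is worth confirming from the memory dumps rather than assumed; the 64 rows shown record no writes into the explorer.exe instances windows.exe launched itself.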
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files (identical entries merged; the page lists each drop separately)

Filesize: 224KB
MD5: 7c7261023415d682b52e200532aa2f24
SHA1: 312010f4675054e6fccf9a8beda19b42e34ad59d
SHA256: 4ea8a9572a8d02df1b899b285bf6c5aaf254bb393c37ed04301b42b195e020c3
SHA512: d3a07fbcda8769623524e630e75c599e42bb09871c887898751b1548ee66b7347145b333fc4592e77c623e758a00d4ffb8884148b761c9c62f2b623679af8fb3

Filesize: 1.0MB (listed 4 times)
MD5: ee6444ed154169c95dbc9a7eb23e2f44
SHA1: 1e78051c1a8312573b96685fd4b3b51b5733bc1a
SHA256: 74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4
SHA512: c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

Filesize: 3.3MB (listed 2 times)
MD5: 21771115fc06f673950bc12c8af47b10
SHA1: 208c2b72cf3295fe2607bfde8082daee38a24ed3
SHA256: ce9bae3731cb8398bccdeb7ea83b006ad2a1b8ec632d9c432fab0724583250c3
SHA512: 8b49408e41c7d5708e99900a79bbdbf7b042e84875b0b397c4691f73b0b4b3577babb6bec8a676454d197b1004fda804bf8625997a280a2a02a69ca5a437484a