Analysis
- max time kernel: 150s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2022, 00:37
Static task: static1
Behavioral task: behavioral1
Sample: 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
Resource: win7-20220901-en
General
- Target: 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
- Size: 670KB
- MD5: b0077bd93b27299296cd18dd55ba1274
- SHA1: c5d5fa40ecef24140b9b04cb2f81326bb55cb710
- SHA256: 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87
- SHA512: 02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500
- SSDEEP: 12288:Jqg8d2RDvCYiJwa5FO7AnlxkqP03tbOY7ranR5/rieemCT3rrB96:og8lvvlxhMdbr7KR5TieBCjBA
Malware Config
Extracted
- cybergate
- v1.07.5
- Tencent
- symeon3melrich.no-ip.org:45010
- danielclaudede.dyndns.org:13889
- murazawahara.no-ip.info:7070
- 4F65LA3N53DH5P
Attributes
- enable_keylogger = false
- enable_message_box = false
- ftp_directory = ./logs/
- ftp_interval = 30
- injected_process = explorer.exe
- install_dir = install
- install_file = server.exe
- install_flag = false
- keylogger_enable_ftp = false
- message_box_caption = Remote Administration anywhere in the world.
- message_box_title = CyberGate
- password = ZBj2
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1512  QTTask.exe
- YARA rule matches (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1656-96-0x0000000010410000-0x0000000010475000-memory.dmp   upx
  behavioral1/memory/1992-102-0x0000000010410000-0x0000000010475000-memory.dmp  upx
  behavioral1/memory/1992-105-0x0000000010410000-0x0000000010475000-memory.dmp  upx
  behavioral1/memory/1992-108-0x0000000010410000-0x0000000010475000-memory.dmp  upx
- Loads dropped DLL (2 IoCs)
  pid   Process
  1128  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
  1128  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QuickTime Task = "C:\\Program Files (x86)\\Quicktime\\QTTask.exe"  QTTask.exe
- Checks whether UAC is enabled (2 IoCs)
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  QTTask.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process     procid_target
  PID 1512 set thread context of 1656  1512  QTTask.exe  35
- Drops file in Program Files directory (2 IoCs)
  description                   ioc                                         Process
  File created                  C:\Program Files (x86)\Quicktime\QTTask.exe  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
  File opened for modification  C:\Program Files (x86)\Quicktime\QTTask.exe  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1128  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
  1128  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
  1512  QTTask.exe
  1512  QTTask.exe
  1512  QTTask.exe
  1512  QTTask.exe
  1512  QTTask.exe
  1512  QTTask.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1128  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
  Token: SeDebugPrivilege   1512  QTTask.exe
  Token: SeBackupPrivilege  1992  vbc.exe
  Token: SeRestorePrivilege 1992  vbc.exe
  Token: SeDebugPrivilege   1992  vbc.exe
  Token: SeDebugPrivilege   1992  vbc.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in the last column)
  description                        pid   Process                                                                  procid_target  rows
  PID 1128 wrote to memory of 2012   1128  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe  27             4
  PID 2012 wrote to memory of 940    2012  vbc.exe                                                                  29             4
  PID 1128 wrote to memory of 1512   1128  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe  31             4
  PID 1512 wrote to memory of 788    1512  QTTask.exe                                                               32             4
  PID 788 wrote to memory of 1556    788   vbc.exe                                                                  34             4
  PID 1512 wrote to memory of 1656   1512  QTTask.exe                                                               35             12
  PID 1656 wrote to memory of 1992   1656  vbc.exe                                                                  36             32
- System policy modification (1 TTP, 2 IoCs)
  description      ioc                                                                                                   Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"  2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"  QTTask.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe (PID 1128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87.exe"
  Signatures: Loads dropped DLL; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2012)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ulq-idlq.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 940)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EA9.tmp"
  - C:\Program Files (x86)\Quicktime\QTTask.exe (PID 1512)
    Command line: "C:\Program Files (x86)\Quicktime\QTTask.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 788)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4bnzzioe.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1556)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24E0.tmp"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1656)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1992)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        Signatures: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2028)
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 670KB
  MD5: b0077bd93b27299296cd18dd55ba1274
  SHA1: c5d5fa40ecef24140b9b04cb2f81326bb55cb710
  SHA256: 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87
  SHA512: 02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500
- Filesize: 670KB
  MD5: b0077bd93b27299296cd18dd55ba1274
  SHA1: c5d5fa40ecef24140b9b04cb2f81326bb55cb710
  SHA256: 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87
  SHA512: 02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500
- Filesize: 495KB
  MD5: 7e5f8efa69eb9cc7aad9bcb260a3aa6e
  SHA1: 736845afa1f7c721fef72ba8e90bb3148dda4fd3
  SHA256: bd695709c27bfc8eb641fc76b3388665e1e77151563a1eeebe82a3671787b169
  SHA512: 9ac8394dc7b6f36fb264f4e0116935ff39eed9da7e4ab73d2f2f97891d9d91dc8c02ae09e6a6488a16690c3bfdd6b2361f9cb43e1da66b9291c34b2bda2d0566
- Filesize: 276B
  MD5: 0cc9dc57d595e8e52aae58c85d49d09d
  SHA1: 7eace804adc9557f086830c008ae6b31593b9f6e
  SHA256: 8fb32b45a22a002a6796bbed858e54ff5f18c3003c9341920d87f98b7378ec09
  SHA512: a4a3be0aba32e2efab9d5d6053a997d933422454853e755197975c713c0d88cab77e87fd2fd88c3093ef657532a0c3a94d4525484050cc520a45f7be2289bb11
- Filesize: 828KB
  MD5: 21647ff67d4bbc17d6eebe35d6920e95
  SHA1: 162c4644b6ae0012e343641a3b57cb96125fecd7
  SHA256: f968ff986d220a185513cfa22218cbe57db3673e0b0adb95f5d4083876d911ad
  SHA512: 5efd88c9cedacb1b3a1ef95f0ec698dabb78bf473b6975eaab41163839bcda11c07643268ab47bd4e50272bb432eb68635de1c910909a14af2b32aa04974a8f9
- Filesize: 225KB
  MD5: 808875e359b28814b60dea4ea691903d
  SHA1: 396c48f1346c1fe954a2225f22d8e79ab2cb72a3
  SHA256: 4f896bc5cb22c597ceea4d554a970a6696361df57bb06e01b55f77403fdf1868
  SHA512: b0d3bc9eb03cac4d779ce305aacbcc4b4f383560ebc81115552ddc88d9cf0237c42655b518fe79d81079a6e4720884d14c2ffc4e8212f26eb647901172e52f03
- Filesize: 1KB
  MD5: 5bf8ef842905b1a851800129f5a8a18d
  SHA1: 47fd3877959e80416bae613836689994c27f6b14
  SHA256: 4a7a1aad0d49020e79b1146e9496dc283ec0ed1530c7bdaffdea5df6ff3bdef3
  SHA512: d2b4568e39fde32d2d7ddf95331f45af4411b7f333069f68cd208d1d4b3e0c430d2e53c7496e54c592cba156ab81c6367e76f0621e6ed4f572c75b5eb624df6a
- Filesize: 1KB
  MD5: 5c16dd173ed2b11768506e587ea91c83
  SHA1: 380839679399cdda3135b2acba23a739f230fbc1
  SHA256: 9b4c18665ba25a4169934ac94dc72e15ac60fc6f468d51071a440c6d00f16110
  SHA512: de4236de7af88e1e36502b419a990709a9208e0e66494ad472db5e39f96583876f823efc61df06170d94e1da96b90588267dac5a6cf216da25619a809115b469
- Filesize: 495KB
  MD5: 7e5f8efa69eb9cc7aad9bcb260a3aa6e
  SHA1: 736845afa1f7c721fef72ba8e90bb3148dda4fd3
  SHA256: bd695709c27bfc8eb641fc76b3388665e1e77151563a1eeebe82a3671787b169
  SHA512: 9ac8394dc7b6f36fb264f4e0116935ff39eed9da7e4ab73d2f2f97891d9d91dc8c02ae09e6a6488a16690c3bfdd6b2361f9cb43e1da66b9291c34b2bda2d0566
- Filesize: 276B
  MD5: 20f8cc6ec3aef1c1dbb7ba74305c49da
  SHA1: f071b4a91183cceb991c2a53a24eee71a5164613
  SHA256: 0cb1649bff702bb3d3055178d709b879db8d482c72bb6b26dbc53674034b6910
  SHA512: 1f72a20a6da8a84f3e72883c8b196bedecf33ed8c276f565c37f19e711ec5c909b4288fbd38ab1fcfed137cda61e769c004c984e8d0e8e9b50042b99c68a9654
- Filesize: 828KB
  MD5: 17e43d393c8d35f0c7e048d33b7375dd
  SHA1: 2af608a8c494a4cad8ecea5aa532be700f480673
  SHA256: 84590ba2ec174764d0c58029a6c4fb4b9970790f1f0e0dfa8c67a1c3f1b2cbf3
  SHA512: b38a8a1c21c28b5837b1f4a0dd1e4d3ec1bf77c7f4c8cebd0c34eb00ba0e959e7a0fb0bf3291306061f43ac97da717105d0b5c22ae3525bd3325226976486095
- Filesize: 652B
  MD5: 1d3e212789a4f0d8fecca7618325c975
  SHA1: 3577389009237c5a7eed3e0f3ac965fe8fcf08e1
  SHA256: 075a6368434af7b75c3b2ab02bd11b5aaee4be846234d466d07ed30d8590b4a2
  SHA512: f7370b432aa77c345776bc06a2d0adc6477d0cb8b3ff84a0dc672ecf6669f7107706674028e46b111564a2ca34672f14b26a711bffc16e5ea4a00a53f6e30f73
- Filesize: 652B
  MD5: d853aedbf23fbe2aa294f219fc6c988c
  SHA1: 567a5b06e303de9a89fb19aad22880509962dee7
  SHA256: 73d89fd55a7ed88113f904f9ce3ce512071b872086d534fc75e0efae9dc06a4d
  SHA512: 35f9887ad62b056113055d5d9327d5fb47358190d9b96f6fed70e4b1d3875416ca3330b49d0b90c5c6c344d083e25a4007e4780378dafc7838cae0ba02cd8622
- Filesize: 670KB
  MD5: b0077bd93b27299296cd18dd55ba1274
  SHA1: c5d5fa40ecef24140b9b04cb2f81326bb55cb710
  SHA256: 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87
  SHA512: 02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500
- Filesize: 670KB
  MD5: b0077bd93b27299296cd18dd55ba1274
  SHA1: c5d5fa40ecef24140b9b04cb2f81326bb55cb710
  SHA256: 2bade740e054594eed03cd6d5619a9e37fba63cbf8c4d944fbaeaf1a6737ba87
  SHA512: 02d2cd9b233d819623399746487a4c02162d4d03b9e2aaefdb094ec868b8f19a7cd20c15e84b062ee8b8722759ec37c0b484f189a01239e062ace030caca1500