Analysis
-
max time kernel: 152s
max time network: 128s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2022, 17:08
Static task
static1
Behavioral task
behavioral1
Sample
425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe
Resource
win7-20220812-en
General
-
Target
425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe
-
Size
440KB
-
MD5
820c11a1dccc96169392bb5a0b1863fc
-
SHA1
da4fd4b09a69de34770b4e10c81d5149544031d8
-
SHA256
425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2
-
SHA512
84dd22748ecc1d378749032fb68779640e404de0c969f6a984d7e36de95fa5ee8d6eff0fbee9b04aa60cf9ffc3f8837f0a1ea4096ac061ae9fb9a24f752c477c
-
SSDEEP
12288:CV2pOwh2ILEc/kdUA9iCOd/wCzINCJUSuPac7ax5CrhjuwoPi:jrh5LEagXiCOvzIMJUdYgj5K
Malware Config
Extracted
cybergate
v3.4.2.2
xXx
sidactionorg.no-ip.org:1040
YR0GPGWO353P54
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
10080
-
ftp_password
aEiJv^fPL`M^hT>3[M
-
ftp_port
21
-
ftp_server
sidactionorg.esy.es
-
ftp_username
u838635477.callofduty3300
-
injected_process
svchost.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
false
-
keylogger_enable_ftp
true
-
message_box_caption
Welcome Thank You For Download
-
message_box_title
INFO NWES
-
password
123
Signatures
-
resource | yara_rule
behavioral1/memory/2000-80-0x0000000010410000-0x0000000010480000-memory.dmp | upx
behavioral1/memory/1952-85-0x0000000010410000-0x0000000010480000-memory.dmp | upx
behavioral1/memory/1952-86-0x0000000010410000-0x0000000010480000-memory.dmp | upx
behavioral1/memory/1952-89-0x0000000010410000-0x0000000010480000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe" | 425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1692 set thread context of 2000 | 1692 | 425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe | 28
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1692 | 425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe
(this pid/process pair is repeated for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1692 | 425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe
Token: SeDebugPrivilege | 1952 | applaunch.exe
Token: SeDebugPrivilege | 1952 | applaunch.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1692 wrote to memory of 2000 | 1692 | 425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe | 28 (repeated)
PID 2000 wrote to memory of 1952 | 2000 | applaunch.exe | 29 (repeated)
(64 IoCs in total: the sample writes into the first applaunch.exe instance, which then writes into the second)
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe
command line: "C:\Users\Admin\AppData\Local\Temp\425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1692
[depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
- Suspicious use of WriteProcessMemory
PID: 2000
[depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
- Suspicious use of AdjustPrivilegeToken
PID:1952
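The Signatures and Processes sections above record the ingredients of the injection chain (SetThreadContext on PID 2000, WriteProcessMemory from 1692 into 2000 and from 2000 into 1952, SeDebugPrivilege enabled in 1692 and 1952) and an HKCU Run key whose target sits in the user's Temp folder under a Microsoft-branded value name. The Python below is an added example, not sandbox output and not CyberGate code: it parses constructed lines re-typed from this report, rebuilds the chain 1692 → 2000 → 1952, labels the 1692→2000 hop as hollowing-style because a memory write is paired with a thread-context change, and flags the Run key on two heuristics (target under AppData\Local\Temp, value name borrowing vendor branding). Note that the extracted config names svchost.exe as injected_process while the observed host is the .NET applaunch.exe, so the chain follows observed PIDs rather than the configured target. The regular expressions match this report's rendered text, not any sandbox's export format, and the vendor word list is an assumption.

```python
"""Rebuild the injection chain, persistence verdict and privilege map from
sandbox signature telemetry (added example; not sandbox or CyberGate code)."""
import re
from collections import defaultdict

SAMPLE = "425f0b2bb38b28715866b29ebbf584e02f8dbc32d71072fa3f9a9b1d0f4a68e2.exe"

# Constructed sample: de-duplicated lines re-typed from this report's Signatures
# section. The regexes below target this rendered text, not a sandbox export format.
TELEMETRY = [
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System"
    f' = "C:\\\\Users\\\\Admin\\\\AppData\\\\Local\\\\Temp\\\\{SAMPLE}" {SAMPLE}',
    f"PID 1692 set thread context of 2000 1692 {SAMPLE} 28",
    f"PID 1692 wrote to memory of 2000 1692 {SAMPLE} 28",
    "PID 2000 wrote to memory of 1952 2000 applaunch.exe 29",
    f"Token: SeDebugPrivilege 1692 {SAMPLE}",
    "Token: SeDebugPrivilege 1952 applaunch.exe",
]

RE_RUN = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^=]+?) = "(?P<path>[^"]+)"')
RE_CTX = re.compile(r"PID (\d+) set thread context of (\d+)")
RE_WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
RE_PRIV = re.compile(r"Token: (Se\w+Privilege) (\d+)")

# Assumed heuristic word list for autorun names that borrow vendor/OS branding.
VENDOR_WORDS = ("microsoft", "windows", "adobe", "java")


def injection_edges(lines):
    """One edge per (writer, target): count WriteProcessMemory events and note
    whether the writer also changed a thread context in the target."""
    writes = defaultdict(int)
    ctx = set()
    for ln in lines:
        if m := RE_WRITE.search(ln):
            writes[(int(m[1]), int(m[2]))] += 1
        if m := RE_CTX.search(ln):
            ctx.add((int(m[1]), int(m[2])))
    return [
        {
            "src": src, "dst": dst, "writes": n,
            # Writing a payload into a process and then redirecting one of its
            # threads to it is the hollowing / thread-hijack pattern.
            "technique": "hollowing-style" if (src, dst) in ctx else "write-only",
        }
        for (src, dst), n in sorted(writes.items())
    ]


def injection_chain(edges, root):
    """Follow writer -> target edges from the root PID (linear chains only;
    a writer with several targets keeps the last edge seen)."""
    nxt = {e["src"]: e["dst"] for e in edges}
    chain = [root]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


def persistence_verdict(lines):
    """Flag Run values whose target lives under AppData\\Local\\Temp or whose
    name impersonates a vendor component. Heuristic; expect false positives."""
    findings = []
    for ln in lines:
        m = RE_RUN.search(ln)
        if not m:
            continue
        name = m["name"]
        path = m["path"].replace("\\\\", "\\")  # undo the report's escaping
        reasons = []
        if "\\appdata\\local\\temp\\" in path.lower():
            reasons.append("autorun target under AppData\\Local\\Temp")
        if any(w in name.lower() for w in VENDOR_WORDS):
            reasons.append("value name mimics a vendor/OS component")
        findings.append({"name": name, "path": path,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def privileges(lines):
    """Map PID -> set of privileges enabled via AdjustTokenPrivileges."""
    priv = defaultdict(set)
    for ln in lines:
        if m := RE_PRIV.search(ln):
            priv[int(m[2])].add(m[1])
    return dict(priv)


def analyse(lines=TELEMETRY, root=1692):
    edges = injection_edges(lines)
    return {
        "edges": edges,
        "chain": injection_chain(edges, root),
        "persistence": persistence_verdict(lines),
        "privileges": privileges(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2, default=sorted, ensure_ascii=False))
```

Run stand-alone it prints the chain, the per-hop technique label, the Run key verdict with its reasons, and the PID-to-privilege map. The 2000→1952 hop is reported as write-only because the telemetry shows no SetThreadContext for it; that is a statement about what the sandbox recorded, not proof that no thread hijack occurred.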
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
385KB
MD5 b4281d9fd3a1ce0050156077125b6407
SHA1 fb98d771626c31aca29a63ae059507c85d612b0c
SHA256 612cedbaba34163acd7941a5378d4c766ec03ccec320a69c61c9a34a38ec651c
SHA512 f37f1911c077aa0f4ce1160a640ee8a2194b44269b2d347b1bde9412d1c26e735baded1e8c967cbcbcd936ebdfeb39bbf6117415682e06550763e098817ea8f4