Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2022 10:31

General

  • Target

    f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe

  • Size

    2.0MB

  • MD5

    27c16af0dc1ca5114f02274e888859d3

  • SHA1

    4dd821ebcb09acbfd94178e36f120b761362b4a3

  • SHA256

    f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975

  • SHA512

    cea40e3fcf7cad69a9cb0aff50b3b6df65a499ce12ba883558a00aebb4e46a7ebc768dc44cb42315e9fe27755865ee313edc81b2157012c174de9076c46b54ab

  • SSDEEP

    24576:CzGZ0XTB9109be930wzdHkh6wFXRDZEZnTuZOklkQQfn+3CvzuvUBMclcLSwU:CaSB910Q3LzdHEPqZ+OzsSSvUmMcWwU

Malware Config

Extracted

Family

pony

C2

http://coc.zz.vc/gate.php

Extracted

Family

cybergate

Version

2.6

Botnet

VLC

C2

ligtv.mooo.com:83

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    java

  • install_file

    update.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 8 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2152
      • C:\Users\Admin\AppData\Local\Temp\f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe
        "C:\Users\Admin\AppData\Local\Temp\f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
          "C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2144
        • C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
          "C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe"
          3⤵
          • UAC bypass
          • Windows security bypass
          • Executes dropped EXE
          • Checks computer location settings
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4388
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe" /s MSWINSCK.OCX
            4⤵
            • Loads dropped DLL
            • Modifies registry class
            PID:3152
        • C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
          "C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_win_path
          PID:756
        • C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
          "C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe"
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:4224
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
            PID:4204
          • C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
            "C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Drops file in Program Files directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3460
            • C:\Program Files (x86)\java\update.exe
              "C:\Program Files (x86)\java\update.exe"
              5⤵
              • Executes dropped EXE
              PID:616
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 564
                6⤵
                • Program crash
                PID:1424
        • C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
          "C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4796
          • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
            C:\Users\Public\Documents\Wondershare\NFWCHK.exe
            4⤵
            • Executes dropped EXE
            PID:3924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 616 -ip 616
    1⤵
    PID:3104

        Network

        MITRE ATT&CK Matrix (ATT&CK v6)

          • Persistence
            Registry Run Keys / Startup Folder (T1060): 3
          • Privilege Escalation
            Bypass User Account Control (T1088): 1
          • Defense Evasion
            Bypass User Account Control (T1088): 1
            Disabling Security Tools (T1089): 3
            Modify Registry (T1112): 7
          • Credential Access
            Credentials in Files (T1081): 3
          • Discovery
            Query Registry (T1012): 2
            System Information Discovery (T1082): 3
          • Collection
            Data from Local System (T1005): 3
            Email Collection (T1114): 2

        Downloads

        • C:\Program Files (x86)\java\update.exe
          Filesize

          290KB

          MD5

          f14836901e0c55968202cb3d80ed660a

          SHA1

          19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

          SHA256

          7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

          SHA512

          f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

        • C:\Users\Admin\AppData\Local\Temp\SystemFiles1.exe
          Filesize

          219KB

          MD5

          0b60800a42e138e4b1d93889e09ea983

          SHA1

          c70abecd66083521d754d400a3960f2f41071769

          SHA256

          33eebd8ee53639d65da114dcb16de4bcd511fa9c4f233cf19599b46614f92cb3

          SHA512

          6a0429ba2c1b3033bdec00d16cebdc0e2b11d105851df827790bb23102a3224f2e08a5816653c21031083b497d5b43d61c8806ae08f6900299e1b084fc9d236b

        • C:\Users\Admin\AppData\Local\Temp\SystemFiles2.exe
          Filesize

          644KB

          MD5

          59404595db8d9749dfc0af4361cb0f64

          SHA1

          76b7c2ee39563c9d736abc48e3208d96ae30a547

          SHA256

          be22db58c5f688bcb6f9f7f8474a48e036d21dea85518f5514f2227978e2599c

          SHA512

          2660fb00ed3f01ce65b2f0b57f8e3a4becfc9ffbaa402fcb9f287857d4035abf599c334305b0e4a97ded2e6006b3462aef8b03ab298826740f512dcb08310ff9

        • C:\Users\Admin\AppData\Local\Temp\SystemFiles3.exe
          Filesize

          81KB

          MD5

          1d8194a7572393ec1c123abdaa603b08

          SHA1

          6d57906c1e986dc3614b2e863320c66d28f27836

          SHA256

          51bb673b478be9281b4ea14b67f97045fcce59446c8787160d3947431002fd12

          SHA512

          c2400f1930c4731a86e3b45d577cb23a10bda802a94f0fd7e50c059221c2ec75a49d15c7cbfdfb8eeee7c77ec76e88ae60e35a108156b328df03672e1d8daeae

        • C:\Users\Admin\AppData\Local\Temp\SystemFiles4.exe
          Filesize

          290KB

          MD5

          f14836901e0c55968202cb3d80ed660a

          SHA1

          19201beb6461eaa9b5a5bd9d5a8d926fe9fba5a2

          SHA256

          7b27bbac7915bc63042354e0a849de269bde7885bf8863aa95af8cfad6c007ff

          SHA512

          f6829f4bec96b3587e909c7995dc6b7e44d2ae17ba513ac2ae8042ff6effa7400a24b45d1232c5c5699679f205c1bac536a4a56d000120c9f30b00ea82f3dfce

        • C:\Users\Admin\AppData\Local\Temp\SystemFiles5.exe
          Filesize

          757KB

          MD5

          7edfb48f6a937f5f3a28c822d2439ef1

          SHA1

          fc738054aa28a406e3cb7676594aec37cd0a96b2

          SHA256

          ef42c03aa7d498c830de6a434f8ffb5eed00179283a8434dc355890ccf30c048

          SHA512

          41e4e01b0787c0d2e807ac84c8b0001428592b3d811f6308fa7d24194ece4d1bd5f2978c43f65c5a62f29da9ec2fe697a6bddbb181fd932a2fcf02169df34daa

        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
          Filesize

          229KB

          MD5

          810f6f6ae01221ad752cc4f8208b6975

          SHA1

          8ea3d1c787344a92cdde0b124ffbf3458f4aa9f9

          SHA256

          101bdc977e963978d57df8c4a84c5444bdb3674be77503d925793afa139d9155

          SHA512

          fff9785096e9ca5632ea043932aaadee3b8390ff09a8c02587bbfb1b94b382449ea04434a27fc76f895ca1003aa893008b5c4bb4d4400fac89641cb840cab464

        • C:\Users\Public\Documents\Wondershare\NFWCHK.exe
          Filesize

          6KB

          MD5

          b0ef777a6bd0ff0fcf941e530a565572

          SHA1

          faae7333444748167976448512179ab57d9ae560

          SHA256

          bdaae5a7c2a20a34f9c975508ffe79f94e2ce7db415b32f04dd876a07620d7b3

          SHA512

          04c958417f76eb74725c0c559ae00aa96fb2919ae7ee5840ba31b14537d7d17955095672b4e29353f78a37261c529510e132dc5c082281c65d021b9a3ffc8daf

        • C:\Windows\SysWOW64\MSWINSCK.OCX
          Filesize

          105KB

          MD5

          9484c04258830aa3c2f2a70eb041414c

          SHA1

          b242a4fb0e9dcf14cb51dc36027baff9a79cb823

          SHA256

          bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

          SHA512

          9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

        • memory/616-184-0x0000000000000000-mapping.dmp
        • memory/756-141-0x0000000000000000-mapping.dmp
        • memory/2144-187-0x0000000073C70000-0x0000000074221000-memory.dmp
          Filesize

          5.7MB

        • memory/2144-158-0x0000000073C70000-0x0000000074221000-memory.dmp
          Filesize

          5.7MB

        • memory/2144-189-0x0000000073C70000-0x0000000074221000-memory.dmp
          Filesize

          5.7MB

        • memory/2144-134-0x0000000000000000-mapping.dmp
        • memory/3152-151-0x0000000000000000-mapping.dmp
        • memory/3460-188-0x0000000024160000-0x00000000241C2000-memory.dmp
          Filesize

          392KB

        • memory/3460-178-0x0000000000000000-mapping.dmp
        • memory/3460-186-0x0000000024160000-0x00000000241C2000-memory.dmp
          Filesize

          392KB

        • memory/3460-183-0x0000000024160000-0x00000000241C2000-memory.dmp
          Filesize

          392KB

        • memory/3924-152-0x0000000000000000-mapping.dmp
        • memory/3924-171-0x00007FFF3B3A0000-0x00007FFF3BDD6000-memory.dmp
          Filesize

          10.2MB

        • memory/4224-172-0x0000000024080000-0x00000000240E2000-memory.dmp
          Filesize

          392KB

        • memory/4224-168-0x0000000024080000-0x00000000240E2000-memory.dmp
          Filesize

          392KB

        • memory/4224-164-0x0000000000000000-mapping.dmp
        • memory/4388-137-0x0000000000000000-mapping.dmp
        • memory/4796-148-0x0000000000000000-mapping.dmp
        • memory/4876-174-0x00000000240F0000-0x0000000024152000-memory.dmp
          Filesize

          392KB

        • memory/4876-180-0x0000000024160000-0x00000000241C2000-memory.dmp
          Filesize

          392KB

        • memory/4876-145-0x0000000000000000-mapping.dmp
        • memory/4876-165-0x0000000024080000-0x00000000240E2000-memory.dmp
          Filesize

          392KB

        • memory/4876-160-0x0000000024010000-0x0000000024072000-memory.dmp
          Filesize

          392KB