Analysis
-
max time kernel
223s -
max time network
231s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
29-11-2022 04:22
General
-
Target
a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
-
Size
1009KB
-
MD5
b6c5e599872a6b86c8fbba1301d63f50
-
SHA1
1eed46990ec3b06598e9a192084d92b5243f0141
-
SHA256
a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
-
SHA512
13532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
SSDEEP
24576:Cs5Uf2NP6RaGAdsuGSg25Yg4FLh0zLAZAMjAl8oFN12LAI3mz:weNPVGSg25YgILheAXj2rPMUimz
Malware Config
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in System32 directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe"C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe"2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Modifies Installed Components in the registry
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe"C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe"3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\system32\install\server.exe"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1605⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 1603⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
446KB
MD5073158a39b6736aa09add65d9dd8f919
SHA1d4efb4aa1d706eb0c18c0c9e0c16989d80f7df79
SHA256cdc9bfa1840dfcbb8a784e5fc4bc0cc4c0ffc9af9fe6d9f991eca8b3a3da7b63
SHA5121edeebf570dab115bf415f4d6ac66908ce3d014c956427b8e2ad7f9ef6b658021c42e8c17ecc15b79ba50ca31b1d6466438266baf392cd89f5dd4b18ef45ceaa
-
Filesize
1009KB
MD5b6c5e599872a6b86c8fbba1301d63f50
SHA11eed46990ec3b06598e9a192084d92b5243f0141
SHA256a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
SHA51213532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
Filesize
1009KB
MD5b6c5e599872a6b86c8fbba1301d63f50
SHA11eed46990ec3b06598e9a192084d92b5243f0141
SHA256a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
SHA51213532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
Filesize
217KB
MD5e7b076521a10ca57795da88633e2c8b1
SHA16dd36ed247915415cb378dc966855e22cfda8ea7
SHA25616c007438342786f37e60eed126f08b8128ea4dfc5635abef9994e2c20847057
SHA5129f4215a0bf9450d13c01909e70cf45945a62d070c2b38e3b45acc747750b40c7072a135976e75c2d4565f13115f4a0368890dfc296b0d7299c43eae4472b3bcf
-
Filesize
1009KB
MD5b6c5e599872a6b86c8fbba1301d63f50
SHA11eed46990ec3b06598e9a192084d92b5243f0141
SHA256a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
SHA51213532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
Filesize
1009KB
MD5b6c5e599872a6b86c8fbba1301d63f50
SHA11eed46990ec3b06598e9a192084d92b5243f0141
SHA256a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
SHA51213532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
Filesize
1009KB
MD5b6c5e599872a6b86c8fbba1301d63f50
SHA11eed46990ec3b06598e9a192084d92b5243f0141
SHA256a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
SHA51213532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
Filesize
1009KB
MD5b6c5e599872a6b86c8fbba1301d63f50
SHA11eed46990ec3b06598e9a192084d92b5243f0141
SHA256a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
SHA51213532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
Filesize
1009KB
MD5b6c5e599872a6b86c8fbba1301d63f50
SHA11eed46990ec3b06598e9a192084d92b5243f0141
SHA256a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8
SHA51213532cd28443d69741d46bffc958ad412a5a9a57bce9adff29d9b6025cc65fbccc987a35a999b44c72db1ffb6640c681f57fef88ec71ec4a042c4c1873ee4840
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
392KB
-
Filesize
224KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
1.5MB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
392KB
-
Filesize
8KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
392KB
-
Filesize
1.5MB
-
Filesize
392KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
392KB
-
Filesize
392KB
