Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    170s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 11:40

General

  • Target

    aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe

  • Size

    367KB

  • MD5

    57ee1776dcfc28eb2caf2161abf28222

  • SHA1

    f7f5b21bd964af0c7abd2b58cc67ab145958cd73

  • SHA256

    aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1

  • SHA512

    e5dedc86c8359959a640445402891c44169757979c4b2675c5a4fdbb8eb4691e326ead1dbc733964c515a730f508768e9dfdab69a7e86ea8f09adad7616f952e

  • SSDEEP

    6144:fu63+CQEg2GU/D6c27r2iCw/uQwDlUgFp9g+nTQw/pokXsl0U69do0HFY02Kt7Je:G65QD2+c2Zf/VClUgFXg+Tz/pSSUod9S

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

fud

C2

silent-hilll.no-ip.biz:81

silent-hilll.no-ip.biz:2000

silent-hilll.no-ip.biz:2010

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    msn.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123

  • regkey_hkcu

    win32

  • regkey_hklm

    win32

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:600
      • C:\Users\Admin\AppData\Local\Temp\aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe
        "C:\Users\Admin\AppData\Local\Temp\aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4248
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4516
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:2368
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1360
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:3224
              • C:\Windows\SysWOW64\install\msn.exe
                "C:\Windows\system32\install\msn.exe"
                5⤵
                • Executes dropped EXE
                PID:3984

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        229KB

        MD5

        3b29364d24fcfd28014c061fc647dc45

        SHA1

        cb8af848f73d0ddd7905676742d9a16bb3728a3a

        SHA256

        08531490f8ea8d98b4537a5d3f0254fe924c9e865309b82eba2164fab2c3e205

        SHA512

        0b1bf205e26c4e7400aa96c9b877e088a7c54d770f834f9892805a1c536efe3f469d2605c6f6621f04928f28c52765fd55e3df7095d0eb2bfccb3045f9bdfc5d

      • C:\Windows\SysWOW64\install\msn.exe

        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • C:\Windows\SysWOW64\install\msn.exe

        Filesize

        1.1MB

        MD5

        d881de17aa8f2e2c08cbb7b265f928f9

        SHA1

        08936aebc87decf0af6e8eada191062b5e65ac2a

        SHA256

        b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

        SHA512

        5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

      • memory/2368-151-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

      • memory/2368-148-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

      • memory/3224-166-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

      • memory/3224-163-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

      • memory/3224-161-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

      • memory/4248-137-0x00000000750A0000-0x0000000075651000-memory.dmp

        Filesize

        5.7MB

      • memory/4516-138-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4516-153-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

      • memory/4516-145-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

      • memory/4516-158-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

      • memory/4516-140-0x0000000024010000-0x0000000024072000-memory.dmp

        Filesize

        392KB

      • memory/4516-162-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4516-136-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4516-135-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4516-133-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB