Analysis
- max time kernel: 160s
- max time network: 209s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/11/2022, 23:54

Static task: static1
Behavioral task: behavioral1
Sample: a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe
Resource: win7-20220901-en
General
- Target: a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe
- Size: 382KB
- MD5: b8c17ccca22fd21439330484d11b5afd
- SHA1: 63772570981db9602b2cba620890c805c48bec25
- SHA256: a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c
- SHA512: beb6454374c1a3d4071c231cccf53335518ea954c952413dd4946bf5acccc81b59c62c36073e99c5769038901069cd56e2d29537d201e3674f7da6f54db2e548
- SSDEEP: 6144:gkDhZbmvGrOk0IImGo3Br+BstcbTxnU0A+0eBj9V9O0bnH:ntAEOkDEu1mnU+jnpbn
Malware Config
Extracted
- cybergate
- v1.07.5
- Cyber
- lcode.no-ip.org:82
- Updater

Attributes
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: .//domains/steam.us.lt/public_html/v0.1/
- ftp_interval: 30
- ftp_password: l37w9hukp6
- ftp_port: 21
- ftp_server: steam.us.lt
- ftp_username: steam
- injected_process: explorer.exe
- install_dir: Winlog
- install_file: Winlogon.exe
- install_flag: true
- keylogger_enable_ftp: true
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tmpD949.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe" | tmpD949.tmp.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tmpD949.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe" | tmpD949.tmp.exe

Executes dropped EXE (3 IoCs)
pid | Process
1820 | tmpD949.tmp.exe
1008 | tmpD949.tmp.exe
5092 | Winlogon.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{653D22SH-21O8-B100-5130-V0PB0R55U5I4} | tmpD949.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{653D22SH-21O8-B100-5130-V0PB0R55U5I4}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe Restart" | tmpD949.tmp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{653D22SH-21O8-B100-5130-V0PB0R55U5I4} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{653D22SH-21O8-B100-5130-V0PB0R55U5I4}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe" | explorer.exe

YARA rule matches (upx)
resource | yara_rule
behavioral2/files/0x000800000002317c-134.dat | upx
behavioral2/files/0x000800000002317c-135.dat | upx
behavioral2/memory/1820-136-0x0000000000400000-0x000000000049B000-memory.dmp | upx
behavioral2/memory/1820-138-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral2/memory/1820-143-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/1616-146-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/1616-147-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral2/memory/1820-148-0x0000000000400000-0x000000000049B000-memory.dmp | upx
behavioral2/memory/1820-150-0x00000000104F0000-0x0000000010555000-memory.dmp | upx
behavioral2/files/0x000800000002317c-155.dat | upx
behavioral2/files/0x0007000000023173-157.dat | upx
behavioral2/memory/1820-158-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral2/memory/1008-159-0x0000000000400000-0x000000000049B000-memory.dmp | upx
behavioral2/memory/1008-162-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral2/memory/1820-163-0x0000000000400000-0x000000000049B000-memory.dmp | upx
behavioral2/memory/1008-164-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral2/memory/1008-165-0x0000000000400000-0x000000000049B000-memory.dmp | upx
behavioral2/memory/1008-166-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral2/files/0x0007000000023173-168.dat | upx
behavioral2/memory/5092-169-0x0000000000400000-0x000000000049B000-memory.dmp | upx
behavioral2/memory/5092-171-0x0000000000400000-0x000000000049B000-memory.dmp | upx

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | tmpD949.tmp.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | tmpD949.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\Winlogon.exe" | tmpD949.tmp.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | tmpD949.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\Winlogon.exe" | tmpD949.tmp.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Winlog\Winlogon.exe | tmpD949.tmp.exe
File opened for modification | C:\Windows\SysWOW64\Winlog\Winlogon.exe | tmpD949.tmp.exe
File opened for modification | C:\Windows\SysWOW64\Winlog\Winlogon.exe | tmpD949.tmp.exe
File opened for modification | C:\Windows\SysWOW64\Winlog\ | tmpD949.tmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3136 | 5092 | WerFault.exe | 88
8 | 5092 | WerFault.exe | 88

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | tmpD949.tmp.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1820 | tmpD949.tmp.exe
1820 | tmpD949.tmp.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1008 | tmpD949.tmp.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2040 | a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe
Token: SeBackupPrivilege | 1616 | explorer.exe
Token: SeRestorePrivilege | 1616 | explorer.exe
Token: SeBackupPrivilege | 1008 | tmpD949.tmp.exe
Token: SeRestorePrivilege | 1008 | tmpD949.tmp.exe
Token: SeDebugPrivilege | 1008 | tmpD949.tmp.exe
Token: SeDebugPrivilege | 1008 | tmpD949.tmp.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1820 | tmpD949.tmp.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2040 wrote to memory of 1820 | 2040 | a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe | 83
PID 2040 wrote to memory of 1820 | 2040 | a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe | 83
PID 2040 wrote to memory of 1820 | 2040 | a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe | 83
PID 1820 wrote to memory of 2628 | 1820 | tmpD949.tmp.exe | 39
(the row above is repeated verbatim for all remaining entries of the 64 listed IoCs)
Processes
(image | command line | PID; indentation shows the parent/child relationship)

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:2628
    C:\Users\Admin\AppData\Local\Temp\a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe | "C:\Users\Admin\AppData\Local\Temp\a5f6ddb0c13d00fe9194e6f58e4e0e6adb05acae621271ac91698c0dc13a6f4c.exe" | PID:2040
        - Checks computer location settings
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\tmpD949.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmpD949.tmp.exe" | PID:1820
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1616
                - Modifies Installed Components in the registry
                - Suspicious use of AdjustPrivilegeToken
            C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" | PID:800
            C:\Users\Admin\AppData\Local\Temp\tmpD949.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmpD949.tmp.exe" | PID:1008
                - Executes dropped EXE
                - Checks computer location settings
                - Drops file in System32 directory
                - Modifies registry class
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\Winlog\Winlogon.exe | "C:\Windows\system32\Winlog\Winlogon.exe" | PID:5092
                    - Executes dropped EXE
                    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 576 | PID:3136
                        - Program crash
                    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 576 | PID:8
                        - Program crash
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5092 -ip 5092 | PID:1620
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 224KB
  MD5: cb78d227de89af81c83b72e0e91baf41
  SHA1: a0ecaa698463eca18e92119368db176c639dfd72
  SHA256: 5e55788e4212fcebe765eafa16009f63739604c44eea600c36b35b9321d8f3b5
  SHA512: 01c8f0fe2f98761bbc9d2a2736c1636ae843dbe4e190277af9f43fe9a83f869d4ef590aab668a4440d562757d1a2078c3bb794aeacb77842fc90ba036f52fc08

- Filesize: 373KB
  MD5: bc8b1938ae921daf721e9c5899102534
  SHA1: 3e7bbc011dc3f2ebd512b5df35102cc056dc742a
  SHA256: 2c98d4b8c7a570cf258342c9119ff720fea17be44fcd3b1abeebbecc3914fadd
  SHA512: b92b87480745cca4859f7d5de1f036b65df92f7004fd107784b20e9135bb241646c34a61b1eae4df13ea3c750bc403e2b6248ef1e360d6658bc7c684c44b2ebd