Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 14:19
Static task: static1
Behavioral task: behavioral1
Sample: bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
Resource: win7-20220812-en
General
Target: bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
Size: 307KB
MD5: 36bfcf1de6ab97d9124036e38bfd4221
SHA1: 985bb45e0e768a1f9d505580a27cd0a2e29e07c8
SHA256: bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694
SHA512: 63c7631adf5813a32c62f9154a47ddbacec6cb75751c09c2e15f9f6ff315f6952763ce7965f3fd12569c3bcd80f9c6c4c6f24913c48c210ee680c7a44de684a9
SSDEEP: 6144:rYd37RspU4qFr059JVp0grxFoY4KGv6xrcOlFdvLg0pFpSFhFWTbb:rY4TMr0lVpxr3oY4KEeYOlFdvLM/FAb
Malware Config
Extracted: cybergate
v1.11.0 - Public Version
Cyber
127.0.0.1:5444
freecoolstuff.dyndns.org:5444
7J5Y7T56E0W1V7
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: qwr
install_file: AirCFG.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hklm: D-Link AirPlus G
Signatures

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{G88EB61L-7K46-R322-4IT3-EF378FIO10NK}\StubPath = "C:\\Windows\\qwr\\AirCFG.exe Restart" | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{G88EB61L-7K46-R322-4IT3-EF378FIO10NK} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{G88EB61L-7K46-R322-4IT3-EF378FIO10NK}\StubPath = "C:\\Windows\\qwr\\AirCFG.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{G88EB61L-7K46-R322-4IT3-EF378FIO10NK} | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe

yara_rule match: upx (8 IoCs)
resource | yara_rule
behavioral2/memory/4088-139-0x0000000010410000-0x0000000010482000-memory.dmp | upx
behavioral2/memory/4088-144-0x0000000010490000-0x0000000010502000-memory.dmp | upx
behavioral2/memory/1352-147-0x0000000010490000-0x0000000010502000-memory.dmp | upx
behavioral2/memory/1352-150-0x0000000010490000-0x0000000010502000-memory.dmp | upx
behavioral2/memory/4088-153-0x0000000010510000-0x0000000010582000-memory.dmp | upx
behavioral2/memory/4852-156-0x0000000010510000-0x0000000010582000-memory.dmp | upx
behavioral2/memory/4852-157-0x0000000010510000-0x0000000010582000-memory.dmp | upx
behavioral2/memory/4852-158-0x0000000010510000-0x0000000010582000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D-Link AirPlus G = "C:\\Windows\\qwr\\AirCFG.exe" | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 740 set thread context of 4088 | 740 | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe | 80

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\qwr\AirCFG.exe | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
File opened for modification | C:\Windows\qwr\AirCFG.exe | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
File opened for modification | C:\Windows\qwr\AirCFG.exe | explorer.exe
File opened for modification | C:\Windows\qwr\ | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4852 | explorer.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 740 | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
Token: SeBackupPrivilege | 1352 | explorer.exe
Token: SeRestorePrivilege | 1352 | explorer.exe
Token: SeBackupPrivilege | 4852 | explorer.exe
Token: SeRestorePrivilege | 4852 | explorer.exe
Token: SeDebugPrivilege | 4852 | explorer.exe
Token: SeDebugPrivilege | 4852 | explorer.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4088 | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 740 wrote to memory of 3328 | 740 | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe | 79 (3 entries)
PID 740 wrote to memory of 4088 | 740 | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe | 80 (repeated)
PID 4088 wrote to memory of 2484 | 4088 | bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe | 25 (repeated; these three source/target pairs account for all 64 entries)
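The Malware Config and the Signatures above describe one persistence chain: the sample drops C:\Windows\qwr\AirCFG.exe, registers it both as an Active Setup StubPath and as the "D-Link AirPlus G" Run value, writes into explorer.exe, and the config carries the C2 endpoints. The Python below is an added example, not tria.ge output and not CyberGate code: it runs correlation rules of my own over Sysmon-style records that are constructed to mirror the report (field names follow Sysmon's EventID 3, 10, 11, 13 and 22 schema; the rule names and the benign control record are assumptions). One detail from the report itself is worth turning into a rule: the Installed Components key name {G88EB61L-7K46-R322-4IT3-EF378FIO10NK} is not a valid GUID, since it contains letters outside 0-9A-F.

```python
"""
Hunt for the behaviour documented in the report above in Sysmon-style event
records: Active Setup StubPath and Run-key persistence that points at a file
dropped moments earlier, write access to explorer.exe, and the CyberGate C2
endpoints from the extracted config.

Added example, not tria.ge output or CyberGate code. The records below are
constructed to mirror the report; field names follow Sysmon's schema for
EventID 3 (network), 10 (process access), 11 (file create), 13 (registry
value set) and 22 (DNS query). Rule names and the benign control entry are
assumptions.
"""
import re

# Indicators copied from the report's extracted config.
C2_HOSTS = {"freecoolstuff.dyndns.org"}
C2_PORTS = {5444}

ACTIVE_SETUP = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(\{[^\\}]+\})\\StubPath$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# A genuine Active Setup component name is a brace-wrapped hex GUID. The
# sample's {G88EB61L-7K46-R322-4IT3-EF378FIO10NK} contains letters outside
# 0-9A-F, so the key name alone is a signal.
GUID = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020  # Win32 access-mask bits


def exe_in(details):
    """Executable path (lower-cased) from a registry value such as
    'C:\\Windows\\qwr\\AirCFG.exe Restart' or '"C:\\x\\y.exe" /arg'."""
    m = re.match(r'"?([^"]+?\.exe)"?', details.strip(), re.I)
    return m.group(1).lower() if m else None


def hunt(events):
    """Return (rule, pid, detail) tuples. Events are scanned in order so that
    a persistence entry can be correlated with files created before it."""
    dropped = set()  # paths seen in EventID 11, lower-cased
    hits = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 13:
            tgt, det = ev["TargetObject"], ev.get("Details", "")
            m = ACTIVE_SETUP.search(tgt)
            if m:
                if not GUID.match(m.group(1)):
                    hits.append(("active_setup_non_guid_component", pid, m.group(1)))
                if exe_in(det) in dropped:
                    hits.append(("active_setup_points_at_dropped_file", pid, det))
            m = RUN_KEY.search(tgt)
            if m and exe_in(det) in dropped:
                hits.append(("run_key_points_at_dropped_file", pid, f"{m.group(1)} = {det}"))
        elif eid == 10:
            access = int(ev["GrantedAccess"], 16)
            if (ev["TargetImage"].lower().endswith("\\explorer.exe")
                    and access & PROCESS_VM_WRITE and access & PROCESS_VM_OPERATION):
                hits.append(("explorer_memory_write_access", pid, ev["GrantedAccess"]))
        elif eid == 22 and ev["QueryName"].lower() in C2_HOSTS:
            hits.append(("cybergate_c2_dns", pid, ev["QueryName"]))
        elif eid == 3 and ev["DestinationPort"] in C2_PORTS:
            hits.append(("cybergate_c2_port", pid,
                         f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return hits


# Constructed records mirroring the report's process tree and IoCs (not real telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe"
WOW_HIVE = r"HKLM\SOFTWARE\WOW6432Node\Microsoft"
EVENTS = [
    {"EventID": 11, "ProcessId": 4088, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\qwr\AirCFG.exe"},
    {"EventID": 13, "ProcessId": 4088, "Image": SAMPLE,
     "TargetObject": WOW_HIVE + r"\Active Setup\Installed Components"
                                r"\{G88EB61L-7K46-R322-4IT3-EF378FIO10NK}\StubPath",
     "Details": r"C:\Windows\qwr\AirCFG.exe Restart"},
    {"EventID": 13, "ProcessId": 4088, "Image": SAMPLE,
     "TargetObject": WOW_HIVE + r"\Windows\CurrentVersion\Run\D-Link AirPlus G",
     "Details": r"C:\Windows\qwr\AirCFG.exe"},
    {"EventID": 10, "ProcessId": 4088, "Image": SAMPLE,
     "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 22, "ProcessId": 1352, "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "QueryName": "freecoolstuff.dyndns.org"},
    {"EventID": 3, "ProcessId": 1352, "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 5444},
    # Benign control (assumed): a proper GUID whose StubPath target was not dropped here.
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{12345678-ABCD-4EF0-9876-0123456789AB}\StubPath",
     "Details": r"C:\Program Files\Example\setup.exe /user"},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Run as-is it prints six findings, all from the sample's PIDs and none from the control record. On live data, feed parsed Sysmon events with the same field names. The GUID check is the cheapest rule to deploy because it needs no correlation: Windows' own Active Setup components are registered under hex GUIDs (sometimes prefixed with ">" to force a re-run), so any other key name deserves triage, though some third-party installers do use plain names, so treat it as a lead rather than a block rule.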
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 2484
  2. C:\Users\Admin\AppData\Local\Temp\bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     PID: 740
    3. C:\Users\Admin\AppData\Local\Temp\bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
       Command line: bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
       PID: 3328
    3. C:\Users\Admin\AppData\Local\Temp\bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
       Command line: bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694.exe
       - Modifies Installed Components in the registry
       - Adds Run key to start application
       - Drops file in Windows directory
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of WriteProcessMemory
       PID: 4088
      4. C:\Windows\SysWOW64\explorer.exe
         Command line: explorer.exe
         - Modifies Installed Components in the registry
         - Suspicious use of AdjustPrivilegeToken
         PID: 1352
      4. C:\Windows\SysWOW64\explorer.exe
         Command line: explorer.exe
         - Drops file in Windows directory
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         PID: 4852
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 239KB
MD5: b32ba59d4637e3d4647417eeed95a4b9
SHA1: 96a50d6c8055bd417b650f5b03c7fa99466e4ee9
SHA256: faa5e430ed97fd2b522b795b8964d966fa5f29b6a19ec7c0c41f90bac081e4a7
SHA512: 2774cbd676504c85fde8342ce69793dae9eab4530424683a34f73e91c192fc769aee8e9e0e831d4826a890d67ea797a5ac8138bcbcdc85f288664aa69c9c329e

Filesize: 307KB
MD5: 36bfcf1de6ab97d9124036e38bfd4221
SHA1: 985bb45e0e768a1f9d505580a27cd0a2e29e07c8
SHA256: bbaedbee7b6bd515adcd8e7f6bf585d8e5fc9fb7369de21158efb27ca293f694
SHA512: 63c7631adf5813a32c62f9154a47ddbacec6cb75751c09c2e15f9f6ff315f6952763ce7965f3fd12569c3bcd80f9c6c4c6f24913c48c210ee680c7a44de684a9