Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-12-2022 18:10
General
-
Target
12193c733668672c9e6b88abb40d99c1d22679d84d619666ffc1b0b5c974a453.exe
-
Size
784KB
-
MD5
851de3d0db1b2ffe29414cb75715473f
-
SHA1
cc645d4b3426d7073f02b1c4db6858c64e10997b
-
SHA256
12193c733668672c9e6b88abb40d99c1d22679d84d619666ffc1b0b5c974a453
-
SHA512
8a47fc7c739ddeae734896deb470e2282a37b574c19ca351d5b646df901475f3eda536161a0e80af0fb1c6a4db5fb9947618420be48584767daf622d5944b044
-
SSDEEP
12288:qX3RvFGVNZxSvfdFPBsojcerNjwS4TV13rYeAiS34nua3sB8ezehm/P:qXPuNeLB7rSbXkxihtk8G/
Malware Config
Extracted
cybergate
2.6
10
googleud7.dyndns-server.com:81
***MUTEX***
-
enable_keylogger
false
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
win64ini
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
1
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 7 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\12193c733668672c9e6b88abb40d99c1d22679d84d619666ffc1b0b5c974a453.exe"C:\Users\Admin\AppData\Local\Temp\12193c733668672c9e6b88abb40d99c1d22679d84d619666ffc1b0b5c974a453.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\12193c733668672c9e6b88abb40d99c1d22679d84d619666ffc1b0b5c974a453.exe"C:\Users\Admin\AppData\Local\Temp\12193c733668672c9e6b88abb40d99c1d22679d84d619666ffc1b0b5c974a453.exe"3⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\pass.txt4⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"6⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵
- Modifies Installed Components in the registry
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\win64ini\svchost.exe"C:\Windows\system32\win64ini\svchost.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\win64ini\svchost.exe"C:\Windows\system32\win64ini\svchost.exe"9⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\win64ini\svchost.exe"C:\Windows\system32\win64ini\svchost.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txtFilesize
229KB
MD50a26abcc3540ad0383c3289473e6fea1
SHA1954768424d734662621ab6f34c1697dde5f10d8c
SHA256aaacc6ba6ef1468ea79ce5d57106e51a57963eab2bcf33d07cac710adc718a70
SHA5121257347d808022ed54b1f557a36e05ab0e8748332fd0b7e6a8af7082af10a99441d621c20e6ad770e7a9a19989bd381669038b4a4c084593468d03b7484f1d4d
-
C:\Users\Admin\AppData\Local\Temp\pass.txtFilesize
70B
MD594358c9cae9d607c92ec7abb690fd878
SHA175b0850e420c767372fb79bcb0e66d72b17b0928
SHA256a5c52ea19fff5d6036258543703dfb8d497146c4b733e739a2e6f72d81ea1fc0
SHA512011280ad139053c2b63162294f322e6f79ad35d3305ce83bda4620a6dc568e7d76e5f951d5b0c462cc3f2591cd7fd1bcf81518233404dc821f9defa8f3cefa21
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Users\Admin\AppData\Local\Temp\wT4TL34z7.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Windows\SysWOW64\win64ini\svchost.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Windows\SysWOW64\win64ini\svchost.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Windows\SysWOW64\win64ini\svchost.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
C:\Windows\SysWOW64\win64ini\svchost.exeFilesize
528KB
MD5211dbd8ff924d5c521bde7db76f5358a
SHA12a7025880684953184087537fad6b7e8f4565634
SHA2568800ca881f80dfaa3b73b8df14a45f7466db51dd05e48a385b76e4a14318727c
SHA512c664023d8d71fd7566241ee6e61dd87060effedd1bac85168a4edf3d13b15b5424620b50fa096daf98bd022811c1d867839374c6cceb191926a2bf13b62ecca2
-
memory/620-175-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/620-172-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/620-168-0x0000000000000000-mapping.dmp
-
memory/800-169-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/800-177-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/800-159-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/800-183-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/800-161-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/800-162-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/800-164-0x0000000024010000-0x0000000024072000-memory.dmpFilesize
392KB
-
memory/800-155-0x0000000000000000-mapping.dmp
-
memory/800-156-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/800-187-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1444-189-0x0000000000000000-mapping.dmp
-
memory/2548-139-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2548-146-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2548-135-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/2548-134-0x0000000000000000-mapping.dmp
-
memory/3100-181-0x0000000000000000-mapping.dmp
-
memory/3100-208-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3100-186-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3100-188-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3324-141-0x0000000000000000-mapping.dmp
-
memory/3760-148-0x0000000000000000-mapping.dmp
-
memory/3760-149-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/3760-152-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/3760-160-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/4236-199-0x0000000000000000-mapping.dmp
-
memory/4236-205-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4236-203-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4236-206-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4236-207-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4580-140-0x0000000000000000-mapping.dmp
-
memory/4948-193-0x0000000000000000-mapping.dmp
-
memory/4948-204-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB