Analysis
max time kernel: 50s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  Resource: win10v2004-20221111-en
General
Target: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
Size: 2.0MB
MD5: 0ce92ed77c07532a818e8604c582fcec
SHA1: eb0932f99b64a6cca7e1cd96c989ee14810b5dae
SHA256: 287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59
SHA512: dba5affc0b225c2f1068da92ab516f38cc6daf2132134471fd732b08d563c0fb8cfb9607c374d98146af3a0b9f2521aa53e7a6ae95e6e885f114f8a80cb2ab67
SSDEEP: 49152:l/DduN3sJM79Gg+DhRg9Wu/O0xFJog2wz:lrduNes8tY9Wu/fxTo2
Malware Config
Extracted: cybergate v1.07.5
remote: spraslhivai.no-ip.info:12345
  683LG4WHIT0W6R
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 1
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  1092  intell.exe
  1768  intell.exe
  796   intell.EXE

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     intell.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  intell.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1672  287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  1672  287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  1672  287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  1672  287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
  1092  intell.exe
  1768  intell.exe

Suspicious use of SetThreadContext (1 IoC)
  description                         pid   Process     procid_target
  PID 1768 set thread context of 796  1768  intell.exe  30

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (8 IoCs)
  description      ioc                                                                                                                 Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}\TreatAs                intell.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}\TreatAs\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}"        intell.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}                        intell.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}\AutoConvertTo          intell.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}\AutoConvertTo\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}"  intell.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}\Insertable             intell.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}\ProgID                 intell.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C9D418C-6B4A-70FE-BB4B-94FFBB4B94FF}\ProgID\ = "PowerPoint.Slide.4"                             intell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   Process
  Token: 33                          1768  intell.exe
  Token: SeIncBasePriorityPrivilege  1768  intell.exe
  Token: 33                          1768  intell.exe
  Token: SeIncBasePriorityPrivilege  1768  intell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1768  intell.exe

Suspicious use of WriteProcessMemory (57 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1672 wrote to memory of 1092  1672  287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe  27
  PID 1092 wrote to memory of 1768  1092  intell.exe                                                                28
  PID 1768 wrote to memory of 796   1768  intell.exe                                                                30
  (the 57 recorded events are repeats of these three parent/child pairs, in the order 1672 to 1092, then 1092 to 1768 and 1768 to 796 interleaved)
Processes

1. C:\Users\Admin\AppData\Local\Temp\287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe"
   PID: 1672
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\intell.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\intell.exe"
      PID: 1092
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\intell.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\intell.exe"
         PID: 1768
         - Executes dropped EXE
         - Checks BIOS information in registry
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\intell.EXE
            Command line: "C:\Users\Admin\AppData\Local\Temp\intell.EXE"
            PID: 796
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.7MB
MD5: cf589d524b8ea080275efbae7448a904
SHA1: 417a83d229bd6d53e445b1949faca63482cc0d5b
SHA256: 4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a
SHA512: 94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189
(this same file, with identical hashes, is listed 10 times in the report's download list)