Analysis
max time kernel: 169s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 01:17
Static task: static1
Behavioral task: behavioral1
Sample: f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
Resource: win7-20220812-en
General
Target: f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
Size: 315KB
MD5: dcc256be852687239ff152f6d9a6e1b5
SHA1: c1944db712385819ebe9600739e3ccac7e031d30
SHA256: f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f
SHA512: 8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2
SSDEEP: 6144:rz+W2anmpCY4A0863r6tZzpu+C8CKJVR05:rz+Kk3N6etZzpul8CKnO
Malware Config
Extracted
Family: cybergate
Version: v1.05.1
5
C2: annonymous007.zapto.org:56120
I42OOP770AO448
Attributes:
enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: false
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 0123456
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  4308  mvscavAP.exe
  3068  SiaPort.exe

(UPX-matched memory regions)
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4264-138-0x0000000010410000-0x0000000010471000-memory.dmp  upx
  behavioral2/memory/4264-143-0x0000000010480000-0x00000000104E1000-memory.dmp  upx
  behavioral2/memory/3460-146-0x0000000010480000-0x00000000104E1000-memory.dmp  upx
  behavioral2/memory/3460-148-0x0000000010480000-0x00000000104E1000-memory.dmp  upx
  behavioral2/memory/3460-163-0x0000000010480000-0x00000000104E1000-memory.dmp  upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  mvscavAP.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"  mvscavAP.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                       pid   process                                                                   target process
  PID 3176 set thread context of 4264  3176  f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe  AppLaunch.exe
  PID 3068 set thread context of 3840  3068  SiaPort.exe                                                               AppLaunch.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (unique pid/process rows):
  pid   process
  3176  f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
  4308  mvscavAP.exe
  3068  SiaPort.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3176  f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
  Token: SeDebugPrivilege  3460  AppLaunch.exe
  Token: SeDebugPrivilege  3460  AppLaunch.exe
  Token: SeDebugPrivilege  4308  mvscavAP.exe
  Token: SeDebugPrivilege  3068  SiaPort.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (unique rows):
  description                         pid   process                                                                   target process
  PID 3176 wrote to memory of 4264    3176  f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe  AppLaunch.exe
  PID 4264 wrote to memory of 1952    4264  AppLaunch.exe                                                             iexplore.exe
Processes (number = depth in the process tree)
1  C:\Users\Admin\AppData\Local\Temp\f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - Suspicious use of WriteProcessMemory
      3  C:\Program Files\Internet Explorer\iexplore.exe
         command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      3  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
         - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
   2  C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      3  C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize: 315KB
MD5: dcc256be852687239ff152f6d9a6e1b5
SHA1: c1944db712385819ebe9600739e3ccac7e031d30
SHA256: f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f
SHA512: 8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2

C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize: 6KB
MD5: c203e138f460101f8af1314c0e817892
SHA1: 13c2bc33e42e86e066d303b8596211d92a1a814e
SHA256: 1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454
SHA512: ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize: 222KB
MD5: 37fcb6f30c7348187b8cba966a16f73b
SHA1: aa61d17dd87449ff657490965cadc965fc0d543d
SHA256: 0d8a9a8fb8b84632f613b327e9aef424f7d3b8608dbf8f81a3d5c0036cf82858
SHA512: 0744a1ed1f257dfc5df018bb67753aaad53811899b4da7147e6bc60c0b12bc5bdb78410c43314608bd95deda90b6b4defae4b00392b5001e889adfcc34d2e59d

Memory dumps:
  memory/824-149-0x0000000000000000-mapping.dmp
  memory/3068-165-0x00000000746F0000-0x0000000074CA1000-memory.dmp   Filesize: 5.7MB
  memory/3068-157-0x00000000746F0000-0x0000000074CA1000-memory.dmp   Filesize: 5.7MB
  memory/3068-154-0x0000000000000000-mapping.dmp
  memory/3176-162-0x00000000746F0000-0x0000000074CA1000-memory.dmp   Filesize: 5.7MB
  memory/3176-132-0x00000000746F0000-0x0000000074CA1000-memory.dmp   Filesize: 5.7MB
  memory/3460-142-0x0000000000000000-mapping.dmp
  memory/3460-148-0x0000000010480000-0x00000000104E1000-memory.dmp   Filesize: 388KB
  memory/3460-146-0x0000000010480000-0x00000000104E1000-memory.dmp   Filesize: 388KB
  memory/3460-163-0x0000000010480000-0x00000000104E1000-memory.dmp   Filesize: 388KB
  memory/3840-158-0x0000000000000000-mapping.dmp
  memory/3840-161-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize: 304KB
  memory/4264-143-0x0000000010480000-0x00000000104E1000-memory.dmp   Filesize: 388KB
  memory/4264-135-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize: 304KB
  memory/4264-136-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize: 304KB
  memory/4264-138-0x0000000010410000-0x0000000010471000-memory.dmp   Filesize: 388KB
  memory/4264-134-0x0000000000400000-0x000000000044C000-memory.dmp   Filesize: 304KB
  memory/4264-133-0x0000000000000000-mapping.dmp
  memory/4308-156-0x00000000746F0000-0x0000000074CA1000-memory.dmp   Filesize: 5.7MB
  memory/4308-150-0x0000000000000000-mapping.dmp
  memory/4308-164-0x00000000746F0000-0x0000000074CA1000-memory.dmp   Filesize: 5.7MB