Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

cc60c09fa4...54.exe

windows7-x64

10

cc60c09fa4...54.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 07:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354.exe

  • Size

    1.1MB

  • MD5

    1ab84840a608d243cc351d8a3a40d2b6

  • SHA1

    607b229d480589c21ba617121bfb4beb11c87d57

  • SHA256

    cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354

  • SHA512

    362c52a4e4f9c53e7aecc3c2f94adf15e6abeb1305464cd7ba6720f163d02af4534f5773292162c7c294e6179ee672601f47cd86f458207a95cde0ce98869dbf

  • SSDEEP

    24576:b1dlZo5l+LyKX/8vL3t/2g576R54en9n0CDU/36hRcDRIJcw0lu/24Xow:b1dlZol+LlXOhU04aCY/3QaRIJcyuhw

Score
10/10
cybergatemorenaaevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

morenaa

C2

morenaa.no-ip.org:80

morenaa.no-ip.org:81

morenaa.no-ip.org:82

morenaa.no-ip.org:2000
Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • ftp_password

    ªš÷Öº+Þ

  • ftp_port

    21

  • ftp_server

    ftp.webcindario.com

  • ftp_username

    ftp_user

  • injected_process

    explorer.exe

  • install_dir

    windll32

  • install_file

    win32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1220
      • C:\Users\Admin\AppData\Local\Temp\cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354.exe
        "C:\Users\Admin\AppData\Local\Temp\cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Extracted\spy-net encryptado.exe
          "C:\Extracted\spy-net encryptado.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:632
          • C:\Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
            C:\Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
            4⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1472
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
              • Modifies Installed Components in the registry
              PID:2008
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
                PID:1328
              • C:\Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
                "C:\Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks whether UAC is enabled
                • Drops file in Windows directory
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1000
                • C:\Windows\windll32\win32.exe
                  "C:\Windows\windll32\win32.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:1836
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:320

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Extracted\j.jpg
        Filesize

        747KB

        MD5

        963c729465ac6ca040fcc036de87b496

        SHA1

        98650b0723976a5f7ac9dc9d54100537cd296cad

        SHA256

        8ae9457ea0fbfd500e962e56fc964ab2460975c3c07dcd22e5c1fcd7dde98baf

        SHA512

        a81bda3ce8a2823465eceac564183437b5f8df5ffc0bf33e6710ce5b801fec25a1347dabce88c190bfe8be87cffa71c96b55de664a5f93eee8e79519772c6819

        Download Submit

      • C:\Extracted\spy-net encryptado.exe
        Filesize

        394KB

        MD5

        6fa7ade462e02f8527aafe65530f7873

        SHA1

        b03a59b3613d37aba606411db8006053360ecbe1

        SHA256

        b160d1795a5eb053b5e9cfe22697fa0292484dc35d7039fa91c4a2fa7a06ad35

        SHA512

        c894c9a3f86a58e46a416214e11353f0dfbf978ebee308952ac3bc5c464021fe12c9f1d273e992e2531fd5a3959b5f9cc22f2f3bf337dbc3cf5e9936ec63bb34

        Download Submit

      • C:\Extracted\spy-net encryptado.exe
        Filesize

        394KB

        MD5

        6fa7ade462e02f8527aafe65530f7873

        SHA1

        b03a59b3613d37aba606411db8006053360ecbe1

        SHA256

        b160d1795a5eb053b5e9cfe22697fa0292484dc35d7039fa91c4a2fa7a06ad35

        SHA512

        c894c9a3f86a58e46a416214e11353f0dfbf978ebee308952ac3bc5c464021fe12c9f1d273e992e2531fd5a3959b5f9cc22f2f3bf337dbc3cf5e9936ec63bb34

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        229KB

        MD5

        34868c7036e0e186118fe2920dfb51b7

        SHA1

        9693604ab06646674a1dab490a18f8002bf8cafe

        SHA256

        96e231c463ac07faa32e41ba324778b6892dc62811beac1bbea78062116c788a

        SHA512

        025b58e8c06d9835f5772ff6e6ad1130c9bb9c29fe9795017bea536db0faa85ab3b05d4004329f89a10381e33d3484b114ff518bec64cfdf2ca73104f98e6b88

        Download Submit

      • C:\Windows\windll32\win32.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • C:\Windows\windll32\win32.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • \Extracted\spy-net encryptado.exe
        Filesize

        394KB

        MD5

        6fa7ade462e02f8527aafe65530f7873

        SHA1

        b03a59b3613d37aba606411db8006053360ecbe1

        SHA256

        b160d1795a5eb053b5e9cfe22697fa0292484dc35d7039fa91c4a2fa7a06ad35

        SHA512

        c894c9a3f86a58e46a416214e11353f0dfbf978ebee308952ac3bc5c464021fe12c9f1d273e992e2531fd5a3959b5f9cc22f2f3bf337dbc3cf5e9936ec63bb34

        Download Submit

      • \Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • \Users\Admin\AppData\Local\Temp\AruEZbyzDsaXzh\iexplore.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • \Windows\windll32\win32.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • memory/632-74-0x0000000074240000-0x00000000747EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/632-61-0x0000000074240000-0x00000000747EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1000-112-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1000-114-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1000-118-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1220-83-0x0000000024010000-0x0000000024072000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1472-72-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1472-89-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1472-73-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1472-63-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1472-80-0x0000000024010000-0x0000000024072000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1472-64-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1472-99-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1472-66-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1472-77-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1472-67-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1472-107-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1472-113-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2008-94-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2008-88-0x0000000073D91000-0x0000000073D93000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2008-97-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download