Analysis
max time kernel: 152s
max time network: 87s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 16:23 (day/month/year, i.e. 5 December 2022; the behavioral2 image used below is dated 2022-11-11)
Static task: static1
Behavioral task: behavioral1, sample b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe, resource win7-20220812-en
Behavioral task: behavioral2, sample b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe, resource win10v2004-20221111-en
General
Target: b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe
Size: 506KB
MD5: 88fa1b50e7dd8da0fcfa2677abed4970
SHA1: e615141b3dc528816c5220d66fc6a7b2c2936bfb
SHA256: b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937
SHA512: 681573bd0908f64bcd84b3314f0c4fe280e1f71d9afeab4cf8810480ed96306bee93a1d4f11f6b56b32a78f79881868ebcfa08176edec3fe74f582c84edd297a
SSDEEP: 12288:MZuNqaVCO9llzrGiyeWnWmzClPqwUVz6VN+mC9oZ:MkNqa99llnKdndzyqwUx6/+59o
Malware Config
Extracted
family: cybergate
version: v3.4.2.2
botnet id: RemoteShidpromo
c2: shidpromo.no-ip.biz:999
mutex: RRP65PRVV4H476
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: Svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate

Read together: install_flag is on, so the RAT writes a persistent copy named Svchost.exe into its install_dir (the WinDir\Svchost.exe drop recorded under Signatures). The keylogger is on, but FTP upload of its logs is off, so ftp_directory and ftp_interval are dead settings in this build. The payload is configured to inject into explorer.exe, which matches the SysWOW64\explorer.exe child (PID 1936) and the UPX memory hits in that process below. The C2 is a no-ip.biz dynamic-DNS name on port 999, and the connection password is the literal string cybergate. The message box is disabled, so the "Remote Administration anywhere in the world." caption is never shown to the victim.
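The extracted fields are only useful once they are turned into something a detection pipeline can check. The script below is an added example, not Triage's config extractor: it parses the key/value block exactly as printed above, derives the indicators that matter (C2 host and port, whether the host is dynamic DNS, the persistence file name, the injection target, keylogger state) and then runs a DNS-answer-to-connection pivot over a handful of constructed network log lines. The dynamic-DNS suffix list and the log line format are assumptions for the demo; the config text and C2 string are copied from this report.

```python
"""Derive checkable indicators from the CyberGate config extracted above.

Added example (not Triage's extractor). CONFIG_TEXT and C2_FIELD are copied
from this report; DYNDNS_SUFFIXES, the log format and LOG_LINES are
constructed for the demo and are assumptions.
"""

CONFIG_TEXT = """\
enable_keylogger true
enable_message_box false
ftp_directory ./logs
ftp_interval 30
injected_process explorer.exe
install_dir WinDir
install_file Svchost.exe
install_flag true
keylogger_enable_ftp false
message_box_caption Remote Administration anywhere in the world.
message_box_title CyberGate
password cybergate
"""
C2_FIELD = "shidpromo.no-ip.biz:999"

# Partial list of dynamic-DNS zones seen in commodity RAT C2; extend from your own intel (assumption).
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "no-ip.info",
                   "ddns.net", "hopto.org", "zapto.org", "duckdns.org")


def parse_config(text: str) -> dict:
    """Parse 'key value' lines; booleans and integers are typed, everything else stays a string."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if not key:
            continue
        if value in ("true", "false"):
            cfg[key] = value == "true"
        elif value.isdigit():
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def split_c2(field: str) -> tuple:
    host, _, port = field.rpartition(":")
    return host.lower(), int(port)


def is_dynamic_dns(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def build_indicators(cfg: dict, c2_field: str) -> dict:
    host, port = split_c2(c2_field)
    return {
        "c2_host": host,
        "c2_port": port,
        "c2_dynamic_dns": is_dynamic_dns(host),
        # With install_flag off the RAT writes no persistence copy at all.
        "persistence_file": cfg["install_file"] if cfg.get("install_flag") else None,
        "injection_target": cfg.get("injected_process"),
        "keylogger": bool(cfg.get("enable_keylogger")),
        # ftp_directory / ftp_interval only matter when FTP upload is switched on.
        "keylog_ftp_exfil": bool(cfg.get("keylogger_enable_ftp")),
    }


# Constructed log lines: '<ts> <src> dns <qname> -> <answer>' or '<ts> <src> conn <ip>:<port>'.
# 203.0.113.0/24 is a documentation range, not a real C2 address.
LOG_LINES = [
    "2022-12-05T16:24:01Z 10.0.0.5 dns shidpromo.no-ip.biz -> 203.0.113.7",
    "2022-12-05T16:24:02Z 10.0.0.5 conn 203.0.113.7:999",
    "2022-12-05T16:24:03Z 10.0.0.5 dns ctldl.windowsupdate.com -> 203.0.113.50",
    "2022-12-05T16:24:04Z 10.0.0.5 conn 203.0.113.50:80",
    "2022-12-05T16:24:09Z 10.0.0.5 conn 203.0.113.7:443",
]


def match_network_log(lines, ind: dict) -> list:
    """Flag the C2 name, then any connection on the C2 port to an IP it resolved to.

    The pivot through the DNS answer matters for dynamic DNS: the address changes
    between runs, so the name is the stable indicator and the IP is learned live.
    """
    resolved = set()
    hits = []
    for line in lines:
        ts, src, kind, rest = line.split(" ", 3)
        if kind == "dns":
            qname, _, answer = rest.partition(" -> ")
            if qname.lower() == ind["c2_host"]:
                resolved.add(answer)
                hits.append(f"{ts} {src} resolved C2 {qname} -> {answer}")
        elif kind == "conn":
            ip, _, port = rest.rpartition(":")
            if ip in resolved and int(port) == ind["c2_port"]:
                hits.append(f"{ts} {src} connected to C2 {ip}:{port}")
    return hits


if __name__ == "__main__":
    indicators = build_indicators(parse_config(CONFIG_TEXT), C2_FIELD)
    for key, value in indicators.items():
        print(f"{key}: {value}")
    for hit in match_network_log(LOG_LINES, indicators):
        print(hit)
```

The port filter is deliberate so the 443 connection to the same resolved IP is not reported; if you would rather see every contact with a C2-resolved address, drop the port comparison and carry the port into the hit text instead.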
Signatures

Executes dropped EXE (2 IoCs)
pid 960  auditpol.exe
pid 572  usbmon.exe

UPX-packed code in process memory (yara_rule upx, 6 matches)
behavioral1/memory/1648-89-0x0000000010410000-0x0000000010480000-memory.dmp
behavioral1/memory/1648-93-0x0000000010480000-0x00000000104F0000-memory.dmp
behavioral1/memory/1648-102-0x00000000104F0000-0x0000000010560000-memory.dmp
behavioral1/memory/1936-107-0x00000000104F0000-0x0000000010560000-memory.dmp
behavioral1/memory/1936-108-0x00000000104F0000-0x0000000010560000-memory.dmp
behavioral1/memory/1936-134-0x00000000104F0000-0x0000000010560000-memory.dmp
Three hits are in PID 1648 (the AppLaunch.exe the sample hollows) and three in PID 1936 (the SysWOW64\explorer.exe spawned from it, matching the configured injected_process). All six regions are 0x70000 bytes, and the address that matched last in 1648 (0x104F0000) is the one that matches in 1936, consistent with the packed payload being written from the hollowed AppLaunch.exe into explorer.exe.

Loads dropped DLL (2 IoCs)
pid 2036  b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe
pid 960   auditpol.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Standard Dynamic Printing Port Monitor = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\auditpol.exe"  (written by auditpol.exe)
Despite the signature name this is a RunOnce value in the user hive (HKCU for that SID), so it needs no elevation, fires only at that user's next logon and is deleted when it runs; the dropped copy writing the entry itself is how it gets re-armed each time. The value name is chosen to look like a printing component, and the target lives under AppData\Roaming rather than a system directory.

Drops file in System32 directory (2 IoCs)
File created: C:\Windows\SysWOW64\WinDir\Svchost.exe  (AppLaunch.exe)
File opened for modification: C:\Windows\SysWOW64\WinDir\Svchost.exe  (AppLaunch.exe)
This is the install_dir/install_file pair from the extracted config (WinDir\Svchost.exe). The writer is the 32-bit Framework\v2.0.50727\AppLaunch.exe (not Framework64), so its System32 writes are redirected by WOW64 into SysWOW64. A Svchost.exe anywhere other than System32 or SysWOW64 itself is a masquerade; this one sits in a subfolder of SysWOW64.

Suspicious use of SetThreadContext (2 IoCs)
PID 2036 (b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe) set thread context of 1648 (AppLaunch.exe), procid_target 27
PID 572 (usbmon.exe) set thread context of 868 (AppLaunch.exe), procid_target 32
A parent that creates a child, writes into its memory and then resets the child's thread context is the process hollowing pattern. Both targets are the .NET 2.0 AppLaunch.exe, a Microsoft host binary, so the payload runs under a trusted image name and path.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the signature's stock text. Nothing else in this report (no bulk file modification, no ransom note, no dropped encryptor) supports ransomware; the extracted config identifies a CyberGate RAT, for which listing drives is routine file-browser behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Repeated process enumeration by pid 2036 (the sample), 960 (auditpol.exe) and 572 (usbmon.exe), i.e. the sample and both dropped copies; the list is capped at 64 entries.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token: SeDebugPrivilege  2036  b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe
Token: SeDebugPrivilege  960   auditpol.exe
Token: SeDebugPrivilege  1936  explorer.exe (twice)
Token: SeDebugPrivilege  572   usbmon.exe
SeDebugPrivilege is what the injecting processes need to open other processes for writing; explorer.exe (1936) asking for it shows it is already running injected code.

Suspicious use of FindShellTrayWindow (1 IoC)
pid 1648  AppLaunch.exe

Suspicious use of WriteProcessMemory (64 IoCs)
PID 2036 (b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe) wrote to memory of 1648 (AppLaunch.exe), procid_target 27: repeated entries
PID 2036 (b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe) wrote to memory of 960 (auditpol.exe), procid_target 28: 4 entries
PID 960 (auditpol.exe) wrote to memory of 572 (usbmon.exe), procid_target 29: 4 entries
PID 1648 (AppLaunch.exe) wrote to memory of 984 (iexplore.exe), procid_target 30: the largest group; the list is capped at 64 entries
Read with the SetThreadContext rows: 2036 → 1648 has both the memory writes and the context reset (hollowing); 572 → 868 shows the context reset but its writes fall outside the 64-entry cap. The 1648 → 984 writes into Internet Explorer have no context reset recorded on this page.
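The two signature tables above only become a hollowing finding when they are joined on (writer, target). The script below is an added example, not Triage's signature logic: it parses event rows in exactly the form Triage prints them ("PID <src> set thread context of <dst> <src> <image> <procid_target>"), pairs memory writes with thread-context resets per parent/child pair, and grades each pair. The PID-to-image table and the event rows are transcribed from this report with the repeated WriteProcessMemory rows collapsed to one line each; the confidence labels and the "system host" heuristic are this example's own choices.

```python
"""Correlate SetThreadContext and WriteProcessMemory rows into hollowing findings.

Added example, not Triage's signature logic. PROCESSES and EVENTS are
transcribed from this report (repeated rows collapsed); the confidence
labels and is_system_host() heuristic are assumptions of this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe"

# PID -> image path, from the Processes section of this report.
PROCESSES = {
    1208: r"C:\Windows\Explorer.EXE",
    2036: r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
    1648: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe",
    984: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1936: r"C:\Windows\SysWOW64\explorer.exe",
    960: r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\auditpol.exe",
    572: r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\usbmon.exe",
    868: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe",
}

# One line per distinct row in the SetThreadContext / WriteProcessMemory tables.
EVENTS = [
    "PID 2036 set thread context of 1648 2036 " + SAMPLE + " 27",
    "PID 572 set thread context of 868 572 usbmon.exe 32",
    "PID 2036 wrote to memory of 1648 2036 " + SAMPLE + " 27",
    "PID 2036 wrote to memory of 960 2036 " + SAMPLE + " 28",
    "PID 960 wrote to memory of 572 960 auditpol.exe 29",
    "PID 1648 wrote to memory of 984 1648 AppLaunch.exe 30",
]

EVENT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)$")
KINDS = {"set thread context of": "set_thread_context",
         "wrote to memory of": "write_memory"}


@dataclass(frozen=True)
class Event:
    src: int
    kind: str
    dst: int
    src_image: str


def parse_events(lines):
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event row: {line!r}")
        src, verb, dst, image, _target = m.groups()
        events.append(Event(int(src), KINDS[verb], int(dst), image))
    return events


def is_system_host(path):
    """Hollowing hosts are normally legitimate binaries under the Windows directory,
    so the injected code inherits the host's name, path and signature status."""
    return path.lower().startswith("c:\\windows\\")


def find_hollowing(events, processes):
    """One finding per (parent, child) pair that had its thread context reset."""
    kinds_by_pair = defaultdict(set)
    for e in events:
        kinds_by_pair[(e.src, e.dst)].add(e.kind)
    findings = []
    for (src, dst), kinds in sorted(kinds_by_pair.items()):
        if "set_thread_context" not in kinds:
            continue
        target = processes.get(dst, "<unknown>")
        # Both halves seen (payload written, then thread redirected) -> high.
        # Context reset alone -> medium: the writes may simply be past the 64-row cap.
        confidence = "high" if "write_memory" in kinds else "medium"
        findings.append({
            "parent": src, "parent_image": processes.get(src, "<unknown>"),
            "target": dst, "target_image": target,
            "system_host": is_system_host(target), "confidence": confidence,
        })
    return findings


def write_only_pairs(events):
    """Parent->child writes with no context reset: worth a look, not hollowing on their own."""
    kinds_by_pair = defaultdict(set)
    for e in events:
        kinds_by_pair[(e.src, e.dst)].add(e.kind)
    return sorted(p for p, k in kinds_by_pair.items() if k == {"write_memory"})


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for f in find_hollowing(evs, PROCESSES):
        print(f"{f['confidence']:6} {f['parent']} -> {f['target']} {f['target_image']}")
    print("write-only pairs:", write_only_pairs(evs))
```

On this report the output is one high-confidence pair (2036 → 1648) and one medium pair (572 → 868), both into AppLaunch.exe, plus three write-only pairs (2036 → 960, 960 → 572, 1648 → 984) that deserve a look at the child's behaviour rather than an automatic hollowing verdict.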
Processes
- C:\Windows\Explorer.EXE  (PID 1208)  command line: C:\Windows\Explorer.EXE
  (the user's shell, which launched the sample)
  - C:\Users\Admin\AppData\Local\Temp\b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe  (PID 2036)  command line: "C:\Users\Admin\AppData\Local\Temp\b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe"
    Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  (PID 1648)  command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      Drops file in System32 directory; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\iexplore.exe  (PID 984)  command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Windows\SysWOW64\explorer.exe  (PID 1936)  command line: explorer.exe
        Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\auditpol.exe  (PID 960)  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\auditpol.exe"
      Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\usbmon.exe  (PID 572)  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\usbmon.exe"
        Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe  (PID 868)  command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"

Reading the tree: the sample (2036) hollows a 32-bit AppLaunch.exe (1648), which writes the WinDir\Svchost.exe copy and starts both Internet Explorer (984) and a bare "explorer.exe" (1936) that then requests SeDebugPrivilege and holds the UPX-packed payload. In parallel the sample launches the auditpol.exe copy (960), which registers the RunOnce entry and starts usbmon.exe (572), which in turn hollows a second AppLaunch.exe (868). The three 506KB dropped files under Downloads carry the sample's own hashes, so the dropped copies are byte-identical to it; only their names (auditpol.exe, usbmon.exe, Svchost.exe) are chosen to resemble Windows components.
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files; Triage emits one record per dropped-file instance and this export carries no paths, so identical content appears more than once)
- 385KB, 1 record
  MD5 46d9d5e9cc925b53ed7ede1147efbb7a
  SHA1 4d0c3ce9e247388eff0cb389be9bc4aa480b7d64
  SHA256 74aaebf4431ea6a5ea61c1f68603d011b3babc75bb3075a558cb11eb65724f4d
  SHA512 13e57a57f6bd6a84c03d5338b453a767cf8c341068ef95d59f32856f8c73de8bbb7cdbc73d35001cf6cd69d51e8acefd22cd48feb51720ee85c97ba3558147f7
- 10KB, 3 records
  MD5 006b7551025451e83b2c17cac08d8a88
  SHA1 de5cdfbca11d8a4ba59e3ca78f45bb9212789fd3
  SHA256 deea3927e5d400e23768ff5ca49079266d3d1dfcfbbc1fb94bd00bcb7b997637
  SHA512 e85135b4a2823842062d7fe7a47ab99a47d790c949812acb89467887721ac4420eac385a0a0d6efe176f672c18a0cce88fc2f9868b979428edaa07c0eda67bf6
- 506KB, 3 records (the submitted sample's own hashes, consistent with the three dropped executables named above, auditpol.exe, usbmon.exe and Svchost.exe, being straight copies of it)
  MD5 88fa1b50e7dd8da0fcfa2677abed4970
  SHA1 e615141b3dc528816c5220d66fc6a7b2c2936bfb
  SHA256 b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937
  SHA512 681573bd0908f64bcd84b3314f0c4fe280e1f71d9afeab4cf8810480ed96306bee93a1d4f11f6b56b32a78f79881868ebcfa08176edec3fe74f582c84edd297a