Analysis

  • max time kernel
    152s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022 (day/month/year, i.e. 2022-12-05; the run image is dated 2022-11-11), 16:23 UTC

General

  • Target

    b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe

  • Size

    506KB

  • MD5

    88fa1b50e7dd8da0fcfa2677abed4970

  • SHA1

    e615141b3dc528816c5220d66fc6a7b2c2936bfb

  • SHA256

    b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937

  • SHA512

    681573bd0908f64bcd84b3314f0c4fe280e1f71d9afeab4cf8810480ed96306bee93a1d4f11f6b56b32a78f79881868ebcfa08176edec3fe74f582c84edd297a

  • SSDEEP

    12288:MZuNqaVCO9llzrGiyeWnWmzClPqwUVz6VN+mC9oZ:MkNqa99llnKdndzyqwUx6/+59o

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

RemoteShidpromo

C2

shidpromo.no-ip.biz:999

Mutex

RRP65PRVV4H476

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this "likely ransomware behaviour"; for this sample, with a CyberGate configuration extracted and no file-encryption signature fired, drive enumeration is better read as the RAT's file-management functionality than as ransomware.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3020
      • C:\Users\Admin\AppData\Local\Temp\b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe
        "C:\Users\Admin\AppData\Local\Temp\b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4840
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            4⤵
              PID:4520
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3320
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\auditpol.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\auditpol.exe"
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\usbmon.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\usbmon.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              PID:992
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                5⤵
                  PID:820
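
        Detection note. The SetThreadContext and WriteProcessMemory signatures on the submitted sample (PID 2808) and on usbmon.exe (PID 992), each followed by a child .NET 2.0 AppLaunch.exe with a 452KB region at 0x400000-0x471000, are consistent with process hollowing of AppLaunch.exe; the A-record lookup of the C2 host is issued by the 32-bit explorer.exe, which matches the config's injected_process. The script below is an added example, not tria.ge output and not CyberGate code: it turns the extracted config, the signature list and the process tree into a matcher over Sysmon-style events. The event records are constructed here for illustration, and the Run value name "usbmon" is an assumption (the report says a Run key was added but not what it was named).

```python
"""Match the indicators from this report against Sysmon-style events.

Added example, not tria.ge output and not CyberGate code. The event
records are constructed for illustration; field names (EventID, Image,
ParentImage, Hashes, TargetFilename, TargetObject, Details, QueryName)
follow Sysmon's schema. The Run value name "usbmon" is an assumption.
"""
import re

# Indicators taken from the report.
SHA256_IOCS = {
    "b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937",  # submitted sample and usbmon.exe
    "deea3927e5d400e23768ff5ca49079266d3d1dfcfbbc1fb94bd00bcb7b997637",  # auditpol.exe
    "74aaebf4431ea6a5ea61c1f68603d011b3babc75bb3075a558cb11eb65724f4d",  # Admin2.txt
}
C2_HOSTS = {"shidpromo.no-ip.biz"}
DROP_PATHS = (  # lower-case path suffixes, matched with str.endswith
    "\\appdata\\roaming\\microsoft\\windows\\auditpol.exe",
    "\\appdata\\roaming\\microsoft\\windows\\usbmon.exe",
)
# The .NET 2.0 AppLaunch.exe host that received SetThreadContext/WriteProcessMemory.
HOLLOW_HOST = "\\microsoft.net\\framework\\v2.0.50727\\applaunch.exe"
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"


def _sha256_from_hashes(field):
    """Sysmon writes 'MD5=...,SHA256=...,IMPHASH=...'; pull out the SHA256."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", field or "")
    return m.group(1).lower() if m else None


def match_event(ev):
    """Return (severity, reason) hits for one event; an empty list if clean."""
    hits = []
    eid = ev.get("EventID")
    image = (ev.get("Image") or "").lower()
    if eid == 1:  # ProcessCreate
        digest = _sha256_from_hashes(ev.get("Hashes"))
        if digest in SHA256_IOCS:
            hits.append(("high", f"known sample hash {digest[:12]} started: {image}"))
        if image.endswith(DROP_PATHS):
            hits.append(("high", f"dropped file executed: {image}"))
        parent = (ev.get("ParentImage") or "").lower()
        if image.endswith(HOLLOW_HOST) and not parent.endswith(HOLLOW_HOST):
            hits.append(("medium", f"AppLaunch.exe started by {parent}: possible hollowing host"))
    elif eid == 11:  # FileCreate
        target = (ev.get("TargetFilename") or "").lower()
        if target.endswith(DROP_PATHS):
            hits.append(("high", f"drop path written: {target}"))
    elif eid == 13:  # RegistryValueSet
        key = (ev.get("TargetObject") or "").lower()
        details = (ev.get("Details") or "").lower()
        if RUN_KEY_FRAGMENT in key and details.endswith(DROP_PATHS):
            hits.append(("high", f"Run-key persistence pointing at drop path: {details}"))
    elif eid == 22:  # DnsQuery
        if (ev.get("QueryName") or "").lower() in C2_HOSTS:
            hits.append(("high", f"C2 DNS lookup {ev['QueryName']} from {image}"))
    return hits


def scan(events):
    """Run match_event over a sequence of events; return [(index, severity, reason)]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in match_event(ev)]


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937.exe"
APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe"
AUDITPOL = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\auditpol.exe"
USBMON = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\usbmon.exe"

SAMPLE_EVENTS = [  # constructed events, loosely following the process tree above
    {"EventID": 1, "Image": SAMPLE, "ParentImage": "C:\\Windows\\Explorer.EXE",
     "Hashes": "SHA256=b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937"},
    {"EventID": 1, "Image": APPLAUNCH, "ParentImage": SAMPLE},
    {"EventID": 11, "Image": APPLAUNCH, "TargetFilename": USBMON},
    {"EventID": 13, "Image": AUDITPOL,
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\usbmon",  # value name assumed
     "Details": USBMON},
    {"EventID": 22, "Image": "C:\\Windows\\SysWOW64\\explorer.exe", "QueryName": "shidpromo.no-ip.biz"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\Explorer.EXE"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{sev}] {why}")
```

        Sysmon does not log mutex creation, so the mutex RRP65PRVV4H476 is left for host triage or a memory scan rather than event matching. The AppLaunch.exe rule is deliberately rated medium: legitimate .NET 2.0 installers also spawn it, so it is a pivot, not a verdict. The no-ip.biz dynamic DNS host is an indicator with a shelf life; the hash and drop-path rules remain valid after the C2 moves.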

        Network

        DNS requests (all sent to 8.8.8.8:53; the report records no answer records for any of them)

        • 164.2.77.40.in-addr.arpa IN PTR (reverse lookup of 40.77.2.164)
          Response: none recorded
        • 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa IN PTR (reverse lookup of 2603:1020:2:3::67)
          Response: none recorded
        • shidpromo.no-ip.biz IN A, issued by explorer.exe (the C2 host from the extracted config)
          Response: none recorded
        Flows (columns as listed by the sandbox: bytes sent, packets sent; DNS rows also show bytes and packets received; the TCP rows record nothing received)

          remote address        sent    recv    pkts sent  pkts recv  note
          93.184.221.240:80     322 B   -       7          -
          40.74.98.195:443      322 B   -       7          -
          104.80.225.205:443    322 B   -       7          -
          93.184.221.240:80     322 B   -       7          -
          93.184.221.240:80     322 B   -       7          -
          93.184.221.240:80     322 B   -       7          -
          40.126.31.71:443      260 B   -       5          -
          52.242.97.97:443      260 B   -       5          -
          93.184.221.240:80     260 B   -       5          -
          93.184.221.240:80     260 B   -       5          -
          93.184.221.240:80     260 B   -       5          -
          8.8.8.8:53            70 B    144 B   1          1          dns, PTR 164.2.77.40.in-addr.arpa
          8.8.8.8:53            118 B   204 B   1          1          dns, PTR 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa
          8.8.8.8:53            65 B    125 B   1          1          dns, A shidpromo.no-ip.biz, from explorer.exe

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

          Filesize

          385KB

          MD5

          46d9d5e9cc925b53ed7ede1147efbb7a

          SHA1

          4d0c3ce9e247388eff0cb389be9bc4aa480b7d64

          SHA256

          74aaebf4431ea6a5ea61c1f68603d011b3babc75bb3075a558cb11eb65724f4d

          SHA512

          13e57a57f6bd6a84c03d5338b453a767cf8c341068ef95d59f32856f8c73de8bbb7cdbc73d35001cf6cd69d51e8acefd22cd48feb51720ee85c97ba3558147f7

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\auditpol.exe

          Filesize

          10KB

          MD5

          006b7551025451e83b2c17cac08d8a88

          SHA1

          de5cdfbca11d8a4ba59e3ca78f45bb9212789fd3

          SHA256

          deea3927e5d400e23768ff5ca49079266d3d1dfcfbbc1fb94bd00bcb7b997637

          SHA512

          e85135b4a2823842062d7fe7a47ab99a47d790c949812acb89467887721ac4420eac385a0a0d6efe176f672c18a0cce88fc2f9868b979428edaa07c0eda67bf6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\usbmon.exe
          (same size and hashes as the submitted sample, i.e. a self-copy; this path differs from the extracted config's install_dir/install_file of WinDir\Svchost.exe)

          Filesize

          506KB

          MD5

          88fa1b50e7dd8da0fcfa2677abed4970

          SHA1

          e615141b3dc528816c5220d66fc6a7b2c2936bfb

          SHA256

          b6cf902530ad4e155121db7b320fd49b9b0000a28b0222b4ad2b745b0d0ff937

          SHA512

          681573bd0908f64bcd84b3314f0c4fe280e1f71d9afeab4cf8810480ed96306bee93a1d4f11f6b56b32a78f79881868ebcfa08176edec3fe74f582c84edd297a

        • memory/820-173-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

        • memory/820-172-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

        • memory/992-162-0x00000000753F0000-0x00000000759A1000-memory.dmp

          Filesize

          5.7MB

        • memory/992-166-0x00000000753F0000-0x00000000759A1000-memory.dmp

          Filesize

          5.7MB

        • memory/2504-160-0x00000000753F0000-0x00000000759A1000-memory.dmp

          Filesize

          5.7MB

        • memory/2504-164-0x00000000753F0000-0x00000000759A1000-memory.dmp

          Filesize

          5.7MB

        • memory/2808-132-0x00000000753F0000-0x00000000759A1000-memory.dmp

          Filesize

          5.7MB

        • memory/2808-133-0x00000000753F0000-0x00000000759A1000-memory.dmp

          Filesize

          5.7MB

        • memory/2808-167-0x00000000753F0000-0x00000000759A1000-memory.dmp

          Filesize

          5.7MB

        • memory/3320-152-0x00000000104F0000-0x0000000010560000-memory.dmp

          Filesize

          448KB

        • memory/3320-157-0x00000000104F0000-0x0000000010560000-memory.dmp

          Filesize

          448KB

        • memory/3320-165-0x00000000104F0000-0x0000000010560000-memory.dmp

          Filesize

          448KB

        • memory/4840-140-0x0000000010410000-0x0000000010480000-memory.dmp

          Filesize

          448KB

        • memory/4840-163-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

        • memory/4840-136-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

        • memory/4840-137-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

        • memory/4840-138-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

        • memory/4840-135-0x0000000000400000-0x0000000000471000-memory.dmp

          Filesize

          452KB

        • memory/4840-144-0x0000000010480000-0x00000000104F0000-memory.dmp

          Filesize

          448KB

        • memory/4840-149-0x00000000104F0000-0x0000000010560000-memory.dmp

          Filesize

          448KB
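
        The dump names above encode the PID, a sequence number and the dumped address range. The script below is an added example (not part of the tria.ge report) that parses that naming convention, sizes each region and reports regions dumped from more than one process; the dump names are copied from the list above.

```python
"""Parse tria.ge memory-dump names and find regions shared across processes.

Added example, not part of the report. Naming convention parsed:
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMP_NAMES = [  # copied from the report above
    "memory/820-173-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/820-172-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/992-162-0x00000000753F0000-0x00000000759A1000-memory.dmp",
    "memory/992-166-0x00000000753F0000-0x00000000759A1000-memory.dmp",
    "memory/2504-160-0x00000000753F0000-0x00000000759A1000-memory.dmp",
    "memory/2504-164-0x00000000753F0000-0x00000000759A1000-memory.dmp",
    "memory/2808-132-0x00000000753F0000-0x00000000759A1000-memory.dmp",
    "memory/2808-133-0x00000000753F0000-0x00000000759A1000-memory.dmp",
    "memory/2808-167-0x00000000753F0000-0x00000000759A1000-memory.dmp",
    "memory/3320-152-0x00000000104F0000-0x0000000010560000-memory.dmp",
    "memory/3320-157-0x00000000104F0000-0x0000000010560000-memory.dmp",
    "memory/3320-165-0x00000000104F0000-0x0000000010560000-memory.dmp",
    "memory/4840-140-0x0000000010410000-0x0000000010480000-memory.dmp",
    "memory/4840-163-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/4840-136-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/4840-137-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/4840-138-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/4840-135-0x0000000000400000-0x0000000000471000-memory.dmp",
    "memory/4840-144-0x0000000010480000-0x00000000104F0000-memory.dmp",
    "memory/4840-149-0x00000000104F0000-0x0000000010560000-memory.dmp",
]


def parse_dump_name(name):
    """Split one dump name into pid, sequence number and the [start, end) range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def fmt_size(n):
    """Report-style size string: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions_by_pid(names):
    """Distinct (start, end) regions per PID; repeated dumps of one region collapse to one entry."""
    out = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(regs) for pid, regs in out.items()}


def shared_regions(by_pid):
    """Regions dumped from more than one PID, mapped to the sorted PIDs holding them."""
    holders = defaultdict(set)
    for pid, regs in by_pid.items():
        for r in regs:
            holders[r].add(pid)
    return {r: sorted(p) for r, p in holders.items() if len(p) > 1}


if __name__ == "__main__":
    by_pid = regions_by_pid(DUMP_NAMES)
    for pid in sorted(by_pid):
        for start, end in by_pid[pid]:
            print(f"PID {pid:>5}: 0x{start:08X}-0x{end:08X} {fmt_size(end - start)}")
    for (start, end), pids in shared_regions(by_pid).items():
        print(f"shared 0x{start:08X}-0x{end:08X} ({fmt_size(end - start)}) in PIDs {pids}")
```

        Grouping the dumps this way shows three regions appearing in more than one process: the 452KB image at 0x400000-0x471000 in both AppLaunch.exe instances (PIDs 4840 and 820), the 448KB region at 0x104F0000-0x10560000 in AppLaunch.exe (4840) and in the 32-bit explorer.exe (3320), which is the injected_process named in the extracted config, and the 5.7MB region at 0x753F0000-0x759A1000 in the three non-hollowed processes (2808, 2504, 992). Those shared regions are the dumps worth carving first.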
