Analysis
-
max time kernel
151s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06-12-2022 10:15
General
-
Target
ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e.exe
-
Size
592KB
-
MD5
3dc6abde67be49266e4d9ba902a37f41
-
SHA1
97226fce30bf31d631450baeb9a369c0f5deceb8
-
SHA256
ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
-
SHA512
2b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
-
SSDEEP
12288:2zDvAgGUUcagPY3OvuZpDV0VUdvOVS8EirXQFifXZrVZghQNp:2TY3OvuZ70RVS8RcdU
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
cybergate
2.6
Hacker
emree.zapto.org:81
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
smss
-
install_file
smss.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
123
-
regkey_hkcu
smss
-
regkey_hklm
smss
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e.exe"C:\Users\Admin\AppData\Local\Temp\ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e.EXEC:\Users\Admin\AppData\Local\Temp\ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e.EXE3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\smss\smss.exe"C:\Windows\system32\smss\smss.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\smss\smss.EXEC:\Windows\SysWOW64\smss\smss.EXE6⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txtFilesize
229KB
MD5842d9222f9147d03eaeb1dcaca21fdf1
SHA1882f3f9875146fabb6e6c9cf734f199e1a1b0c1f
SHA25634650b01620ec31a235ca57913cf7907f6b85286c2596c73d3d370047c8d8efb
SHA512e606aefab4eec07dac6a8630b273b5469a592ed27bc1b8ace1cc0eb102137fccc85b28f504b927a95980b81e3f61a8b5ea8b4c4fbbd9fc01b4987f17f64c71e3
-
C:\Windows\SYSTEM.INIFilesize
255B
MD5f2e9be717a60dfbdc29abc21c3eb7a2b
SHA1944fec29cd5c7be62bd44a04c950e4f880aca0b9
SHA256d40cbbc68f9f5e2ef8e960c5eacdab471a123de188130f8a1c95bf814b820156
SHA512def3acfb0dd2b2334149ea8cbf0cfac17061d2bb90689d49baeea230b80424c4f7709c08bf571d7900f364cca6ea2f7f5310610b64f35490787bbedf4fc256bc
-
C:\Windows\SysWOW64\smss\smss.exeFilesize
592KB
MD53dc6abde67be49266e4d9ba902a37f41
SHA197226fce30bf31d631450baeb9a369c0f5deceb8
SHA256ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
SHA5122b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
-
C:\Windows\SysWOW64\smss\smss.exeFilesize
592KB
MD53dc6abde67be49266e4d9ba902a37f41
SHA197226fce30bf31d631450baeb9a369c0f5deceb8
SHA256ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
SHA5122b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
-
C:\Windows\SysWOW64\smss\smss.exeFilesize
660KB
MD54bd4c92b95a81b59bdd1a23454d47a9f
SHA1dd209e16577a79744441fe746639d1f4b205140b
SHA256cb3f48b4ef064985743abfaf5aa77b6e6f843f5fe4b92629b828c1a9dd67c938
SHA5129ca58b9d089a8944eebc1fb2702b3c159ba99bd333dbd5ec64587061b84b1dd9921b3d44cb8a6ccf5edf4a1920348ff57727eb0f9fa547b5eb9fc993af09d879
-
C:\Windows\SysWOW64\smss\smss.exeFilesize
592KB
MD53dc6abde67be49266e4d9ba902a37f41
SHA197226fce30bf31d631450baeb9a369c0f5deceb8
SHA256ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
SHA5122b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
-
\Windows\SysWOW64\smss\smss.exeFilesize
592KB
MD53dc6abde67be49266e4d9ba902a37f41
SHA197226fce30bf31d631450baeb9a369c0f5deceb8
SHA256ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
SHA5122b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
-
\Windows\SysWOW64\smss\smss.exeFilesize
592KB
MD53dc6abde67be49266e4d9ba902a37f41
SHA197226fce30bf31d631450baeb9a369c0f5deceb8
SHA256ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
SHA5122b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
-
memory/740-117-0x0000000002DD0000-0x0000000002DD2000-memory.dmpFilesize
8KB
-
memory/740-82-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/740-122-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/740-74-0x0000000000000000-mapping.dmp
-
memory/740-76-0x00000000752E1000-0x00000000752E3000-memory.dmpFilesize
8KB
-
memory/740-83-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/1076-119-0x0000000000480000-0x00000000004DF000-memory.dmpFilesize
380KB
-
memory/1076-121-0x0000000000480000-0x00000000004B1000-memory.dmpFilesize
196KB
-
memory/1076-101-0x0000000000000000-mapping.dmp
-
memory/1108-128-0x0000000005480000-0x000000000650E000-memory.dmpFilesize
16.6MB
-
memory/1108-127-0x0000000002F10000-0x0000000002F12000-memory.dmpFilesize
8KB
-
memory/1108-126-0x0000000005480000-0x000000000650E000-memory.dmpFilesize
16.6MB
-
memory/1108-87-0x0000000000000000-mapping.dmp
-
memory/1108-118-0x0000000002F10000-0x0000000002F12000-memory.dmpFilesize
8KB
-
memory/1108-95-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/1108-123-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/1108-98-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/1416-71-0x0000000024010000-0x0000000024072000-memory.dmpFilesize
392KB
-
memory/1488-56-0x0000000076681000-0x0000000076683000-memory.dmpFilesize
8KB
-
memory/1644-124-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1644-107-0x0000000000455BD0-mapping.dmp
-
memory/1644-120-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1644-111-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1644-112-0x0000000001DB0000-0x0000000002E3E000-memory.dmpFilesize
16.6MB
-
memory/1644-125-0x0000000001DB0000-0x0000000002E3E000-memory.dmpFilesize
16.6MB
-
memory/1644-114-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1644-116-0x0000000001DB0000-0x0000000002E3E000-memory.dmpFilesize
16.6MB
-
memory/1644-115-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1988-90-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/1988-57-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1988-61-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1988-62-0x0000000001E20000-0x0000000002EAE000-memory.dmpFilesize
16.6MB
-
memory/1988-63-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1988-64-0x0000000001E20000-0x0000000002EAE000-memory.dmpFilesize
16.6MB
-
memory/1988-97-0x0000000001E20000-0x0000000002EAE000-memory.dmpFilesize
16.6MB
-
memory/1988-96-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1988-68-0x0000000024010000-0x0000000024072000-memory.dmpFilesize
392KB
-
memory/1988-65-0x0000000001DB0000-0x0000000001DB2000-memory.dmpFilesize
8KB
-
memory/1988-66-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1988-77-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/1988-58-0x0000000000455BD0-mapping.dmp