Analysis
-
max time kernel
152s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06-12-2022 12:35
General
-
Target
d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08.exe
-
Size
408KB
-
MD5
02d2246e8490d5026ce27d3879968442
-
SHA1
1d1970a37196baa1e8c757e1aa9942fc5ad3d16d
-
SHA256
d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08
-
SHA512
c05eeab9cc7584f5950d76a89b44de528b8049d4b354fb62f2984468940b195b8f1834d34473cf843200f5786ef1ae8a9de392b04ed921bc51f1c2222be5e224
-
SSDEEP
12288:L0dCa+Taw6Z/+JKuzxQxqbJhX6XsrzwkzyhD:gdCa+ew6ZYKcrbJht9zy
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
cybergate
2.6
Hacker
emree.zapto.org:81
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
smss
-
install_file
smss.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
123
-
regkey_hkcu
smss
-
regkey_hklm
smss
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08.exe"C:\Users\Admin\AppData\Local\Temp\d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08.exeC:\Users\Admin\AppData\Local\Temp\d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08.exe2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\smss\smss.exe"C:\Windows\system32\smss\smss.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\smss\smss.exeC:\Windows\SysWOW64\smss\smss.exe5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txtFilesize
229KB
MD516dadff00df68c837f1a72903a4fca72
SHA1881ae86515d96a0f0e96909a189c9efc33a9be4a
SHA256ea7c2f033035f9579733051526646b2fb4a7ae385397f342787338b844085db2
SHA512a4aa5b04f8c539e775d370ad3d9921ba02875b2cbadfe336563412822a16aa484ba5864c1370bfbae87b6c33e740e30812fbea6de5278e3a6cdd06cc6bc76adc
-
C:\Windows\SYSTEM.INIFilesize
255B
MD5b1be4fd69bd8318555c13877531d0c28
SHA13aee1976c040da5dd8a0bda42d5b5db3cb4d75a6
SHA256ac50b2d2a47a11fd9fc2e5dc9f04fef7823d5e290a64bad9be479b89ce62cb13
SHA5124f8457c92a22272bf0b601ca08c3e4d8a39be21b98ea92953db846b8663e13d83829e3b8390ea90db9d932326185412af50f826baec4ef89f04a2d2526a8c4b0
-
C:\Windows\SysWOW64\smss\smss.exeFilesize
408KB
MD502d2246e8490d5026ce27d3879968442
SHA11d1970a37196baa1e8c757e1aa9942fc5ad3d16d
SHA256d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08
SHA512c05eeab9cc7584f5950d76a89b44de528b8049d4b354fb62f2984468940b195b8f1834d34473cf843200f5786ef1ae8a9de392b04ed921bc51f1c2222be5e224
-
C:\Windows\SysWOW64\smss\smss.exeFilesize
408KB
MD502d2246e8490d5026ce27d3879968442
SHA11d1970a37196baa1e8c757e1aa9942fc5ad3d16d
SHA256d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08
SHA512c05eeab9cc7584f5950d76a89b44de528b8049d4b354fb62f2984468940b195b8f1834d34473cf843200f5786ef1ae8a9de392b04ed921bc51f1c2222be5e224
-
C:\Windows\SysWOW64\smss\smss.exeFilesize
408KB
MD502d2246e8490d5026ce27d3879968442
SHA11d1970a37196baa1e8c757e1aa9942fc5ad3d16d
SHA256d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08
SHA512c05eeab9cc7584f5950d76a89b44de528b8049d4b354fb62f2984468940b195b8f1834d34473cf843200f5786ef1ae8a9de392b04ed921bc51f1c2222be5e224
-
\Windows\SysWOW64\smss\smss.exeFilesize
408KB
MD502d2246e8490d5026ce27d3879968442
SHA11d1970a37196baa1e8c757e1aa9942fc5ad3d16d
SHA256d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08
SHA512c05eeab9cc7584f5950d76a89b44de528b8049d4b354fb62f2984468940b195b8f1834d34473cf843200f5786ef1ae8a9de392b04ed921bc51f1c2222be5e224
-
\Windows\SysWOW64\smss\smss.exeFilesize
408KB
MD502d2246e8490d5026ce27d3879968442
SHA11d1970a37196baa1e8c757e1aa9942fc5ad3d16d
SHA256d86480796bd23d54e037d296ab001ce345b1f8e6ac72232b9340defc94d43e08
SHA512c05eeab9cc7584f5950d76a89b44de528b8049d4b354fb62f2984468940b195b8f1834d34473cf843200f5786ef1ae8a9de392b04ed921bc51f1c2222be5e224
-
memory/580-120-0x0000000003D30000-0x0000000004DBE000-memory.dmpFilesize
16.6MB
-
memory/580-114-0x0000000002E40000-0x0000000002E42000-memory.dmpFilesize
8KB
-
memory/580-121-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/580-123-0x0000000002E40000-0x0000000002E42000-memory.dmpFilesize
8KB
-
memory/580-73-0x0000000000000000-mapping.dmp
-
memory/580-75-0x0000000074621000-0x0000000074623000-memory.dmpFilesize
8KB
-
memory/580-81-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/580-82-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/580-124-0x0000000003D30000-0x0000000004DBE000-memory.dmpFilesize
16.6MB
-
memory/948-100-0x0000000000000000-mapping.dmp
-
memory/1012-112-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1012-105-0x0000000000455BD0-mapping.dmp
-
memory/1012-119-0x0000000001F30000-0x0000000002FBE000-memory.dmpFilesize
16.6MB
-
memory/1012-118-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1012-117-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1012-115-0x0000000000390000-0x0000000000392000-memory.dmpFilesize
8KB
-
memory/1012-113-0x0000000001F30000-0x0000000002FBE000-memory.dmpFilesize
16.6MB
-
memory/1012-110-0x0000000001F30000-0x0000000002FBE000-memory.dmpFilesize
16.6MB
-
memory/1012-109-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1268-70-0x0000000024010000-0x0000000024072000-memory.dmpFilesize
392KB
-
memory/1844-97-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/1844-122-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/1844-94-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/1844-86-0x0000000000000000-mapping.dmp
-
memory/1844-116-0x0000000002EC0000-0x0000000002EC2000-memory.dmpFilesize
8KB
-
memory/2024-76-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/2024-64-0x0000000000500000-0x0000000000502000-memory.dmpFilesize
8KB
-
memory/2024-63-0x0000000002010000-0x000000000309E000-memory.dmpFilesize
16.6MB
-
memory/2024-96-0x0000000002010000-0x000000000309E000-memory.dmpFilesize
16.6MB
-
memory/2024-62-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2024-65-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2024-95-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2024-56-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2024-89-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/2024-61-0x0000000002010000-0x000000000309E000-memory.dmpFilesize
16.6MB
-
memory/2024-59-0x0000000075071000-0x0000000075073000-memory.dmpFilesize
8KB
-
memory/2024-67-0x0000000024010000-0x0000000024072000-memory.dmpFilesize
392KB
-
memory/2024-60-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2024-57-0x0000000000455BD0-mapping.dmp