Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 11:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
- Resource: win7-20221111-en
General
- Target: ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
- Size: 294KB
- MD5: 625e39ec68c86460b163bf828773f2a8
- SHA1: 97a87451bec18344d3f57fc3543064c9038a8783
- SHA256: ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b
- SHA512: 6850ec706ba44413346c20e39cd671b626dc2e0a53bd4080e8630028ba7007d04c4fc45060ac21ac5c41d812f7e3155169f6ead4d8392a000f472b5e6b94fd8d
- SSDEEP: 6144:s3Z60x6xG2DUxWGaEgxyDpUKrP1dIPgBw9zX1wYNfSEBtWWL:EZP6xrDUMNxy9UokL9zNaEBtxL
Malware Config
Extracted
- Family: cybergate
- Version: 2.7 Beta 02
- Botnet: victime
- C2: farfouch-hacker.no-ip.biz:81
- Mutex: ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Process: Tempdecrypted.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"
- Executes dropped EXE (3 IoCs)
  PID 4816 Tempdecrypted.exe
  PID 4852 Tempdecrypted.exe
  PID 3240 server.exe
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Process: Tempdecrypted.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"
- YARA rule matches (rule: upx)
  C:\Users\Admin\AppData\Local\Tempdecrypted.exe (2 resources)
  behavioral2/memory/4816-140-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/4816-142-0x0000000024010000-0x0000000024072000-memory.dmp
  C:\Users\Admin\AppData\Local\Tempdecrypted.exe
  behavioral2/memory/4816-148-0x0000000024080000-0x00000000240E2000-memory.dmp
  behavioral2/memory/4852-151-0x0000000024080000-0x00000000240E2000-memory.dmp
  behavioral2/memory/4816-152-0x0000000000400000-0x0000000000458000-memory.dmp
  C:\dir\install\install\server.exe (2 resources)
  behavioral2/memory/3240-157-0x0000000000400000-0x0000000000458000-memory.dmp
  behavioral2/memory/4852-158-0x0000000024080000-0x00000000240E2000-memory.dmp
  behavioral2/memory/4852-159-0x0000000024080000-0x00000000240E2000-memory.dmp
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (Tempdecrypted.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  PID 4216 WerFault.exe, target PID 3240 server.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4816 Tempdecrypted.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4852 Tempdecrypted.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4852 Tempdecrypted.exe (2 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 5060 ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe, Tempdecrypted.exe
  PID 5060 (ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe) wrote to memory of PID 4816 (Tempdecrypted.exe): 3 entries
  PID 4816 (Tempdecrypted.exe) wrote to memory of PID 4788 (iexplore.exe): all remaining entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Tempdecrypted.exe
    Command line: "C:\Users\Admin\AppData\Local\Tempdecrypted.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - [3] C:\Users\Admin\AppData\Local\Tempdecrypted.exe
      Command line: "C:\Users\Admin\AppData\Local\Tempdecrypted.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - [4] C:\dir\install\install\server.exe
        Command line: "C:\dir\install\install\server.exe"
        - Executes dropped EXE
        - [5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 576
          - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3240 -ip 3240
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  Filesize: 230KB
  MD5: e36c7e764cc9f279e542522c0d75b4e5
  SHA1: 1db09a8c0ad3975264b88c660d6f82578201c590
  SHA256: 8882bbfe54f833a6c0f225f45ec37da002e2c2dbfbc83c784700672087729e8f
  SHA512: c4ec5f7685631875e44b921ad7a2bc6ff827736f17728c82037c78e973a9d1b3f26c1b059a4f0b2c2d2810d798b678a97f21598fb549d2f3bed004effbf3575a
- C:\Users\Admin\AppData\Local\Tempdecrypted.exe
  Filesize: 277KB
  MD5: 692ef0b811f0d3870a980485e56d1f64
  SHA1: 912e771a698e902a7ff87f94b84adc1ae5feed68
  SHA256: 49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c
  SHA512: 032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697
- C:\dir\install\install\server.exe
  Filesize: 277KB
  MD5: 692ef0b811f0d3870a980485e56d1f64
  SHA1: 912e771a698e902a7ff87f94b84adc1ae5feed68
  SHA256: 49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c
  SHA512: 032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697
- memory/3240-157-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/3240-155-0x0000000000000000-mapping.dmp
- memory/4816-148-0x0000000024080000-0x00000000240E2000-memory.dmp (Filesize: 392KB)
- memory/4816-152-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/4816-142-0x0000000024010000-0x0000000024072000-memory.dmp (Filesize: 392KB)
- memory/4816-140-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/4816-136-0x0000000000000000-mapping.dmp
- memory/4852-146-0x0000000000000000-mapping.dmp
- memory/4852-151-0x0000000024080000-0x00000000240E2000-memory.dmp (Filesize: 392KB)
- memory/4852-158-0x0000000024080000-0x00000000240E2000-memory.dmp (Filesize: 392KB)
- memory/4852-159-0x0000000024080000-0x00000000240E2000-memory.dmp (Filesize: 392KB)
- memory/5060-132-0x0000000000400000-0x000000000040D150-memory.dmp (Filesize: 52KB)
- memory/5060-139-0x0000000000400000-0x000000000040D150-memory.dmp (Filesize: 52KB)
- memory/5060-133-0x0000000000400000-0x000000000040D150-memory.dmp (Filesize: 52KB)