Analysis
max time kernel: 157s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2023, 11:10
Static task: static1
Behavioral task: behavioral1
Sample: aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe
Resource: win7-20220812-en
General
Target: aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe
Size: 597KB
MD5: a7cf3a9a2608091aeefd3b028f6c8212
SHA1: 773f38e2676c57f2b70754aca0a0ddc0e3b3861f
SHA256: aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745
SHA512: 22ab8c3f06bfc3ce4cb1c886b9fec218cc8a6245c6adc96ac16308a5bdb3ae02fc7ab5437a87182b3d00074009219f1814b84e4b3b1b2a6ebfa38000bfb3185f
SSDEEP: 12288:p7JRNRtfWDuCIe0A/RDwtOkNglXrOS8OmARzFmInZkUb/G//MM3trzpHw0:ptO6+f/5wtmxrOS8zOZkWuB
Malware Config
Extracted
cybergate
v1.18.0 - Crack Version
1
hobolicker.servebeer.com:569
Y0108IAWI27L0C
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: false
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: giblets1880
Signatures
-
Executes dropped EXE  2 IoCs
pid   Process
1136  svchost.exe
4744  svchost.exe

resource                                                                      yara_rule
behavioral2/memory/1136-147-0x0000000010410000-0x0000000010482000-memory.dmp  upx
behavioral2/memory/1136-153-0x0000000010490000-0x0000000010502000-memory.dmp  upx
behavioral2/memory/4744-156-0x0000000010490000-0x0000000010502000-memory.dmp  upx
behavioral2/memory/4744-158-0x0000000010490000-0x0000000010502000-memory.dmp  upx
behavioral2/memory/4744-160-0x0000000010490000-0x0000000010502000-memory.dmp  upx
Checks computer location settings  2 TTPs  2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  wscript.exe
Drops startup file  2 IoCs
description                   ioc                                                                                          Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcnp .exe  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcnp .exe  cmd.exe
Adds Run key to start application  2 TTPs  1 IoCs
description      ioc                                                                                                                                                                        Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcnp = "C:\\Users\\Admin\\AppData\\Roaming\\msvcnp .exe"  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe
Suspicious use of SetThreadContext  1 IoCs
description                              pid   Process                                                                Target PID
PID 2052 set thread context of 1136     2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe  86 (PID 1136, the dropped C:\Windows\Temp\svchost.exe)
The same parent also writes repeatedly into PID 1136 (see "Suspicious use of WriteProcessMemory" below); a parent writing a child's memory and then resetting its thread context is the pattern behind process hollowing, which is why this call is flagged.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this heuristic as likely ransomware behaviour; it is a generic drive-enumeration check, and here the extracted config identifies the sample as a CyberGate RAT, so weigh it accordingly rather than reading it as an encryption indicator on its own.
Suspicious behavior: EnumeratesProcesses  8 IoCs
pid   Process
2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe  (8 occurrences)
Suspicious behavior: GetForegroundWindowSpam  1 IoCs
pid   Process
4744  svchost.exe
Suspicious use of AdjustPrivilegeToken  5 IoCs
description                pid   Process
Token: SeDebugPrivilege    2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe
Token: SeBackupPrivilege   4744  svchost.exe
Token: SeRestorePrivilege  4744  svchost.exe
Token: SeDebugPrivilege    4744  svchost.exe
Token: SeDebugPrivilege    4744  svchost.exe
Suspicious use of WriteProcessMemory  64 IoCs
Identical rows are collapsed; the count in the last column is the number of times the row appears in the report.
description                        pid   Process                                                                procid_target  count
PID 2052 wrote to memory of 1400  2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe  82             3
PID 1400 wrote to memory of 3436  1400  cmd.exe                                                                84             3
PID 2052 wrote to memory of 4812  2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe  85             3
PID 2052 wrote to memory of 1136  2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe  86             13
PID 2052 wrote to memory of 4804  2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe  88             3
PID 2052 wrote to memory of 1448  2052  aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe  87             3
PID 3436 wrote to memory of 364   3436  wscript.exe                                                            89             3
PID 1136 wrote to memory of 4444  1136  svchost.exe                                                            91             33
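The persistence and masquerading artefacts in the signatures above (a Run value pointing into AppData\Roaming at a file named "msvcnp .exe" with a space before the extension, a file of the same name written to the Startup folder, and svchost.exe executing from C:\Windows\Temp rather than System32) are easy to express as host-log detections. The block below is an added example, not part of the sandbox report or of any vendor tooling: it runs three such checks over constructed Sysmon-style events. The field names follow Sysmon's EventID 1/11/13 schema, but the events themselves are synthetic, built from the IoCs listed above plus two benign controls.

```python
"""Detection checks over constructed Sysmon-style events.

EventID 1 = process create, 11 = file create, 13 = registry value set.
Field names follow Sysmon's schema; the events are synthetic, assembled from
the IoCs in the report (Run value "msvcnp", Startup-folder file "msvcnp .exe",
svchost.exe executing from C:\\Windows\\Temp).
"""
import ntpath
import re
from typing import Dict, Iterable, List

SAMPLE = "aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe"

# Directories a genuine svchost.exe runs from.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# User-writable locations that a Run value rarely points at legitimately.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
# Whitespace immediately before the extension, as in "msvcnp .exe".
SPACE_BEFORE_EXT = re.compile(r"\s\.[a-z0-9]{1,4}$", re.IGNORECASE)


def _norm(path: str) -> str:
    """Lower-case and strip surrounding quotes so comparisons ignore case and quoting."""
    return path.strip().strip('"').lower()


def _finding(rule: str, event: Dict, evidence: List[str]) -> Dict:
    return {"rule": rule, "pid": event.get("ProcessId"),
            "image": event.get("Image"), "evidence": evidence}


def check_run_key(event: Dict) -> List[Dict]:
    """EventID 13: Run value pointing at a user-writable path or a padded file name."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return []
    if RUN_KEY_FRAGMENT not in _norm(event.get("TargetObject", "")):
        return []
    target = _norm(event.get("Details", ""))
    tags = []
    if any(frag in target for frag in USER_WRITABLE):
        tags.append("user_writable_path")
    if SPACE_BEFORE_EXT.search(target):
        tags.append("space_before_extension")
    return [_finding("suspicious_run_key", event, tags)] if tags else []


def check_startup_drop(event: Dict) -> List[Dict]:
    """EventID 11: any file written into a Startup folder; flag padded names too."""
    if event.get("EventID") != 11:
        return []
    target = _norm(event.get("TargetFilename", ""))
    if STARTUP_FRAGMENT not in target:
        return []
    tags = ["startup_folder_write"]
    if SPACE_BEFORE_EXT.search(target):
        tags.append("space_before_extension")
    return [_finding("startup_folder_drop", event, tags)]


def check_svchost_path(event: Dict) -> List[Dict]:
    """EventID 1: svchost.exe started from anywhere other than System32/SysWOW64."""
    if event.get("EventID") != 1:
        return []
    directory, name = ntpath.split(_norm(event.get("Image", "")))
    if name != "svchost.exe" or directory in LEGIT_SVCHOST_DIRS:
        return []
    return [_finding("svchost_outside_system_dirs", event, ["image_dir=" + directory])]


CHECKS = (check_run_key, check_startup_drop, check_svchost_path)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Apply every check to every event; findings come back in event order."""
    findings: List[Dict] = []
    for event in events:
        for check in CHECKS:
            findings.extend(check(event))
    return findings


# Constructed events: the first three mirror the report, the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 2052,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
     "TargetObject": "HKU\\S-1-5-21-2295526160-1155304984-640977766-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\msvcnp",
     "Details": "C:\\Users\\Admin\\AppData\\Roaming\\msvcnp .exe"},
    {"EventID": 11, "ProcessId": 364, "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msvcnp .exe"},
    {"EventID": 1, "ProcessId": 1136, "Image": "C:\\Windows\\Temp\\svchost.exe",
     "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE},
    {"EventID": 1, "ProcessId": 900, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 1200, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["image"], f["evidence"])
```

The checks deliberately match on path fragments rather than the exact value name "msvcnp", so they survive the trivial renames a rebuilt CyberGate server would carry; the "space before extension" tag is the one detail specific enough to be worth its own evidence entry.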
Processes
Depth numbers follow the report's tree; each process line gives image, command line and PID, followed by the signatures attributed to it.

1  C:\Users\Admin\AppData\Local\Temp\aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe"
   PID 2052
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
      PID 1400
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\wscript.exe
         command line: wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
         PID 3436
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
            PID 364
            - Drops startup file

   2  C:\Windows\Temp\svchost.exe
      command line: C:\Windows\Temp\svchost.exe
      PID 4812

   2  C:\Windows\Temp\svchost.exe
      command line: C:\Windows\Temp\svchost.exe
      PID 1136
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3  C:\Program Files\Internet Explorer\iexplore.exe
         command line: "C:\Program Files\Internet Explorer\iexplore.exe"
         PID 4444

      3  C:\Windows\Temp\svchost.exe
         command line: "C:\Windows\Temp\svchost.exe"
         PID 4744
         - Executes dropped EXE
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\Temp\svchost.exe
      command line: C:\Windows\Temp\svchost.exe
      PID 1448

   2  C:\Windows\Temp\svchost.exe
      command line: C:\Windows\Temp\svchost.exe
      PID 4804
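The tree above is the most useful part of the report for writing a hunt: the dropper runs cmd.exe on java.bat, which hands off to wscript.exe with invs.vbs, which runs cmd.exe again on java2.bat to write the Startup-folder copy, while the payload lives in C:\Windows\Temp\svchost.exe and in turn spawns iexplore.exe. The block below is an added example, not part of the sandbox report: it rebuilds a parent/child tree from flat (pid, parent pid, image) records, renders it, and matches two ancestry patterns, a nearest-first chain of cmd.exe -> wscript.exe -> cmd.exe and any child of an svchost.exe that is not running from System32 or SysWOW64. The records are constructed from the PIDs and images in the tree above; the explorer.exe launcher (PID 1000, parent 800) is an assumption added so that the tree has a root, since the report does not show it.

```python
"""Rebuild a process tree from flat (pid, parent pid, image) records and match
ancestry patterns.  Records are constructed from the report's process tree;
the explorer.exe root (PID 1000, parent 800) is assumed, not from the report.
"""
import ntpath
from typing import Dict, List, Sequence, Tuple

Record = Tuple[int, int, str]  # (pid, parent pid, image path)
SAMPLE = "aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe"
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Nearest-first ancestry that a batch -> VBS -> batch dropper leaves behind.
SCRIPT_DROPPER_CHAIN = ("cmd.exe", "wscript.exe", "cmd.exe")

SAMPLE_RECORDS: List[Record] = [
    (1000, 800, "C:\\Windows\\explorer.exe"),  # assumed launcher, not in the report
    (2052, 1000, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE),
    (1400, 2052, "C:\\Windows\\SysWOW64\\cmd.exe"),
    (3436, 1400, "C:\\Windows\\SysWOW64\\wscript.exe"),
    (364, 3436, "C:\\Windows\\SysWOW64\\cmd.exe"),
    (4812, 2052, "C:\\Windows\\Temp\\svchost.exe"),
    (1136, 2052, "C:\\Windows\\Temp\\svchost.exe"),
    (4444, 1136, "C:\\Program Files\\Internet Explorer\\iexplore.exe"),
    (4744, 1136, "C:\\Windows\\Temp\\svchost.exe"),
    (1448, 2052, "C:\\Windows\\Temp\\svchost.exe"),
    (4804, 2052, "C:\\Windows\\Temp\\svchost.exe"),
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def dirname(image: str) -> str:
    return ntpath.dirname(image).lower()


def build_tree(records: Sequence[Record]) -> Dict[int, dict]:
    """Index processes by pid and link each to its children (record order kept)."""
    procs = {pid: {"pid": pid, "ppid": ppid, "image": image, "children": []}
             for pid, ppid, image in records}
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is not None:
            parent["children"].append(p["pid"])
    return procs


def lineage(procs: Dict[int, dict], pid: int) -> List[dict]:
    """The process followed by its ancestors, nearest first; stops at an unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def matches_chain(procs: Dict[int, dict], pid: int, pattern: Sequence[str]) -> bool:
    """True when the process and its nearest ancestors spell out `pattern`."""
    names = [basename(p["image"]) for p in lineage(procs, pid)]
    return tuple(names[:len(pattern)]) == tuple(pattern)


def detect(records: Sequence[Record]) -> List[dict]:
    """Flag the script-dropper chain and every child of a mislocated svchost.exe."""
    procs = build_tree(records)
    findings = []
    for p in procs.values():
        if matches_chain(procs, p["pid"], SCRIPT_DROPPER_CHAIN):
            findings.append({"rule": "cmd_wscript_cmd_chain", "pid": p["pid"],
                             "lineage": [a["pid"] for a in lineage(procs, p["pid"])]})
        parent = procs.get(p["ppid"])
        if (parent is not None and basename(parent["image"]) == "svchost.exe"
                and dirname(parent["image"]) not in SYSTEM_DIRS):
            findings.append({"rule": "child_of_masqueraded_svchost", "pid": p["pid"],
                             "parent_pid": parent["pid"], "parent_image": parent["image"]})
    return findings


def render(procs: Dict[int, dict]) -> List[str]:
    """Indented text tree, one line per process, roots first."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        p = procs[pid]
        lines.append("  " * depth + f"{basename(p['image'])} (pid {pid})")
        for child in p["children"]:
            walk(child, depth + 1)

    for p in procs.values():
        if p["ppid"] not in procs:
            walk(p["pid"], 0)
    return lines


if __name__ == "__main__":
    tree = build_tree(SAMPLE_RECORDS)
    print("\n".join(render(tree)))
    for f in detect(SAMPLE_RECORDS):
        print(f)
```

Matching the chain from the process upward (rather than searching the whole ancestry) means only the final cmd.exe, the one that actually drops the Startup file, produces a hit, so the same tree is not reported three times; the svchost rule fires for both children of PID 1136 because the masqueraded parent, not the child's own image, is what makes them interesting.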
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize  236KB
MD5       8e88f7ca977aab4c4957850affaf69dc
SHA1      7ce0df92852fda4c1884efda6d839d12d78f2181
SHA256    85067be04b7974987b68c75d5bec4f1b87f03212b89ac3e2a5d1348d7586c670
SHA512    624e53041bd1dca5e3496cb269004f63d3ba895b96eec4bf56d55370bd1288f7f712d90b3457cf8fe26f390441ce8c1af9612edba2cb3eba6bfdbe0918609c44

Filesize  78B
MD5       c578d9653b22800c3eb6b6a51219bbb8
SHA1      a97aa251901bbe179a48dbc7a0c1872e163b1f2d
SHA256    20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
SHA512    3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Filesize  53B
MD5       1896de26a454df8628034ca3e0649905
SHA1      76b98d95a85d043539706b89194c46cf14464abe
SHA256    d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208
SHA512    ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

Filesize  156B
MD5       6e11326aa89037c32d94aac927174738
SHA1      002281bc47dab009f00ed9bfa898cb58605ac0c4
SHA256    fe4445a81e9eca7f954f0a5233bed798ba654d39503776d410b071a768147808
SHA512    423c6adb6d3cab2601607b813b1e6d48f60c7b3464f857d8e8f40b2445de1b7b66bc469c6367bd437c7896aec49ba87ab917ad919deeb713f1150c7764df21cf

Filesize  597KB
MD5       a7cf3a9a2608091aeefd3b028f6c8212
SHA1      773f38e2676c57f2b70754aca0a0ddc0e3b3861f
SHA256    aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745
SHA512    22ab8c3f06bfc3ce4cb1c886b9fec218cc8a6245c6adc96ac16308a5bdb3ae02fc7ab5437a87182b3d00074009219f1814b84e4b3b1b2a6ebfa38000bfb3185f

Filesize  597KB
MD5       a7cf3a9a2608091aeefd3b028f6c8212
SHA1      773f38e2676c57f2b70754aca0a0ddc0e3b3861f
SHA256    aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745
SHA512    22ab8c3f06bfc3ce4cb1c886b9fec218cc8a6245c6adc96ac16308a5bdb3ae02fc7ab5437a87182b3d00074009219f1814b84e4b3b1b2a6ebfa38000bfb3185f

Filesize  1.1MB
MD5       d881de17aa8f2e2c08cbb7b265f928f9
SHA1      08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Filesize  1.1MB
MD5       d881de17aa8f2e2c08cbb7b265f928f9
SHA1      08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34