Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
29-01-2023 13:06
Static task
static1
Behavioral task
behavioral1
Sample
9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe
Resource
win7-20220812-en
General
-
Target
9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe
-
Size
762KB
-
MD5
b2eefe4e8f12b0d2f927d0b239dec505
-
SHA1
9560742f312efe3d15b2b53af8a7dfd2578999aa
-
SHA256
9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615
-
SHA512
c5115ea2264a035fbfb9bbc2d99d8c5d3845330b1cd8418198e7436ed54c4b9660c4323e6584d27fda17951083e62b3583cc7d9d25bff549616da61075e31d25
-
SSDEEP
12288:tZVgMTcs0TlFGavQkQGweh+Y+9r2pVEk25N71ZMp8DVL:tZ3OTqethOFTkM71ZMp8h
Malware Config
Extracted
cybergate
v1.02.0
Em
4V46CY5UO7E8EW
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
WinDr
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: Crypted.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDr\\Svchost.exe" | Crypted.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Crypted.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDr\\Svchost.exe" | Crypted.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Crypted.exe
-
Executes dropped EXE 3 IoCs
Processes: Crypted.exe, Crypted.exe, Svchost.exe
pid | process
876 | Crypted.exe
1056 | Crypted.exe
1196 | Svchost.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: Crypted.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B}\StubPath = "C:\\Windows\\system32\\WinDr\\Svchost.exe Restart" | Crypted.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B}\StubPath = "C:\\Windows\\system32\\WinDr\\Svchost.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B} | Crypted.exe
-
Processes:
resource | yara_rule
behavioral1/memory/876-63-0x0000000024010000-0x000000002406F000-memory.dmp | upx
behavioral1/memory/876-72-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
behavioral1/memory/1748-77-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
behavioral1/memory/1748-80-0x0000000024070000-0x00000000240CF000-memory.dmp | upx
behavioral1/memory/876-82-0x00000000240D0000-0x000000002412F000-memory.dmp | upx
behavioral1/memory/876-90-0x0000000024130000-0x000000002418F000-memory.dmp | upx
behavioral1/memory/1056-95-0x0000000024130000-0x000000002418F000-memory.dmp | upx
behavioral1/memory/1056-96-0x0000000024130000-0x000000002418F000-memory.dmp | upx
behavioral1/memory/1056-102-0x0000000024130000-0x000000002418F000-memory.dmp | upx
-
Loads dropped DLL 3 IoCs
Processes: Crypted.exe, Crypted.exe
pid | process
876 | Crypted.exe
1056 | Crypted.exe
1056 | Crypted.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: Crypted.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | Crypted.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDr\\Svchost.exe" | Crypted.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | Crypted.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDr\\Svchost.exe" | Crypted.exe
-
Drops file in System32 directory 4 IoCs
Processes: Crypted.exe, Crypted.exe
description | ioc | process
File created | C:\Windows\SysWOW64\WinDr\Svchost.exe | Crypted.exe
File opened for modification | C:\Windows\SysWOW64\WinDr\Svchost.exe | Crypted.exe
File opened for modification | C:\Windows\SysWOW64\WinDr\Svchost.exe | Crypted.exe
File opened for modification | C:\Windows\SysWOW64\WinDr\ | Crypted.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: Crypted.exe
pid | process
876 | Crypted.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Crypted.exe
pid | process
1056 | Crypted.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Crypted.exe
description | pid | process
Token: SeDebugPrivilege | 1056 | Crypted.exe
Token: SeDebugPrivilege | 1056 | Crypted.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: Crypted.exe
pid | process
876 | Crypted.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe, Crypted.exe
description | pid | process | target process
PID 1476 wrote to memory of 876 | 1476 | 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe | Crypted.exe
PID 1476 wrote to memory of 876 | 1476 | 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe | Crypted.exe
PID 1476 wrote to memory of 876 | 1476 | 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe | Crypted.exe
PID 1476 wrote to memory of 876 | 1476 | 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe | Crypted.exe
PID 876 wrote to memory of 1380 | 876 | Crypted.exe | Explorer.EXE
(the last row is repeated for every remaining entry of the 64 IoCs listed under this signature; all of them record PID 876 Crypted.exe writing to PID 1380 Explorer.EXE)
Processes
-
(level 1) C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    (level 2) C:\Users\Admin\AppData\Local\Temp\9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe"
        - Suspicious use of WriteProcessMemory
        (level 3) C:\Users\Admin\AppData\Local\Temp\Crypted.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
            - Adds policy Run key to start application
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            (level 4) C:\Windows\SysWOW64\explorer.exe
                Command line: explorer.exe
                - Modifies Installed Components in the registry
            (level 4) C:\Program Files\Internet Explorer\iexplore.exe
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            (level 4) C:\Users\Admin\AppData\Local\Temp\Crypted.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in System32 directory
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                (level 5) C:\Windows\SysWOW64\WinDr\Svchost.exe
                    Command line: "C:\Windows\system32\WinDr\Svchost.exe"
                    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize: 219KB
MD5: cd2b078e8973e069e6268ec8868cb0eb
SHA1: 9250de465565a33437ecd4734683fe69a11a31a6
SHA256: f01c14ea8f3bbf36641c472b114e402b01c65b271a666836ce626acae93599cf
SHA512: a44b7d174f460535332117a2eb7231adc9fb1581cc5235747a91b85757c267f07a806eb0ef8cb5c8ec017fe23860532b734314288ae5d52640fe99cfefcf950c
-
C:\Windows\SysWOW64\WinDr\Svchost.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
C:\Windows\SysWOW64\WinDr\Svchost.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
\Users\Admin\AppData\Local\Temp\Crypted.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
\Windows\SysWOW64\WinDr\Svchost.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
\Windows\SysWOW64\WinDr\Svchost.exe
Filesize: 280KB
MD5: 15fb676aa563707ec65497f35cd59b6d
SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
-
memory/876-63-0x0000000024010000-0x000000002406F000-memory.dmp
Filesize: 380KB
-
memory/876-57-0x0000000000000000-mapping.dmp
-
memory/876-72-0x0000000024070000-0x00000000240CF000-memory.dmp
Filesize: 380KB
-
memory/876-90-0x0000000024130000-0x000000002418F000-memory.dmp
Filesize: 380KB
-
memory/876-82-0x00000000240D0000-0x000000002412F000-memory.dmp
Filesize: 380KB
-
memory/876-60-0x0000000074C11000-0x0000000074C13000-memory.dmp
Filesize: 8KB
-
memory/1056-102-0x0000000024130000-0x000000002418F000-memory.dmp
Filesize: 380KB
-
memory/1056-96-0x0000000024130000-0x000000002418F000-memory.dmp
Filesize: 380KB
-
memory/1056-95-0x0000000024130000-0x000000002418F000-memory.dmp
Filesize: 380KB
-
memory/1056-87-0x0000000000000000-mapping.dmp
-
memory/1196-99-0x0000000000000000-mapping.dmp
-
memory/1380-66-0x0000000024010000-0x000000002406F000-memory.dmp
Filesize: 380KB
-
memory/1476-54-0x000007FEF28F0000-0x000007FEF3313000-memory.dmp
Filesize: 10.1MB
-
memory/1476-55-0x000007FEEDE30000-0x000007FEEEEC6000-memory.dmp
Filesize: 16.6MB
-
memory/1476-56-0x0000000001F4A000-0x0000000001F69000-memory.dmp
Filesize: 124KB
-
memory/1476-59-0x0000000001F4A000-0x0000000001F69000-memory.dmp
Filesize: 124KB
-
memory/1748-69-0x0000000000000000-mapping.dmp
-
memory/1748-80-0x0000000024070000-0x00000000240CF000-memory.dmp
Filesize: 380KB
-
memory/1748-77-0x0000000024070000-0x00000000240CF000-memory.dmp
Filesize: 380KB
-
memory/1748-71-0x00000000745E1000-0x00000000745E3000-memory.dmp
Filesize: 8KB