Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 13:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe
- Resource: win7-20220812-en
General
- Target: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe
- Size: 762KB
- MD5: b2eefe4e8f12b0d2f927d0b239dec505
- SHA1: 9560742f312efe3d15b2b53af8a7dfd2578999aa
- SHA256: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615
- SHA512: c5115ea2264a035fbfb9bbc2d99d8c5d3845330b1cd8418198e7436ed54c4b9660c4323e6584d27fda17951083e62b3583cc7d9d25bff549616da61075e31d25
- SSDEEP: 12288:tZVgMTcs0TlFGavQkQGweh+Y+9r2pVEk25N71ZMp8DVL:tZ3OTqethOFTkM71ZMp8h
Malware Config
Extracted: cybergate v1.02.0
Em
4V46CY5UO7E8EW
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WinDr
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: Crypted.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDr\\Svchost.exe" (Crypted.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (Crypted.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDr\\Svchost.exe" (Crypted.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (Crypted.exe)

Executes dropped EXE (3 IoCs)
Processes: Crypted.exe, Crypted.exe, Svchost.exe
- PID 2548 Crypted.exe
- PID 4832 Crypted.exe
- PID 2396 Svchost.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Processes: Crypted.exe, explorer.exe
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B} (Crypted.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B}\StubPath = "C:\\Windows\\system32\\WinDr\\Svchost.exe Restart" (Crypted.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B} (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O251NGYT-45OG-A1OW-1LM3-5W3AM07GS54B}\StubPath = "C:\\Windows\\system32\\WinDr\\Svchost.exe" (explorer.exe)

YARA rule matches (rule: upx, 9 memory dumps)
- behavioral2/memory/2548-137-0x0000000024010000-0x000000002406F000-memory.dmp
- behavioral2/memory/2548-142-0x0000000024070000-0x00000000240CF000-memory.dmp
- behavioral2/memory/4780-145-0x0000000024070000-0x00000000240CF000-memory.dmp
- behavioral2/memory/4780-146-0x0000000024070000-0x00000000240CF000-memory.dmp
- behavioral2/memory/2548-150-0x00000000240D0000-0x000000002412F000-memory.dmp
- behavioral2/memory/2548-156-0x0000000024130000-0x000000002418F000-memory.dmp
- behavioral2/memory/4832-159-0x0000000024130000-0x000000002418F000-memory.dmp
- behavioral2/memory/4832-160-0x0000000024130000-0x000000002418F000-memory.dmp
- behavioral2/memory/4780-163-0x0000000024070000-0x00000000240CF000-memory.dmp

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe, Crypted.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (Crypted.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: Crypted.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDr\\Svchost.exe" (Crypted.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (Crypted.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDr\\Svchost.exe" (Crypted.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (Crypted.exe)

Drops desktop.ini file(s) (2 IoCs)
Processes: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe
- File created: C:\Windows\assembly\Desktop.ini (9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe)

Drops file in System32 directory (4 IoCs)
Processes: Crypted.exe, Crypted.exe
- File opened for modification: C:\Windows\SysWOW64\WinDr\Svchost.exe (Crypted.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDr\Svchost.exe (Crypted.exe)
- File opened for modification: C:\Windows\SysWOW64\WinDr\ (Crypted.exe)
- File created: C:\Windows\SysWOW64\WinDr\Svchost.exe (Crypted.exe)

Drops file in Windows directory (3 IoCs)
Processes: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe
- File opened for modification: C:\Windows\assembly (9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe)
- File created: C:\Windows\assembly\Desktop.ini (9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes: WerFault.exe
- PID 3104 WerFault.exe, target PID 2396 Svchost.exe

Modifies registry class (1 IoCs)
Processes: Crypted.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Crypted.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Crypted.exe
- PID 2548 Crypted.exe
- PID 2548 Crypted.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Crypted.exe
- PID 4832 Crypted.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Crypted.exe
- Token: SeDebugPrivilege, PID 4832 Crypted.exe
- Token: SeDebugPrivilege, PID 4832 Crypted.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: Crypted.exe
- PID 2548 Crypted.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe, Crypted.exe
- PID 5020 (9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe) wrote to memory of PID 2548 (Crypted.exe): 3 events
- PID 2548 (Crypted.exe) wrote to memory of PID 2720 (Explorer.EXE): the remaining 61 events
Processes (tree; the number in brackets is the nesting depth)
- [1] C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID 2720
  - [2] C:\Users\Admin\AppData\Local\Temp\9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe, command line: "C:\Users\Admin\AppData\Local\Temp\9be1feac562295e45501c83a2f8379d9d363c8b5025e3cb5a5d9afc87420c615.exe", PID 5020
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Crypted.exe, command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe", PID 2548
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\explorer.exe, command line: explorer.exe, PID 4780
        - Modifies Installed Components in the registry
      - [4] C:\Program Files\Internet Explorer\iexplore.exe, command line: "C:\Program Files\Internet Explorer\iexplore.exe", PID 1344
      - [4] C:\Users\Admin\AppData\Local\Temp\Crypted.exe, command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe", PID 4832
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\WinDr\Svchost.exe, command line: "C:\Windows\system32\WinDr\Svchost.exe", PID 2396
          - Executes dropped EXE
          - [6] C:\Windows\SysWOW64\WerFault.exe, command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 572, PID 3104
            - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe, command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2396 -ip 2396, PID 4700
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  - Filesize: 280KB
  - MD5: 15fb676aa563707ec65497f35cd59b6d
  - SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
  - SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
  - SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
- C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
  - Filesize: 219KB
  - MD5: cd2b078e8973e069e6268ec8868cb0eb
  - SHA1: 9250de465565a33437ecd4734683fe69a11a31a6
  - SHA256: f01c14ea8f3bbf36641c472b114e402b01c65b271a666836ce626acae93599cf
  - SHA512: a44b7d174f460535332117a2eb7231adc9fb1581cc5235747a91b85757c267f07a806eb0ef8cb5c8ec017fe23860532b734314288ae5d52640fe99cfefcf950c
- C:\Windows\SysWOW64\WinDr\Svchost.exe
  - Filesize: 280KB
  - MD5: 15fb676aa563707ec65497f35cd59b6d
  - SHA1: 73f9fd5c786118c121e8a83740493bbd4cf7abed
  - SHA256: 5dadc9a7edb470390238ea9fa17287033aa8f5efe26bf8580a80b6d52e75dd49
  - SHA512: f475cb11f02f6ab754082599d9e2e0cf2c611f54b3d11b6f63dc2bf1e3f2611041aa38547b19b49fa5ad260e07710b1e2d276af967d1fc5fb22239228f980a98
Memory dumps
- memory/2396-161-0x0000000000000000-mapping.dmp
- memory/2548-133-0x0000000000000000-mapping.dmp
- memory/2548-137-0x0000000024010000-0x000000002406F000-memory.dmp, Filesize: 380KB
- memory/2548-142-0x0000000024070000-0x00000000240CF000-memory.dmp, Filesize: 380KB
- memory/2548-156-0x0000000024130000-0x000000002418F000-memory.dmp, Filesize: 380KB
- memory/2548-150-0x00000000240D0000-0x000000002412F000-memory.dmp, Filesize: 380KB
- memory/4780-141-0x0000000000000000-mapping.dmp
- memory/4780-146-0x0000000024070000-0x00000000240CF000-memory.dmp, Filesize: 380KB
- memory/4780-145-0x0000000024070000-0x00000000240CF000-memory.dmp, Filesize: 380KB
- memory/4780-163-0x0000000024070000-0x00000000240CF000-memory.dmp, Filesize: 380KB
- memory/4832-154-0x0000000000000000-mapping.dmp
- memory/4832-159-0x0000000024130000-0x000000002418F000-memory.dmp, Filesize: 380KB
- memory/4832-160-0x0000000024130000-0x000000002418F000-memory.dmp, Filesize: 380KB
- memory/5020-132-0x00007FFEE7580000-0x00007FFEE7FB6000-memory.dmp, Filesize: 10.2MB