Analysis Overview
SHA256
4b60c647ac9d4582d43c4ca63186258809f380e8e9d7672ca996dbc8c0340f40
Threat Level: Known bad
The file CyberGate v3.4.2.2 Cracked.zip was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Modifies Installed Components in the registry
Adds policy Run key to start application
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Checks computer location settings
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-26 06:24
Signatures
Cybergate family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-26 06:24
Reported
2023-06-26 06:26
Platform
win10v2004-20230621-en
Max time kernel
83s
Max time network
87s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe
"C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\CyberGate_v3.4.2.2 Cracked by The Old Warrior.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 47.125.24.20.in-addr.arpa | udp |
| US | 20.189.173.9:443 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 126.130.241.8.in-addr.arpa | udp |
Files
memory/2684-133-0x0000000000400000-0x000000000140D000-memory.dmp
memory/2684-134-0x00000000758D0000-0x0000000075AE5000-memory.dmp
memory/2684-2072-0x00000000756D0000-0x0000000075870000-memory.dmp
memory/2684-3077-0x0000000075F80000-0x0000000075FFA000-memory.dmp
memory/2684-6670-0x0000000000400000-0x000000000140D000-memory.dmp
memory/2684-6671-0x0000000000400000-0x000000000140D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cnvB6B.tmp
| MD5 | c8bb6fe40d038b85a8464c23c8b03a39 |
| SHA1 | 16a42f14e8fc75f732ddfe561f01237241adcd0a |
| SHA256 | a6f0fd04ca2ae012d6fa72e027fc4ffd1043d611cf7f77aa17604647867a3fa0 |
| SHA512 | c25bd5b08e076546a48fdfdb09c75e66d170cb1e51a39ae21c77134ff68c2b9b3c173bca91404778a51adb983c64bd52dbe3c7338f1a6f36d5048b7788513f9c |
memory/2684-6676-0x0000000010000000-0x000000001018A000-memory.dmp
memory/2684-6677-0x0000000000400000-0x000000000140D000-memory.dmp
memory/2684-6678-0x0000000010000000-0x000000001018A000-memory.dmp
memory/2684-6686-0x0000000010000000-0x000000001018A000-memory.dmp
memory/2684-6687-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2684-6688-0x0000000000400000-0x000000000140D000-memory.dmp
memory/2684-6689-0x0000000010000000-0x000000001018A000-memory.dmp
memory/2684-6690-0x0000000001610000-0x0000000001611000-memory.dmp
memory/2684-6691-0x0000000000400000-0x000000000140D000-memory.dmp
memory/2684-6693-0x0000000000400000-0x000000000140D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-26 06:24
Reported
2023-06-26 06:25
Platform
win10v2004-20230621-en
Max time kernel
17s
Max time network
19s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
| N/A | N/A | C:\directory\CyberGate\install\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe | N/A |
Suspicious use of WriteProcessMemory
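The two persistence artefacts recorded above (the "Policies" value under Policies\Explorer\Run in both HKLM and the user hive, and the Active Setup StubPath "c:\directory\CyberGate\install\server.exe Restart" under a component key that is not even a valid GUID) are the parts of this run worth turning into a detection. The following Python is an added example, not part of the sandbox report and not CyberGate code: it takes registry events in the same (action, indicator) shape as the report's Signature tables, normalises the NT-native hive prefixes and WOW6432Node redirection, and flags both locations. The sample events are copied from the behavioral2 tables; the benign look-alike events, the well-formed GUID in them, the "trusted root" path list and the ATT&CK sub-technique labels (T1547.001, T1547.014) are my own assumptions and mapping, not something the report states.

```python
"""Flag CyberGate-style registry persistence in sandbox registry events.

Events are (action, indicator) pairs exactly as the report prints them:
'Key created' lines carry a bare key, 'Set value (str)' lines look like
<key>\\<name> = "<data>" with backslashes doubled inside the quotes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Locations this sample wrote to, matched case-insensitively on the path
# below the hive after WOW6432Node is stripped.
POLICY_RUN_SUFFIX = "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run"
ACTIVE_SETUP_SUFFIX = "microsoft\\active setup\\installed components"

# Active Setup components are keyed by GUID (8-4-4-4-12 hex). A component such
# as {CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} contains non-hex characters, so no
# real GUID generator produced it.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Heuristic (assumption): roots a legitimate StubPath is normally launched from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    technique: str
    hive: str
    key: str
    value_name: Optional[str]
    data: Optional[str]
    reason: str


def normalise_hive(path: str) -> Tuple[str, str]:
    """Map \\REGISTRY\\MACHINE / \\REGISTRY\\USER\\<SID> to (hive, path below hive)."""
    m = re.match(r"\\REGISTRY\\MACHINE\\(.*)", path, re.I)
    if m:
        hive, rest = "HKLM", m.group(1)
    else:
        m = re.match(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\(.*)", path, re.I)
        hive, rest = ("HKU\\" + m.group(1), m.group(2)) if m else ("", path)
    # 32-bit processes on x64 Windows write through the WOW6432Node redirector.
    return hive, re.sub(r"\\wow6432node", "", rest, flags=re.I)


def parse_indicator(indicator: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split '<key>\\<name> = "<data>"' into (key, name, data); bare keys give (key, None, None)."""
    if " = " not in indicator:
        return indicator, None, None
    left, _, right = indicator.partition(" = ")
    key, _, name = left.rpartition("\\")
    data = right.strip().strip('"').replace("\\\\", "\\")  # undo the report's escaping
    return key, name, data


def launches_from_trusted_root(command: str) -> bool:
    return command.lower().lstrip('"').startswith(TRUSTED_ROOTS)


def detect(events: List[Tuple[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for action, indicator in events:
        key, name, data = parse_indicator(indicator)
        hive, rel = normalise_hive(key)
        rel_l = rel.lower()

        # T1547.001: Policies\Explorer\Run is a policy-controlled autorun. Both
        # creating the key and setting a value under it are reported.
        if rel_l.endswith(POLICY_RUN_SUFFIX):
            reason = (f"{action}: autorun value {name!r} launches {data}" if name
                      else f"{action}: Policies\\Explorer\\Run key created by the sample")
            findings.append(Finding("T1547.001 Registry Run Keys", hive, rel, name, data, reason))
            continue

        # T1547.014: Active Setup runs each component's StubPath once per user at
        # logon. Flag a StubPath whose component is not a GUID or whose command
        # lives outside the usual install roots.
        idx = rel_l.find(ACTIVE_SETUP_SUFFIX)
        if idx != -1 and name and name.lower() == "stubpath":
            component = rel[idx + len(ACTIVE_SETUP_SUFFIX):].strip("\\").split("\\")[0]
            reasons = []
            if not GUID_RE.match(component):
                reasons.append(f"component {component} is not a well-formed GUID")
            if not launches_from_trusted_root(data or ""):
                reasons.append("StubPath runs a binary outside Windows/Program Files")
            if reasons:
                findings.append(Finding("T1547.014 Active Setup", hive, rel, name, data, "; ".join(reasons)))
    return findings


SID = "S-1-5-21-2177513644-1903222820-241662473-1000"
USER_HIVE = "\\REGISTRY\\USER\\" + SID
POLICY_RUN = r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
ACTIVE_SETUP = r"\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}"

# Events copied from the behavioral2 signature tables above.
SAMPLE_EVENTS = [
    ("Key created", r"\REGISTRY\MACHINE" + POLICY_RUN),
    ("Set value (str)", r"\REGISTRY\MACHINE" + POLICY_RUN + r'\Policies = "c:\\directory\\CyberGate\\install\\server.exe"'),
    ("Key created", USER_HIVE + POLICY_RUN),
    ("Set value (str)", USER_HIVE + POLICY_RUN + r'\Policies = "c:\\directory\\CyberGate\\install\\server.exe"'),
    ("Key created", r"\REGISTRY\MACHINE" + ACTIVE_SETUP),
    ("Set value (str)", r"\REGISTRY\MACHINE" + ACTIVE_SETUP + r'\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"'),
]

# Constructed look-alikes (not from the report) that must not fire: a
# well-formed component GUID launching from System32, and the Geo\Nation read.
BENIGN_EVENTS = [
    ("Set value (str)", r"\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components"
                        r'\{0D1F2E3C-4B5A-4697-8877-665544332211}\StubPath = "C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"'),
    ("Key value queried", USER_HIVE + r"\Control Panel\International\Geo\Nation"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.hive}\\{f.key} :: {f.reason}")
```

Run as-is it prints five findings for the report's events (two key creations and two value writes under Policies\Explorer\Run, one Active Setup StubPath with both the malformed-GUID and untrusted-path reasons) and none for the benign events. Feeding Sysmon EventID 12/13 TargetObject strings through the same functions works because Sysmon also reports NT-native \REGISTRY\... paths.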
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe
"C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 229.78.74.40.in-addr.arpa | udp |
| JP | 40.79.189.59:443 | | tcp |
Files
memory/2540-136-0x0000000010410000-0x0000000010480000-memory.dmp
memory/2540-140-0x0000000010480000-0x00000000104F0000-memory.dmp
memory/2216-144-0x0000000000700000-0x0000000000701000-memory.dmp
memory/2216-145-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/2540-200-0x00000000104F0000-0x0000000010560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin2.txt
| MD5 | f8ea6b460cd968e4b12a3d7a57dda28f |
| SHA1 | abc2943337cfb876fe72dcc3684bbb12bb1ec638 |
| SHA256 | 5ce0400db7fea62d32f20e8a72c2e116c316a58e2b5575340a5097f4ffe46386 |
| SHA512 | 020aba30ef6fe4505db41c5e501b71f284c9a9f76ff8cfcd92604bc4c4383b17b912fc69e7248560e39df676e689ac70b117198415ff955f97bd440abf00d22b |
C:\Users\Admin\AppData\Local\Temp\Admin8
| MD5 | 13eab812c78c8973c4835624e6c0d3cf |
| SHA1 | e4adad263ad256162af9b8398da3cd5aef4b3092 |
| SHA256 | b7be0d6f25b38613d997963809168224e5aa7549df18fcdc3b71d693fd71d801 |
| SHA512 | b64d750209a228dfd33feab7f29fb17eed5108073cc9f3d7658482f8cb55862e51a610246f56f7720829d3872ea9627df320b9c3603238320e0e59cd3d2c1bea |
memory/2216-278-0x00000000104F0000-0x0000000010560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 01aefe7b5a7c1627737371735d2714f1 |
| SHA1 | 6454d23e6ef2ae97f205ef357f2d8a1907a639cf |
| SHA256 | 211d0ac0b1ddd8dbfe3b0fd4e4483c19576ac6e36969d705e11451fc57b1ee1b |
| SHA512 | 3d62bf48fbd1203066f4e599977b9719538af5e9cd84df4a3a67c59ff1b532a96212d2ae8462b013b50fcc4f692c37c39ab61c1ad4bcd2476fe06dc4fd0311a5 |
C:\directory\CyberGate\install\server.exe
| MD5 | 193642d723ede4bbfc6243fdee330a46 |
| SHA1 | 7f4217ca52d5f5bc0d31405aa8aeabdcc86ae1e7 |
| SHA256 | 022781a00ae035eba4657733106f9d6909ec28f4bcd77b19a0ee215cb7766d85 |
| SHA512 | faa873ab32649a1607065074a0bda5e3a20ceaa54505244edcee639eb3bb4f74b1976c2b4c4f688ea325d92f9c94ab4fef70c1f77d336861223fbb1a47bab8ed |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7b9d07b6d767fa2487594c83db76b164 |
| SHA1 | 12aa06b39ef87804b22f3cf32d79161386ef1d79 |
| SHA256 | a4d2692bc6abe15f636c237443af0158f56f62b9539b8f104d6342e1890d5f1c |
| SHA512 | c33c9ae0907a2c0b21c6069451779b3410c1ba3eba917a353a5fbce162d8f5caf72e65ef3027c70e13c0f2910b710e8edaf4148447c861161c1ecbd58bd9caf1 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 7b69b6d44607fb2a2cbfd647a8f592a0 |
| SHA1 | b0369006edcd8653036d48ad03d77c5aa0b67843 |
| SHA256 | df873d76452582dafbd3f6608b860796451b797d3ec4cf3dadb935fa543b0769 |
| SHA512 | c9ed8fdc2dd983f7d489cb2c9b8aa1898075adb7fc1e4316431b727afe1ac2efc4811dcd8af4f289116111c09c20f9d89feb0d35b04dce848238745e5055ba33 |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | f7534c9e71f8d48ab4b11eadd0b1c808 |
| SHA1 | 1e5e837724e7a799c82e36eb74c75bced16e6062 |
| SHA256 | ae1e3c2702433eb81d6688ee87350cdf2be6c2ff444993095f191d5ca40c26f2 |
| SHA512 | 3a0b2dee44a83b204dfac834ddb4868395abf1ea09b44127cff17789e508d69fe1295d08d1bf73e2b5f304a9f662c479c3f4698fcd87ebd229ba36d4f76dee8f |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 229668c2fcaa626b8b1e83dc5532f8d2 |
| SHA1 | ce106476db7d97a15f8fe4eea2b65c4db6872a61 |
| SHA256 | 4f8a724876400db5213979a34b33abd983744a87e6ab67a82168d0142ce060b8 |
| SHA512 | d41b17642c942afcfa5f5ae7c21659538da18b20520b70f484ae54e5e5d37384d6e8b4df2545005df0f850dd614063d2b3e19ed3d51d2ceae2610c1f4df20a6b |
C:\Users\Admin\AppData\Local\Temp\Admin7
| MD5 | 408be7f1457433c36e817076281c04c1 |
| SHA1 | 23792832611a278d434e0e985490cf57a9903f8e |
| SHA256 | c4021ef34cf2454cf95a36a5e04502781e1c149ff75882a44df9c39c224cb4f0 |
| SHA512 | e1ebb1ccb4dc4278678096f7826b61fe42daa5cd54ac250ec479d32240126b9d84f93826c7a59370220cbec1a88f9138282e0ea548f9e442967d8236f0e6d885 |
memory/2216-1411-0x00000000104F0000-0x0000000010560000-memory.dmp