Analysis
- max time kernel: 55s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/01/2024, 14:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4123bf29f1a36f8940272dfcfb9ab409.exe
  - Resource: win7-20231215-en
General
- Target: 4123bf29f1a36f8940272dfcfb9ab409.exe
- Size: 324KB
- MD5: 4123bf29f1a36f8940272dfcfb9ab409
- SHA1: a2657ed954e37a6e39585c5e938fd610e9b71137
- SHA256: de2f10468d57b9c055a4a4e829c09862f58707223042c80c79c5d17dd7cc30e6
- SHA512: f108e8a48b2073624262015c12b6d1ef2d45fe5f1bd7496e20bbb7137eb59414fa61e6319c62c3a5d5cb93377e105cfeb796810c16ec66c5945e30e438c546e9
- SSDEEP: 6144:qhmTH1EWuzEwi9fYtR7Rfvb0JOPScVeb+jUtV6v6/aO5R:omH1EWuwtfYrRXb7VVeqAsSiyR
Malware Config
Extracted: cybergate, v1.18.0 - Crack Version
- remote:
  - tim0.dyndns.org:81
  - tim0.dyndns.org:82
  - N65I4020CC0882
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: .//
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: false
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: QWERTZ

Note on using this config for IoCs: install_flag is false and the install_dir/install_file pair (install\server.exe) does not match what the sample actually did at runtime. The Run key recorded under Signatures is written by the initial process (PID 1652) and points to C:\Users\Admin\AppData\Roaming\Policies\WinDefender.exe, and the observed injection target is vbc.exe rather than the configured explorer.exe. Treat the runtime observations, not the extracted config, as the host-based indicators; the config is still the right source for the C2 hosts, ports and password.
Signatures
- YARA rule "upx" matched 11 memory dumps of PID 1636 (vbc.exe), all covering the same region 0x0000000000450000-0x00000000004C2000:
  behavioral1/memory/1636-17-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-18-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-19-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-20-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-23-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-24-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-26-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-32-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-33-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-38-0x0000000000450000-0x00000000004C2000-memory.dmp
  behavioral1/memory/1636-1298-0x0000000000450000-0x00000000004C2000-memory.dmp
  All UPX hits are inside the injected vbc.exe child, not the parent, which is consistent with a UPX-packed payload being mapped into the host process rather than the host's own code.

- Uses the VBS compiler for execution (1 TTPs)
  The binary spawned is C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, the Visual Basic .NET command-line compiler. It is started four times with no arguments and serves only as a signed, Microsoft-shipped host for the injected code (see Processes).

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows-Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Policies\\WinDefender.exe"
  process: 4123bf29f1a36f8940272dfcfb9ab409.exe
  The value name (Windows-Defender) and file name (WinDefender.exe) imitate Windows Defender; the data points into the user-writable %APPDATA%\Policies\ directory, not the config's install\server.exe.

- Suspicious use of SetThreadContext (4 IoCs)
  description               | pid  | Process                               | target pid | procid_target
  set thread context of     | 1652 | 4123bf29f1a36f8940272dfcfb9ab409.exe | 1636       | 16
  set thread context of     | 1652 | 4123bf29f1a36f8940272dfcfb9ab409.exe | 1692       | 29
  set thread context of     | 1652 | 4123bf29f1a36f8940272dfcfb9ab409.exe | 2652       | 30
  set thread context of     | 1652 | 4123bf29f1a36f8940272dfcfb9ab409.exe | 2656       | 31

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 1636, Process: vbc.exe
  Repeated GetForegroundWindow polling from the injected host is consistent with the enabled keylogger (enable_keylogger: true) tracking the active window.

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token                      | pid  | Process
  SeDebugPrivilege           | 1652 | 4123bf29f1a36f8940272dfcfb9ab409.exe
  33                         | 1652 | 4123bf29f1a36f8940272dfcfb9ab409.exe
  SeIncBasePriorityPrivilege | 1652 | 4123bf29f1a36f8940272dfcfb9ab409.exe
  SeBackupPrivilege          | 1636 | vbc.exe
  SeRestorePrivilege         | 1636 | vbc.exe
  SeDebugPrivilege           | 1636 | vbc.exe
  SeDebugPrivilege           | 1636 | vbc.exe

- Suspicious use of WriteProcessMemory (48 IoCs)
  All 48 writes come from PID 1652 (4123bf29f1a36f8940272dfcfb9ab409.exe), 12 into each vbc.exe child, and each child also receives a SetThreadContext from the same parent: the classic process-hollowing sequence.
  target pid | procid_target | writes
  1636       | 16            | 12
  1692       | 29            | 12
  2652       | 30            | 12
  2656       | 31            | 12
Processes
- C:\Users\Admin\AppData\Local\Temp\4123bf29f1a36f8940272dfcfb9ab409.exe (PID 1652)
  command line: "C:\Users\Admin\AppData\Local\Temp\4123bf29f1a36f8940272dfcfb9ab409.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1636)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1692)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2652)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2656)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
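The two strongest behavioural indicators in this report are the parent writing memory into, and then resetting the thread context of, four argument-less vbc.exe children, and a Run value pointing into %APPDATA%. The following Python turns both into reusable detection logic. It is example code added to this report, not sandbox output and not CyberGate code; the event schema (dicts with type, pid, ppid, image, cmdline, api, target, key, data) and SAMPLE_EVENTS are constructed to mirror the Signatures and Processes sections, and the HOLLOW_HOSTS list is an assumption.

```python
"""Detect process hollowing into LOLBin hosts and Run-key persistence from
sandbox-style behaviour events. Example code added to this report; the
event schema and sample events are constructed, not sandbox output."""
import re
from collections import Counter

# .NET Framework binaries commonly abused as hollowing hosts by commodity
# RATs; vbc.exe is the one this sample uses (list is an assumption).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hollowing(events):
    """Return {child_pid: details} for children whose own parent both wrote
    into them and set a thread context on them, where the child is a known
    host binary launched with a bare image path (no arguments)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_start"}
    writes, ctx = Counter(), Counter()
    for e in events:
        if e["type"] != "api":
            continue
        if e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["api"] == "SetThreadContext":
            ctx[(e["pid"], e["target"])] += 1
    hits = {}
    for (parent, child), n in writes.items():
        p = procs.get(child)
        if p is None or p["ppid"] != parent or ctx[(parent, child)] == 0:
            continue
        if basename(p["image"]) not in HOLLOW_HOSTS:
            continue
        if p["cmdline"].strip().strip('"').lower() != p["image"].lower():
            continue  # launched with arguments: likely a real compile job
        hits[child] = {"parent": parent, "host": basename(p["image"]),
                       "writes": n, "set_thread_context": ctx[(parent, child)]}
    return hits


def find_run_key_persistence(events):
    """Return Run/RunOnce values whose data points outside the Windows and
    Program Files trees (e.g. %APPDATA%, as in this report)."""
    out = []
    for e in events:
        if e["type"] != "registry_set" or not RUN_KEY_RE.search(e["key"]):
            continue
        data = e["data"].strip('"').replace("\\\\", "\\")  # undo sandbox escaping
        if not SYSTEM_DIR_RE.match(data):
            out.append({"pid": e["pid"], "key": e["key"],
                        "value": e["key"].rsplit("\\", 1)[-1], "data": data})
    return out


# Constructed events mirroring this report: PID 1652 (the sample) starts four
# vbc.exe children, writes 12 times into each, resets each one's thread
# context and sets the Windows-Defender Run value. One benign vbc.exe compile
# job (has arguments, receives no writes) is included as a control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4123bf29f1a36f8940272dfcfb9ab409.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 1652, "ppid": 1400, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_start", "pid": 3000, "ppid": 2900, "image": VBC,
     "cmdline": VBC + r' /noconfig @C:\Users\Admin\AppData\Local\Temp\build.cmdline'},
]
for child in (1636, 1692, 2652, 2656):
    SAMPLE_EVENTS.append({"type": "process_start", "pid": child, "ppid": 1652,
                          "image": VBC, "cmdline": VBC})
    SAMPLE_EVENTS += [{"type": "api", "api": "WriteProcessMemory", "pid": 1652, "target": child}
                      for _ in range(12)]
    SAMPLE_EVENTS.append({"type": "api", "api": "SetThreadContext", "pid": 1652, "target": child})
SAMPLE_EVENTS.append({
    "type": "registry_set", "pid": 1652,
    "key": r"\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows-Defender",
    "data": r'"C:\\Users\\Admin\\AppData\\Roaming\\Policies\\WinDefender.exe"',
})

if __name__ == "__main__":
    for pid, h in sorted(find_hollowing(SAMPLE_EVENTS).items()):
        print(f"hollowing: {h['parent']} -> {pid} ({h['host']}, {h['writes']} writes)")
    for r in find_run_key_persistence(SAMPLE_EVENTS):
        print(f"persistence: {r['value']} = {r['data']}")
```

The argument check matters in practice: vbc.exe is a legitimate compiler that build tooling starts with a response file, so the rule keys on the combination (no arguments, parent-to-child memory write, thread-context reset) rather than on the image name alone. The control process 3000 is not flagged for that reason.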
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1 (Filesize: 8B)
  MD5: d3db92f97b262198b32502f378db9197
  SHA1: f0fcb55aaa3b82a5b717cfdd79d3ddf98ef69084
  SHA256: 3bfb549230954d94d30acdd9dcc6679a4978d896b4f7e0dfe20daf5ab74f8fe4
  SHA512: c7cd0b416728ee57c3a1a1b74c02d9ab141dc8ab2007ff278c2d1ed9445dff50334d0953d8328b1e63bfb51f8da39435a0552b3bbfbf54b39ed9ea36ff5fbc87
- File 2 (Filesize: 8B)
  MD5: 351fb1ebf58a97fdefc633599d94b9fc
  SHA1: c40bc1f7e5205e44e3fb3925c337baa636daea5d
  SHA256: a0389f7905361a2700f59aeb2c8fe38efbe56b9095bcea4426a6c259953acbd1
  SHA512: b8f9a9459e7622dbca7372d87801f368c1b7c03e18be0dfc075ca7f66600381aa897a9fe4b09e2d525df63a681bcd3ed237ca15245239b9f61ddf6f5aa6f72d0
- File 3 (Filesize: 8B)
  MD5: 2db65b2bdb5457fbb9bd29a3b9f881a9
  SHA1: 2e69ad9bb54278eaea701ce1fb79c4e4a90fde8f
  SHA256: c77667a282f544841479ea5fbac07b7571dfe841fd9cbb5298f4d2b3e427eb2a
  SHA512: 28bc264dd717c32ddea130dd7ef6b1599b5e8752941be2c9a4891602a09443767aea9ed3da0037aa7ae249d37d34e8e07c7e76a3f77f993d9a06a396df0675c0
- File 4 (Filesize: 8B)
  MD5: f2ce80986cee1a9c6b19d54431c145c3
  SHA1: 949d89ae79c9968b3470f444f9e93b10d6674ecd
  SHA256: 96ba1e0dbcf267a65a23812a6b26f639adb7c363bc3b696ec5f1d2f2cc7bd507
  SHA512: cd81d77f55d8c63ead2d1a414e687a14b59ccbab4c3a44f0e5b1839e3443a31578b664958e3b83d7a28932c1cf1e2e5d62460f0dbaaa371fefed5227ceff82fb
- File 5 (Filesize: 8B)
  MD5: d84458921385bec14be9731531c871aa
  SHA1: 52af363b504ec1af2666746db448d2c8367c5821
  SHA256: 9ab618e8eb5f2bbd15a8aecd10e5d6a85ef1abf5e31ab60d57eaeae37a5d1417
  SHA512: fdb25c2d0bb7f8b4287d4c4a89ae7ce7bce3bd9e9034bf653e65715c51b698b581a0b6820303f2fd501f5bce941d021524f8fa616f6792a4a75cd092ebdfc73b
- File 6 (Filesize: 8B)
  MD5: 34e6b6efad104593899fa5e03f5f0f10
  SHA1: 62bde9b36ef9b01ee5f14c56b88acbaf7635da0c
  SHA256: 42bb0c2442f03b4418f7b3bee3469c796fcf376e7c87e869fe34470388446167
  SHA512: 8b83e3c7e639d643e1676766c18795d8b293ad83bc3f5c7984a211519572c1a454d969295e95891470b13cf49d8fb9452414bc5f4ba213ee86d5360ce6485b01