Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-01-2024 22:02
Static task: static1
Behavioral task: behavioral1
Sample: TS3HackToken.exe
Resource: win7-20231215-en
General
- Target: TS3HackToken.exe
- Size: 405KB
- MD5: 6d5ccb56c9aa12c579d0f20fe1c9163a
- SHA1: 0fa7b41bf999f6d2e6b4caf6f1b2cf00acb7720d
- SHA256: 937c41971fded46ea59c6d248eca33fb494204541a6e5983f0f21b6bcd435710
- SHA512: 986abf3629c917890cc0ca232d5e287f55f497486e79db0d6fbd369afd443d883e4f5c5febaf3d6bb239e44300e407455734420b78a8a248a93bebd55ea9d365
- SSDEEP: 12288:KVUBLwLg2RgfLkz1qtrVyUX33w+mO9Hystr0py:KVUBf4ZKJ3w3y
Malware Config
Extracted
- cybergate
- v1.07.5
- Victime
- pedrologue.no-ip.org:81
- 5K1FQ4L182DDX0
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: windir
- install_file: svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur
- message_box_title: INCOMPATIBLE
- password: 123456
- regkey_hkcu: svchost.exe
- regkey_hklm: svchost.exe
Signatures
- Deletes itself (1 IoCs)
  Processes: pid 1496 svhost.exe
- Executes dropped EXE (1 IoCs)
  Processes: pid 1496 svhost.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: svhost.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 1496 (svhost.exe) set thread context of 5000 (AppLaunch.exe)
- Program crash (1 IoCs)
  Processes: pid 4980 WerFault.exe, target pid 5000 AppLaunch.exe
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  Processes: pid 3560 TS3HackToken.exe and pid 1496 svhost.exe, repeated entries (53 in total)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Token: SeDebugPrivilege, pid 3560 TS3HackToken.exe; Token: SeDebugPrivilege, pid 1496 svhost.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: PID 3560 (TS3HackToken.exe) wrote to memory of 1496 (svhost.exe); PID 1496 (svhost.exe) wrote to memory of 5000 (AppLaunch.exe); repeated entries (16 in total)
Processes
- C:\Users\Admin\AppData\Local\Temp\TS3HackToken.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TS3HackToken.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svhost.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 12
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5000 -ip 5000
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe
  Filesize: 405KB
  MD5: 6d5ccb56c9aa12c579d0f20fe1c9163a
  SHA1: 0fa7b41bf999f6d2e6b4caf6f1b2cf00acb7720d
  SHA256: 937c41971fded46ea59c6d248eca33fb494204541a6e5983f0f21b6bcd435710
  SHA512: 986abf3629c917890cc0ca232d5e287f55f497486e79db0d6fbd369afd443d883e4f5c5febaf3d6bb239e44300e407455734420b78a8a248a93bebd55ea9d365
- memory/1496-11-0x00000000745C0000-0x0000000074B71000-memory.dmp (Filesize: 5.7MB)
- memory/1496-12-0x00000000745C0000-0x0000000074B71000-memory.dmp (Filesize: 5.7MB)
- memory/1496-16-0x00000000745C0000-0x0000000074B71000-memory.dmp (Filesize: 5.7MB)
- memory/1496-17-0x00000000016D0000-0x00000000016E0000-memory.dmp (Filesize: 64KB)
- memory/3560-0-0x00000000745C0000-0x0000000074B71000-memory.dmp (Filesize: 5.7MB)
- memory/3560-2-0x0000000001080000-0x0000000001090000-memory.dmp (Filesize: 64KB)
- memory/3560-1-0x00000000745C0000-0x0000000074B71000-memory.dmp (Filesize: 5.7MB)
- memory/3560-3-0x00000000745C0000-0x0000000074B71000-memory.dmp (Filesize: 5.7MB)
- memory/3560-14-0x00000000745C0000-0x0000000074B71000-memory.dmp (Filesize: 5.7MB)
- memory/5000-20-0x0000000000400000-0x000000000044F000-memory.dmp (Filesize: 316KB)
- memory/5000-21-0x0000000010000000-0x0000000010000000-memory.dmp