Analysis
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:45
Static task: static1
Behavioral task: behavioral1
Sample: 7500ce0c4a42420ae8e50c241974c891.exe
Resource: win7-20231215-en
General
Target: 7500ce0c4a42420ae8e50c241974c891.exe
Size: 1.3MB
MD5: 7500ce0c4a42420ae8e50c241974c891
SHA1: be311f95a2af46db1366aca7c646c11d89454c18
SHA256: 7f6fa7cb7c1b8bbc8ddc2f73960480f528250fac8842912520edf85b64924605
SHA512: 007be785b20216cdae025af249b5a189735dfad746de44799432ab4233d338cc4ac131c0d3b9bcca7256b38bba21082ba571affe540cbf95a5e4526c5e6c5313
SSDEEP: 24576:SREZ+/P4hfk7jxzh0r6tr+L4U+sufkCTEy7OMyuXl38r8U:SREnOYKrU4ZtfzTEyfw
Malware Config
Extracted
cybergate
v1.01.8
King
kingz.zapto.org:4578
CyberGate1
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Winbooter
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Owned?
message_box_title: CyberGate
password: 420
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Executes dropped EXE (2 IoCs)
Processes:
| pid | process |
| --- | --- |
| 824 | 2345.exe |
| 2580 | winupdate.exe |

Loads dropped DLL (7 IoCs)
Processes:
| pid | process |
| --- | --- |
| 2512 | 7500ce0c4a42420ae8e50c241974c891.exe |
| 2512 | 7500ce0c4a42420ae8e50c241974c891.exe |
| 824 | 2345.exe |
| 2580 | winupdate.exe |
| 2580 | winupdate.exe |
| 2580 | winupdate.exe |
| 2600 | dw20.exe |

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 824 set thread context of 2580 | 824 | 2345.exe | winupdate.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
| pid | process |
| --- | --- |
| 2512 | 7500ce0c4a42420ae8e50c241974c891.exe |
| 2512 | 7500ce0c4a42420ae8e50c241974c891.exe |
| 824 | 2345.exe |

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
| pid | process |
| --- | --- |
| 2600 | dw20.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2512 | 7500ce0c4a42420ae8e50c241974c891.exe |
| Token: SeDebugPrivilege | 824 | 2345.exe |

Suspicious use of WriteProcessMemory (35 IoCs)
Processes (identical events grouped; the events column gives how many times each row was recorded, 35 in total):
| description | pid | process | target process | events |
| --- | --- | --- | --- | --- |
| PID 2512 wrote to memory of 824 | 2512 | 7500ce0c4a42420ae8e50c241974c891.exe | 2345.exe | 4 |
| PID 824 wrote to memory of 2896 | 824 | 2345.exe | csc.exe | 4 |
| PID 2896 wrote to memory of 2608 | 2896 | csc.exe | cvtres.exe | 4 |
| PID 824 wrote to memory of 2580 | 824 | 2345.exe | winupdate.exe | 15 |
| PID 824 wrote to memory of 2600 | 824 | 2345.exe | dw20.exe | 4 |
| PID 2512 wrote to memory of 1908 | 2512 | 7500ce0c4a42420ae8e50c241974c891.exe | dw20.exe | 4 |
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\7500ce0c4a42420ae8e50c241974c891.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7500ce0c4a42420ae8e50c241974c891.exe"
  PID: 2512
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\2345.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2345.exe"
      PID: 824
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7qt4dcoe.cmdline"
          PID: 2896
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4432.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4431.tmp"
              PID: 2608

        C:\Users\Admin\AppData\Roaming\winupdate.exe
          Command line: C:\Users\Admin\AppData\Roaming\winupdate.exe
          PID: 2580
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 512
          PID: 2600
          - Loads dropped DLL
          - Suspicious behavior: GetForegroundWindowSpam

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1400
      PID: 1908
Network
MITRE ATT&CK Enterprise v15
Downloads
| File | Size | MD5 | SHA1 | SHA256 | SHA512 |
| --- | --- | --- | --- | --- | --- |
| C:\Users\Admin\AppData\Local\Temp\7qt4dcoe.dll | 5KB | 098767412968a9ef08dc7482a941dbdf | 8f2daa6a6ee8fb07792545e88ff8e0a6548a9a42 | c4edfc8e0e2ce71641693f8396ec8bfb11e33272a473f86f32488ccce85f96c6 | d2f4bb57caa5079263514f2bbc2f203935896326d4b3b9b9e24ee2a3f7d5e65a16a7d6e94d491a38ba7ffc514a2e0215c83261e39a9849e52b7da84da161096b |
| C:\Users\Admin\AppData\Local\Temp\RES4432.tmp | 1KB | aa9a562df1892a45685cc25b64a12f48 | 7886f07714560f6655ee2e126d37fe433816f734 | 59e25ca34b5eaefa712191240be5906029b2085ffabadd19b7ccdd1e5ed030e8 | 1ccba8f8ca020a6c28ec0094ded4709a93cea7767c843e53f586087e7aaac8a9d85f845dda428551a872ae4e1f2817cbb7b44ae09d2fa0ec41302e220b2c29a2 |
| \??\c:\Users\Admin\AppData\Local\Temp\7qt4dcoe.0.cs | 4KB | 2216d197bc442e875016eba15c07a937 | 37528e21ea3271b85d276c6bd003e6c60c81545d | 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af | 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f |
| \??\c:\Users\Admin\AppData\Local\Temp\7qt4dcoe.cmdline | 206B | ec2034faaff27e335c9932057874c1f5 | 49d214453f571063f04ad182051d955b728a659a | 90cbfcab8fcaea338c83fee3a74db4fd82a59d2601af562b13ea6482cb778fb6 | 038f5a107ed9ae80830f819837aa0278f89b3ab9f96cfacf41e39ccbb53a4a55bed6ee59a14791115224b9057ea7e7f6e86cc9ad3155b9e3b7cc5b5e2936c471 |
| \??\c:\Users\Admin\AppData\Local\Temp\CSC4431.tmp | 652B | 4ded2928fc25cbfb2c3b146fd8aaada4 | b22c5e6621719a1023cd2faa1e5201b1416ca3bd | 6fd21ccb55e7d50a554242342f7860fc1d4ea9bd1296df2eec2e68a8d770f500 | 0e7f6efcaf9a425f26758a112395fdde60791e9121213e84319ddcaa3153461fd7b743029240629b41443b336ac175fcffedab26b9e52921b87dc0e2d0494578 |
| \Users\Admin\AppData\Local\Temp\2345.exe | 1.2MB | 6f11b39eaff7f49386951fb80c5ea8e0 | 6059a7b86042eefc0d0c289dafd7ab75ba056a1f | b8b2165d7b71895b660c335b133aa34db9ffbe36bd8abcd77f260a31a7045910 | 8f7c10910039e6822615907269432885d046a3c8fc58dab980e931c52aec51a4d0988976c6176ee93e99ce81c4c052137f967e6e62d8be64355dff2c769caa82 |
| \Users\Admin\AppData\Local\Temp\2345.exe | 418KB | 5e74a7d82c882246b668ca91940b35c9 | c5cd950a4f8bcf4dcbde2b1e5b5f825a5b35d0a9 | b086879dfe7cc763984b4b5884beccc34ddead9d438e115c9bc044092fb36998 | 080126f82e1b8aa5a2dd898166b1aedd9c5607f81b805533220f593a0ea1f65d09960bffa1beb5e034d1066b0c9b835398dcc4a0f6693b312d8529517ccea7e2 |
| \Users\Admin\AppData\Roaming\winupdate.exe | 12KB | 41304f17702b85c2dd8b737b3f814f84 | cd37f2b770ad7cfe07b4d7e83e10158dd2e457c7 | a696628b4e489ff49e7af05d46b8658ee206502deaf7b16cca36a54f4593ddbe | c5d1351ba0aed08586999014caa8271e491c0359bb42a444096dc161cc31e49b14d65a5daa4646066fe1dc3874528309dc9bd4022c6899eb94a278e798aeb46b |