Analysis
- max time kernel: 146s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 22:24

Behavioral task: behavioral1
- Sample: 97c37cb207301385c3bfb1ff3cdf0b4c.exe
- Resource: win7-20231215-en
General
- Target: 97c37cb207301385c3bfb1ff3cdf0b4c.exe
- Size: 534KB
- MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
- SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
- SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
- SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281
- SSDEEP: 12288:QjkArEN249AyE/rbaMct4bO2/VhBqmvKhbAELLJilK09XQlGp/:LFE//Tct4bOsMRdjLlilKyQlGp/
Malware Config
Extracted
- Family: cybergate
- Version: 2.5
- Botnet: vítima
- C2: 127.0.0.1:81
- Mutex: ***MUTEX***

Attributes
- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Online !
- message_box_title: Eskay Coder
- password: abcd1234
Signatures
- Executes dropped EXE (3 IoCs)
  Processes: server.exe (PID 2848), server.exe (PID 2708), server.exe (PID 2752)
- Loads dropped DLL (2 IoCs)
  Processes: 97c37cb207301385c3bfb1ff3cdf0b4c.exe (PID 2944), server.exe (PID 2848)
- Yara rule upx matched (20 IoCs) in memory dumps of PIDs 2528, 2944, 2848, 2708 and 2752 and in the dropped file behavioral1/files/0x002c000000014a45-17.dat; the per-region memory dump list is omitted.
- AutoIT Executable (3 IoCs): AutoIT scripts compiled to PE executables.
  Yara rule autoit_exe matched:
  - behavioral1/memory/2528-8-0x0000000000400000-0x00000000004C1000-memory.dmp
  - behavioral1/memory/2848-24-0x0000000000400000-0x00000000004C1000-memory.dmp
  - behavioral1/memory/2848-42-0x0000000000400000-0x00000000004C1000-memory.dmp
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 2528 (97c37cb207301385c3bfb1ff3cdf0b4c.exe) set thread context of PID 2944 (procid_target 28)
  - PID 2848 (server.exe) set thread context of PID 2708 (procid_target 30)
- Enumerates physical storage devices (1 TTPs): Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 97c37cb207301385c3bfb1ff3cdf0b4c.exe (PID 2944), server.exe (PID 2708)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: server.exe (PID 2752)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: server.exe (PID 2752) enabled token privilege SeDebugPrivilege (two events)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: 97c37cb207301385c3bfb1ff3cdf0b4c.exe (PID 2944)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 97c37cb207301385c3bfb1ff3cdf0b4c.exe (PIDs 2528, 2944), server.exe (PIDs 2848, 2708); the per-event list is omitted.
Processes
- C:\Windows\Explorer.EXE (cmd: C:\Windows\Explorer.EXE), PID 1204
  - C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe"), PID 2528
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe"), PID 2944
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\dir\install\install\server.exe (cmd: "C:\dir\install\install\server.exe"), PID 2848
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\dir\install\install\server.exe (cmd: "C:\dir\install\install\server.exe"), PID 2708
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - C:\dir\install\install\server.exe (cmd: "C:\dir\install\install\server.exe"), PID 2752
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8B
  MD5: 2120e269d1eedbddb3fd6eac77fa3b4e
  SHA1: 1c7b35135789aa75a837b6f5ad96933c02c83250
  SHA256: 5625a9026e9bc275b0770965cad71a62a1a7c2b2df0ece7bded40c5959c41bf4
  SHA512: 23e3f26328895eff38fe04b1ebddc77e167eafab31f79224f93dfc118f45f7a0e00124b7358d3bf00914b7af6e28ec78f9a31505429fd8d19a62176f2697fbea
- Filesize: 189KB
  MD5: cbda8b80ab656059e1206fe80f9a25ca
  SHA1: 4eaf1ac53d31b41434b6cca408ce53ac28486e7c
  SHA256: 59f5685c9db7baa7c8def05d175680ca1eee18bac5887b3952d8db230caa8587
  SHA512: 493794700de6054acda381937ddbb71f8f7cac42e48d90dd278673e22f7bf1e99ac573f60d739530d8d4a1c7788de04a4a7cfbca66df61514e19895524d48161
- Filesize: 15B
  MD5: 4362e21af8686f5ebba224768d292a5b
  SHA1: 504510a4d10e230dcd1605ab3342525b38a10933
  SHA256: b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3
  SHA512: f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850
- Filesize: 534KB (same hashes as the submitted sample)
  MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
  SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
  SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
  SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281