Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-02-2024 22:24
Behavioral task: behavioral1
Sample: 97c37cb207301385c3bfb1ff3cdf0b4c.exe
Resource: win7-20231215-en
General
Target: 97c37cb207301385c3bfb1ff3cdf0b4c.exe
Size: 534KB
MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281
SSDEEP: 12288:QjkArEN249AyE/rbaMct4bO2/VhBqmvKhbAELLJilK09XQlGp/:LFE//Tct4bOsMRdjLlilKyQlGp/
Malware Config
Extracted
cybergate
2.5
vítima
127.0.0.1:81
***MUTEX***
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Online !
message_box_title: Eskay Coder
password: abcd1234
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | Process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 97c37cb207301385c3bfb1ff3cdf0b4c.exe

Executes dropped EXE (3 IoCs)
Processes (pid | Process):
  2748 | server.exe
  2512 | server.exe
  2248 | server.exe

Processes (resource | yara_rule):
  behavioral2/memory/4328-0-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
  behavioral2/memory/1936-1-0x0000000000400000-0x000000000044C000-memory.dmp | upx
  behavioral2/memory/1936-4-0x0000000000400000-0x000000000044C000-memory.dmp | upx
  behavioral2/memory/4328-3-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
  behavioral2/memory/1936-6-0x0000000000400000-0x000000000044C000-memory.dmp | upx
  behavioral2/files/0x0007000000023212-12.dat | upx
  behavioral2/memory/2748-21-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
  behavioral2/memory/1936-22-0x0000000000400000-0x000000000044C000-memory.dmp | upx
  behavioral2/memory/2748-26-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
  behavioral2/memory/2248-36-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
  behavioral2/memory/2512-81-0x0000000024010000-0x0000000024052000-memory.dmp | upx
  behavioral2/memory/2248-88-0x0000000024010000-0x0000000024052000-memory.dmp | upx
  behavioral2/memory/2512-91-0x0000000000400000-0x000000000044C000-memory.dmp | upx
  behavioral2/memory/2248-137-0x0000000024010000-0x0000000024052000-memory.dmp | upx
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
  behavioral2/memory/4328-3-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
  behavioral2/memory/2748-21-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe
  behavioral2/memory/2748-26-0x0000000000400000-0x00000000004C1000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | Process | procid_target):
  PID 4328 set thread context of 1936 | 4328 | 97c37cb207301385c3bfb1ff3cdf0b4c.exe | 86
  PID 2748 set thread context of 2512 | 2748 | server.exe | 88
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | Process):
  1936 | 97c37cb207301385c3bfb1ff3cdf0b4c.exe
  1936 | 97c37cb207301385c3bfb1ff3cdf0b4c.exe
  2512 | server.exe
  2512 | server.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | Process):
  2248 | server.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | Process):
  Token: SeDebugPrivilege | 2248 | server.exe
  Token: SeDebugPrivilege | 2248 | server.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid | Process):
  1936 | 97c37cb207301385c3bfb1ff3cdf0b4c.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | Process | procid_target); identical rows collapsed with their repeat count:
  PID 4328 wrote to memory of 1936 | 4328 | 97c37cb207301385c3bfb1ff3cdf0b4c.exe | 86  (6 entries)
  PID 1936 wrote to memory of 2748 | 1936 | 97c37cb207301385c3bfb1ff3cdf0b4c.exe | 87  (3 entries)
  PID 1936 wrote to memory of 3524 | 1936 | 97c37cb207301385c3bfb1ff3cdf0b4c.exe | 28  (3 entries)
  PID 2748 wrote to memory of 2512 | 2748 | server.exe | 88  (6 entries)
  PID 2512 wrote to memory of 2248 | 2512 | server.exe | 89  (remaining 46 entries)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3524

  2. C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
     PID: 4328

    3. C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\97c37cb207301385c3bfb1ff3cdf0b4c.exe"
       - Checks computer location settings
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of WriteProcessMemory
       PID: 1936

      4. C:\dir\install\install\server.exe
         Command line: "C:\dir\install\install\server.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         PID: 2748

        5. C:\dir\install\install\server.exe
           Command line: "C:\dir\install\install\server.exe"
           - Executes dropped EXE
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
           PID: 2512

          6. C:\dir\install\install\server.exe
             Command line: "C:\dir\install\install\server.exe"
             - Executes dropped EXE
             - Suspicious behavior: GetForegroundWindowSpam
             - Suspicious use of AdjustPrivilegeToken
             PID: 2248
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8B
MD5: 32dca72b4839a0f6f4747bc216e81d10
SHA1: ce50ab78443b85235a8356aab5b95e6dc68d176c
SHA256: 058d1a6953fb9b07405832de4f273297845a9f57fdaf8d533733961cda07ffe2
SHA512: 4447134c6c9320a3155981a89d443d7ec7bba0e9a6cb438f9afcb0fb9d6ae926a193d062f1b293dd2735dfba5b188c6524cf76e96a6cc4529bd6d89c699d64f4

Filesize: 189KB
MD5: cbda8b80ab656059e1206fe80f9a25ca
SHA1: 4eaf1ac53d31b41434b6cca408ce53ac28486e7c
SHA256: 59f5685c9db7baa7c8def05d175680ca1eee18bac5887b3952d8db230caa8587
SHA512: 493794700de6054acda381937ddbb71f8f7cac42e48d90dd278673e22f7bf1e99ac573f60d739530d8d4a1c7788de04a4a7cfbca66df61514e19895524d48161

Filesize: 15B
MD5: 4362e21af8686f5ebba224768d292a5b
SHA1: 504510a4d10e230dcd1605ab3342525b38a10933
SHA256: b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3
SHA512: f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850

Filesize: 534KB
MD5: 97c37cb207301385c3bfb1ff3cdf0b4c
SHA1: 03e13a3161f2d66de62bfbe1aa187700a6befc4f
SHA256: bc0ad10f619cc510627d0f638255cce944c5c4a94d17674aa006132979260dae
SHA512: 2506be5915ba19ba98ea54c53b835cca910f613212afea7b4656ed2bd92fc12a2701fb899c79275cf57dd41d12c4a87ae0235a03c5da1ec870ed33402fabc281