Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16-02-2024 05:41
Static task: static1
Behavioral task: behavioral1
- Sample: 9f9339c367d8572866c94141e8db7022.exe
- Resource: win7-20231215-en
General
- Target: 9f9339c367d8572866c94141e8db7022.exe
- Size: 368KB
- MD5: 9f9339c367d8572866c94141e8db7022
- SHA1: 3ea4a38b5821817eb59e6e79d4bb24206de9f810
- SHA256: 83ac06ee9ff9ede28a610601d821c9bcd3e39b43cc89e2aa95245243b8b1a4b3
- SHA512: 6a10084417b124fdb5e365ee3a38325f878870e5013e72cd8ffe0c386c49bc95b1deebbf90709e968f9582fafef1de4fe0b7fa3e63db933bac79c266076449f4
- SSDEEP: 6144:7zIMMMMMMMMMMMMMMMMMMMMMMyp0Z84PvV8CcCjngCmkWrkIs7z8rFrTQm9eapEU:gMMMMMMMMMMMMMMMMMMMMMMOu3cCjckm
Malware Config
Extracted
- Family: cybergate
- Version: 2.6
- Campaign ID: vítima
- C2: aprendiz30.no-ip.org:2000
- Mutex: ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: teste.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: win32
- regkey_hklm: win32
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: 9f9339c367d8572866c94141e8db7022.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\teste.exe"
- Key created: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\teste.exe"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: 9f9339c367d8572866c94141e8db7022.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O2E12818-KY00-CSES-6767-L1ILR5HENAVA}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O2E12818-KY00-CSES-6767-L1ILR5HENAVA}\StubPath = "C:\\Windows\\system32\\install\\teste.exe Restart"

Memory regions matching YARA rule (resource, yara_rule)
- behavioral1/memory/2136-19-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2136-21-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2136-22-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2136-23-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2136-274-0x0000000000400000-0x0000000000457000-memory.dmp: upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 9f9339c367d8572866c94141e8db7022.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\teste.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\teste.exe"

Drops file in System32 directory (2 IoCs)
Process: 9f9339c367d8572866c94141e8db7022.exe
- File created: C:\Windows\SysWOW64\install\teste.exe
- File opened for modification: C:\Windows\SysWOW64\install\teste.exe

Suspicious use of SetThreadContext (1 IoC)
Process: 9f9339c367d8572866c94141e8db7022.exe
- PID 1704 set thread context of 2136 (pid 1704, procid_target 28)

Suspicious use of FindShellTrayWindow (1 IoC)
Process: 9f9339c367d8572866c94141e8db7022.exe
- pid 2136

Suspicious use of SetWindowsHookEx (1 IoC)
Process: 9f9339c367d8572866c94141e8db7022.exe
- pid 1704

Suspicious use of WriteProcessMemory (64 IoCs)
Process: 9f9339c367d8572866c94141e8db7022.exe
- PID 1704 wrote to memory of 2136 (pid 1704, procid_target 28), 8 identical entries
- PID 2136 wrote to memory of 1224 (pid 2136, procid_target 10), 56 identical entries
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1224
   2. C:\Users\Admin\AppData\Local\Temp\9f9339c367d8572866c94141e8db7022.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9f9339c367d8572866c94141e8db7022.exe"
      PID: 1704
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\9f9339c367d8572866c94141e8db7022.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\9f9339c367d8572866c94141e8db7022.exe"
         PID: 2136
         - Adds policy Run key to start application
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Drops file in System32 directory
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            PID: 2416