Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
26-02-2024 02:14
Static task
static1
Behavioral task
behavioral1
Sample
a52ee5952971f06207484b70ef4db701.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a52ee5952971f06207484b70ef4db701.exe
Resource
win10v2004-20240221-en
General
-
Target
a52ee5952971f06207484b70ef4db701.exe
-
Size
534KB
-
MD5
a52ee5952971f06207484b70ef4db701
-
SHA1
63b1fa086b655c080ee192568a431b8e6f909596
-
SHA256
8635fc5fba6998e0d41633828c656dc79898e5a5d3146c943ee35fde37c29946
-
SHA512
acef8ac8694f0b13a614681ac7163efc11b12a39e4bdbde83f5c3041545d00d6460bc65d5fe995f38e159de8394531f218b4a0e758157acdce4ebce096398f30
-
SSDEEP
12288:NopMmVHZUm1Cu0/2ufK/lGRgOUqmq9kR6lhKXGSR0mSuraB8B0/pGO:NSM+aWCuMRK/cRgOnmq9g61ura2BMGO
Malware Config
Extracted
cybergate
2.2
vítima
kgcd72.no-ip.biz:81
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
título da mensagem
-
password
abcd1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | a52ee5952971f06207484b70ef4db701.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | a52ee5952971f06207484b70ef4db701.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | a52ee5952971f06207484b70ef4db701.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" | a52ee5952971f06207484b70ef4db701.exe
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YH5026H7-GKP1-E80M-HB8J-CL38WT01WK7V} | a52ee5952971f06207484b70ef4db701.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YH5026H7-GKP1-E80M-HB8J-CL38WT01WK7V}\StubPath = "C:\\Windows\\install\\server.exe Restart" | a52ee5952971f06207484b70ef4db701.exe
Processes:
resource | yara_rule
behavioral1/memory/2588-72-0x0000000024010000-0x000000002404C000-memory.dmp | upx
behavioral1/memory/2464-303-0x0000000024050000-0x000000002408C000-memory.dmp | upx
behavioral1/memory/2464-341-0x0000000024050000-0x000000002408C000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" | a52ee5952971f06207484b70ef4db701.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" | a52ee5952971f06207484b70ef4db701.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
description | pid | Process | procid_target
PID 1420 set thread context of 2588 | 1420 | a52ee5952971f06207484b70ef4db701.exe | 28
Drops file in Windows directory 2 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
description | ioc | Process
File opened for modification | C:\Windows\install\server.exe | a52ee5952971f06207484b70ef4db701.exe
File created | C:\Windows\install\server.exe | a52ee5952971f06207484b70ef4db701.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
pid | Process
2588 | a52ee5952971f06207484b70ef4db701.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
pid | Process
2464 | a52ee5952971f06207484b70ef4db701.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
description | pid | Process
Token: SeDebugPrivilege | 2464 | a52ee5952971f06207484b70ef4db701.exe
Token: SeDebugPrivilege | 2464 | a52ee5952971f06207484b70ef4db701.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe
pid | Process
1420 | a52ee5952971f06207484b70ef4db701.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: a52ee5952971f06207484b70ef4db701.exe, a52ee5952971f06207484b70ef4db701.exe
description | pid | Process | procid_target
PID 1420 wrote to memory of 2588 | 1420 | a52ee5952971f06207484b70ef4db701.exe | 28 (this entry is repeated 12 times in the report)
PID 2588 wrote to memory of 2616 | 2588 | a52ee5952971f06207484b70ef4db701.exe | 29 (this entry is repeated for all remaining entries; 64 IoCs listed in total)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a52ee5952971f06207484b70ef4db701.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a52ee5952971f06207484b70ef4db701.exe"
   PID: 1420
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\a52ee5952971f06207484b70ef4db701.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\a52ee5952971f06207484b70ef4db701.exe
      PID: 2588
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
         PID: 2616
      3. C:\Users\Admin\AppData\Local\Temp\a52ee5952971f06207484b70ef4db701.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\a52ee5952971f06207484b70ef4db701.exe"
         PID: 2464
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
137KB
MD5
ee485c1b55df0ab0c11a450a33bf6ba7
SHA1
ec242c55b842a194a87de635eb33376965e1204c
SHA256
da032a05becb822e6d784e614f2c23e0fd174d91b40a95672e66f413d4642fce
SHA512
665e94a5b6244275bd8c961930f1ee1eeba98aaed96bf3340ee4113f077b04f855ed858f8f8ac2cadcda1f4b1e98268428f9e44caf502677d86cbe2c19b62d15
-
Filesize
15B
MD5
86f3c87caff4d7973404ff22c664505b
SHA1
245bc19c345bc8e73645cd35f5af640bc489da19
SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb
SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024