Analysis

max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-02-2024 05:07

Static task: static1
Behavioral task: behavioral1
Sample: a581d72969141b42897477345e484233.exe
Resource: win7-20240221-en

General

Target: a581d72969141b42897477345e484233.exe
Size: 702KB
MD5: a581d72969141b42897477345e484233
SHA1: e77727a354f15339eae9cf9efc8fdb0ef72c7f1f
SHA256: ae59beaeb9671694f30bf3e945259f5fb9957c11c91e6737b59bafbb660b2cf4
SHA512: 617db7a66c392791d643763a8bb62b7ff0c6d0c98dcfe840f42699c7a4a02f958fea3151baff7bed401270deb525960fe50eaad770d0fed8b9460e4ec16566c9
SSDEEP: 6144:XQZMksZvWPR9XdpbHgO8WOEzEnEQSdmoDyIxgnOZ/bI4sqdb34bKnGtnwTkCAbYt:hJebN85EzEnHwYIinx4lbLEwTAz9boEI
Malware Config

Extracted
Family: cybergate
Version: 2.6
Botnet: vítima (Portuguese: "victim")
C2: axiaxi.zapto.org:81
Mutex: ***MUTEX***

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem (Portuguese: "message text")
message_box_title: título da mensagem (Portuguese: "message title")
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM

Reading the config against the behaviour below: install_dir and install_file give the dropped path install\server.exe; regkey_hkcu and regkey_hklm are the names of the Run values the sample writes (literally "HKCU" and "HKLM"); injected_process names the target of the memory writes into Explorer. The message-box strings are placeholders and the box is disabled (enable_message_box: false). The keylogger is on, but FTP exfiltration of its logs is off (keylogger_enable_ftp: false), so the ftp_directory and ftp_interval values are unused in this build.
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: a581d72969141b42897477345e484233.exe (PID 2592 per the process tree)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
  Note: the value name is "Policies". Unlike the Run and Active Setup keys below, this key was written without a Wow6432Node prefix, so the same entry is seen by 32-bit and 64-bit readers; include it in any persistence sweep, since it is started by Explorer at logon just like the ordinary Run key.

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: a581d72969141b42897477345e484233.exe (PID 2592)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7051O6SC-KCAX-4UKG-VJB2-E511KD72P433}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7051O6SC-KCAX-4UKG-VJB2-E511KD72P433}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"
  Note: Active Setup runs a component's StubPath at logon for every user who does not yet have that component recorded under their own HKCU Installed Components key, so this survives even if the Run values are cleaned. The component name is not a valid CLSID (it contains letters outside 0-9 and A-F), which makes it a cheap hunting pivot.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: a581d72969141b42897477345e484233.exe (PID 2592)
  Set value (str): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"
  Note: the value names "HKCU" and "HKLM" are the regkey_hkcu and regkey_hklm settings from the extracted config. The HKLM entry landed under Wow6432Node because the writer is a 32-bit process on a 64-bit OS.

Drops file in System32 directory (2 IoCs)
Process: a581d72969141b42897477345e484233.exe (PID 2592)
  File created: C:\Windows\SysWOW64\install\server.exe
  File opened for modification: C:\Windows\SysWOW64\install\server.exe
  Note: every registry value above names C:\Windows\system32\install\server.exe, yet the file was written to SysWOW64. That is WoW64 file system redirection: a 32-bit process's writes to system32 land in SysWOW64, and the same redirection applies when the 32-bit server.exe is later resolved from those values, so the persistence still works. When validating on a 64-bit host, look in SysWOW64 (or use the Sysnative alias from 32-bit tooling to reach the real system32); a 32-bit host has no such split.

Suspicious use of SetThreadContext (1 IoC)
Process: a581d72969141b42897477345e484233.exe
  PID 2828 set thread context of 2592 (a581d72969141b42897477345e484233.exe, procid_target 28)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2592 a581d72969141b42897477345e484233.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2592 a581d72969141b42897477345e484233.exe
  Note: the shell tray window belongs to Explorer; resolving it is a common way to obtain Explorer's process ID before injecting into it (config: injected_process explorer.exe).

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2828 a581d72969141b42897477345e484233.exe
  Note: SetWindowsHookEx is the usual API for a keyboard hook (config: enable_keylogger true); the report does not record which hook type was installed.

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a581d72969141b42897477345e484233.exe (PID 2828), a581d72969141b42897477345e484233.exe (PID 2592)
  PID 2828 wrote to memory of 2592 (a581d72969141b42897477345e484233.exe, procid_target 28): 12 entries
  PID 2592 wrote to memory of 1204 (C:\Windows\Explorer.EXE per the process tree, procid_target 17): 52 entries
  Note: 2828 writes into a second instance of itself (2592, same command line) and then sets that process's thread context, the pattern of process hollowing of a self-spawned child. The hollowed 2592 then writes into Explorer.EXE (PID 1204), matching injected_process in the config. No memory writes into the 32-bit C:\Windows\SysWOW64\explorer.exe it also launched (PID 2280) are recorded.
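The Signatures above are what a triage analyst has to turn into host checks: five registry values (two of them under Wow6432Node), one dropped file whose registry path differs from its real path because of WoW64 redirection, and 64 near-identical WriteProcessMemory rows that really describe two injection edges. The script below is an added example for this page, not code from the sandbox vendor or from the sample. It takes the report's own rows (copied in as constructed input, with the 12 and 52 repeats standing in for the 64 entries), normalises \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to HKLM/HKCU, splits the data string into image and arguments, flags WoW64-redirected keys, expands a system32 path to both locations a 64-bit host could hold it, and collapses the memory-write rows into an injection graph that labels a write-plus-SetThreadContext pair as hollowing. The parsing rules are assumptions about this flattened text format and generalise to any number of rows; the "hollowing" label is an inference from the API pair, not something the report states.

```python
"""Normalise the flattened IoC rows of a sandbox report into checkable indicators.

Added example for this page; it is not code from the sandbox vendor or from the
sample. The input rows are copied from the Signatures section above (12 + 52
repeats reproduce its 64 WriteProcessMemory entries); the parsing rules are
assumptions about that flattened text format.
"""
import re
from collections import Counter

# "Set value" rows as the report prints them (backslashes in the data are doubled).
REGISTRY_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7051O6SC-KCAX-4UKG-VJB2-E511KD72P433}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe"',
]
SAMPLE = "a581d72969141b42897477345e484233.exe"
MEMORY_LINES = ([f"PID 2828 wrote to memory of 2592 2828 {SAMPLE} 28"] * 12
                + [f"PID 2592 wrote to memory of 1204 2592 {SAMPLE} 17"] * 52)
THREAD_CONTEXT_LINES = [f"PID 2828 set thread context of 2592 2828 {SAMPLE} 28"]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"
SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\', re.IGNORECASE)
IMAGE_RE = re.compile(r'^(.*?\.exe)(?:\s+(.*))?$', re.IGNORECASE)
MEM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+)')
CTX_RE = re.compile(r'PID (\d+) set thread context of (\d+)')


def parse_set_value(line):
    """Turn one 'Set value' row into a hive-prefixed key, value name and image path."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    vtype, raw_key, raw_data = m.groups()
    if raw_key[:len(MACHINE_PREFIX)].upper() == MACHINE_PREFIX:
        key = "HKLM\\" + raw_key[len(MACHINE_PREFIX):]
    else:
        # \REGISTRY\USER\<SID> is the logged-on user's hive, i.e. HKCU on that host.
        sid = SID_RE.match(raw_key)
        key = "HKCU\\" + raw_key[sid.end():] if sid else raw_key
    key, _, value_name = key.rpartition("\\")
    data = raw_data.replace("\\\\", "\\")  # undo the report's escaping of backslashes
    im = IMAGE_RE.match(data)
    image, args = (im.group(1), im.group(2) or "") if im else (data, "")
    return {"key": key, "value": value_name, "type": vtype, "image": image, "args": args,
            # A Wow6432Node key means a 32-bit writer was redirected by WoW64.
            "wow64": "\\wow6432node\\" in key.lower()}


def persistence_iocs(lines):
    """All parseable 'Set value' rows, in report order."""
    return [p for p in map(parse_set_value, lines) if p]


def file_candidates(image):
    """Paths to check on a 64-bit host: a 32-bit writer's system32 is really SysWOW64."""
    low = image.lower()
    marker = "\\windows\\system32\\"
    if marker not in low:
        return [image]
    i = low.index(marker)
    return [image, image[:i] + "\\Windows\\SysWOW64\\" + image[i + len(marker):]]


def injection_graph(mem_lines, ctx_lines):
    """Collapse repeated WriteProcessMemory rows into (src, dst, count, technique) edges.

    A target that also had its thread context set by the same writer is labelled
    'hollowing' (WriteProcessMemory + SetThreadContext); anything else 'remote-write'.
    """
    writes = Counter()
    for line in mem_lines:
        m = MEM_RE.search(line)
        if m:
            writes[(int(m.group(1)), int(m.group(2)))] += 1
    hijacked = set()
    for line in ctx_lines:
        m = CTX_RE.search(line)
        if m:
            hijacked.add((int(m.group(1)), int(m.group(2))))
    edges = []
    for (src, dst), n in sorted(writes.items(), key=lambda kv: -kv[1]):
        edges.append((src, dst, n, "hollowing" if (src, dst) in hijacked else "remote-write"))
    return edges


if __name__ == "__main__":
    for ioc in persistence_iocs(REGISTRY_LINES):
        flag = " [WoW64-redirected key]" if ioc["wow64"] else ""
        print(f'{ioc["key"]} \\ {ioc["value"]} -> {ioc["image"]} {ioc["args"]}{flag}'.rstrip())
        for path in file_candidates(ioc["image"]):
            print("   check file:", path)
    for src, dst, n, how in injection_graph(MEMORY_LINES, THREAD_CONTEXT_LINES):
        print(f"PID {src} -> PID {dst}: {n} writes ({how})")
```

The normalised key/value pairs can be handed straight to a registry query on a suspect host, and both paths from file_candidates should be checked, since the value text says system32 while the sandbox saw the file in SysWOW64. The edge list reproduces the two-stage story in the report: 12 writes plus a SetThreadContext from 2828 into its own child 2592, then 52 writes from 2592 into Explorer (1204).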
Processes

[1] C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  PID: 1204
  [2] C:\Users\Admin\AppData\Local\Temp\a581d72969141b42897477345e484233.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\a581d72969141b42897477345e484233.exe")  PID: 2828
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\a581d72969141b42897477345e484233.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\a581d72969141b42897477345e484233.exe")  PID: 2592
        - Adds policy Run key to start application
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\explorer.exe  (command line: explorer.exe)  PID: 2280