Analysis

- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 07:36

Static task: static1
Behavioral task: behavioral1
Sample: a89895a682adb89b9c5a53b7b4460f89.exe
Resource: win7-20240221-en
General

- Target: a89895a682adb89b9c5a53b7b4460f89.exe
- Size: 314KB
- MD5: a89895a682adb89b9c5a53b7b4460f89
- SHA1: 1bf7ac08ad143069e863df711bda5736709be46f
- SHA256: 92cd541819f3c2bf9db8f6d16f9c8cd72f01e0453b8cf9d33d3a808776c0170b
- SHA512: 02f151b65f53fdc60ef505962255492fc371837c5b4ffd238d7de1c9cc7d54a19c44474917ed8562b45985b741527817ed40fa8d8deedc91b571e370a6105d88
- SSDEEP: 6144:yE+bey7+B5JGmrpQsK3FD2u270jupCJsCxCk:yE+ee+c92zkPaCx3
Malware Config

Extracted

- Family: cybergate
- Version: 2.6
- Campaign ID: vítima
- C2: shalom.no-ip.org:1338
- Mutex: ***MUTEX***
- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: corrompeu
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: win32
- regkey_hklm: win32
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: a89895a682adb89b9c5a53b7b4460f89.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"
- Key created: \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: a89895a682adb89b9c5a53b7b4460f89.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: a89895a682adb89b9c5a53b7b4460f89.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\win32 = "C:\\Windows\\system32\\install\\server.exe"

Drops file in System32 directory (2 IoCs)
Process: a89895a682adb89b9c5a53b7b4460f89.exe
- File created: C:\Windows\SysWOW64\install\server.exe
- File opened for modification: C:\Windows\SysWOW64\install\server.exe

Suspicious use of SetThreadContext (1 IoC)
Process: a89895a682adb89b9c5a53b7b4460f89.exe
- PID 2212 set thread context of 2968 (target process: a89895a682adb89b9c5a53b7b4460f89.exe, procid_target 29)

Suspicious use of FindShellTrayWindow (1 IoC)
Process: a89895a682adb89b9c5a53b7b4460f89.exe
- PID 2968

Suspicious use of SetWindowsHookEx (1 IoC)
Process: a89895a682adb89b9c5a53b7b4460f89.exe
- PID 2212

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a89895a682adb89b9c5a53b7b4460f89.exe (PID 2212), a89895a682adb89b9c5a53b7b4460f89.exe (PID 2968)
- PID 2212 wrote to memory of 2968 (target process: a89895a682adb89b9c5a53b7b4460f89.exe, procid_target 29); 12 events
- PID 2968 wrote to memory of 1212 (target process: Explorer.EXE, procid_target 22); the remaining 52 of the 64 listed events
Processes

1. C:\Windows\Explorer.EXE (PID 1212)
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\a89895a682adb89b9c5a53b7b4460f89.exe (PID 2212)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a89895a682adb89b9c5a53b7b4460f89.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\a89895a682adb89b9c5a53b7b4460f89.exe (PID 2968)
         Command line: C:\Users\Admin\AppData\Local\Temp\a89895a682adb89b9c5a53b7b4460f89.exe
         - Adds policy Run key to start application
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Drops file in System32 directory
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe (PID 2140)
            Command line: explorer.exe