Analysis

max time kernel: 143s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-03-2024 11:30

Static task: static1
Behavioral task: behavioral1
Sample: b20431991f6e275f248da8f27cc59ba1.exe
Resource: win7-20240221-en
General

Target: b20431991f6e275f248da8f27cc59ba1.exe
Size: 488KB
MD5: b20431991f6e275f248da8f27cc59ba1
SHA1: d699162d192404f5ba17afb4811f7833e616888b
SHA256: 3c3b109b1af9de27f987099e80758258435ea12024f52908b3e7d7ad831cd6ac
SHA512: e77aa72caa5c7eb05870dd5b746f62471ef950aa5dc1dfc86926d2fcab984ac7373c74c8308aea8850af31e87d5de707791ee6d2258a0355426fdb52e54f0073
SSDEEP: 6144:IQsvYmRAf2G7Rt6mkV1XPkmW2WAlaVZ46DuIK0adkeW3Ogp95iMtL19gfBhlce8v:I1vifj2laVy6xnx+AiMteBh65
Malware Config

Extracted

Family: cybergate
Version: 2.6
Campaign ID: vítima
C2: bikini.no-ip.info:777
Mutex: ***MUTEX***

enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: svchost.exe
install_dir: install
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: b20431991f6e275f248da8f27cc59ba1.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: b20431991f6e275f248da8f27cc59ba1.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{07P8O5MG-862C-3YO4-8MG1-KP645D4V46DR}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07P8O5MG-862C-3YO4-8MG1-KP645D4V46DR}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"

YARA rule matches (upx)
Resources:
- behavioral1/memory/2772-2-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2772-4-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2772-5-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2772-6-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/2772-318-0x0000000000400000-0x0000000000457000-memory.dmp: upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: b20431991f6e275f248da8f27cc59ba1.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"

Drops file in System32 directory (2 IoCs)
Process: b20431991f6e275f248da8f27cc59ba1.exe
- File created: C:\Windows\SysWOW64\install\svchost.exe
- File opened for modification: C:\Windows\SysWOW64\install\svchost.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 2004 (b20431991f6e275f248da8f27cc59ba1.exe) set thread context of PID 2772 (target process id 28)

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2772 (b20431991f6e275f248da8f27cc59ba1.exe)

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2772 (b20431991f6e275f248da8f27cc59ba1.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2004 (b20431991f6e275f248da8f27cc59ba1.exe)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: b20431991f6e275f248da8f27cc59ba1.exe, b20431991f6e275f248da8f27cc59ba1.exe
- PID 2004 (b20431991f6e275f248da8f27cc59ba1.exe) wrote to memory of PID 2772 (target process id 28); repeated entries
- PID 2772 (b20431991f6e275f248da8f27cc59ba1.exe) wrote to memory of PID 1208 (target process id 21); repeated entries
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1208

   2. C:\Users\Admin\AppData\Local\Temp\b20431991f6e275f248da8f27cc59ba1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b20431991f6e275f248da8f27cc59ba1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2004

      3. C:\Users\Admin\AppData\Local\Temp\b20431991f6e275f248da8f27cc59ba1.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\b20431991f6e275f248da8f27cc59ba1.exe
         - Adds policy Run key to start application
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         PID: 2772

         4. C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            PID: 2144