Analysis
max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-03-2024 12:43
Static task: static1
Behavioral task: behavioral1
Sample: b226b8d544810c44eacfdd1dec799c8a.exe
Resource: win7-20240221-en
General
Target: b226b8d544810c44eacfdd1dec799c8a.exe
Size: 711KB
MD5: b226b8d544810c44eacfdd1dec799c8a
SHA1: 746c2736ce177d5500381968cd7d0cd6a27c13c7
SHA256: 4c4b13c05adc12803a1fcdd0057c11b6b055bd09913cadbf272b43807e5a25fb
SHA512: 2c0a6d10ed272ee4d2d341e7d12acba568a6a5b9946cc22306efe1eaefeba18621fcddce48ed10ec235d7ebd8496c1c76db7131bf7fa266252e69444413be3b3
SSDEEP: 12288:FuZIB8jeLvUwZnWwYys49h+TmvzZfvHP/ZRKwmmOvi2AYOyC+tyeyGPDLEEmBvoI:FuZIamUr2HtZHXjOvnZC+tjyGDLEy/Ls
Malware Config
Extracted
cybergate
2.6
vítima
hockid.no-ip.biz:81
jajajaja..
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 60
injected_process: explorer.exe
install_dir: Win32
install_file: server.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\server.exe"
- Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\server.exe"
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{64218BE1-JH8W-43DM-356J-YVFNH5VI810K}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64218BE1-JH8W-43DM-356J-YVFNH5VI810K}\StubPath = "C:\\Windows\\Win32\\server.exe Restart"
Resource / yara_rule:
- behavioral1/memory/1268-9-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/1268-11-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/1268-13-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/1268-14-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/1268-15-0x0000000000400000-0x0000000000457000-memory.dmp: upx
- behavioral1/memory/1268-264-0x0000000000400000-0x0000000000457000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Win32\\server.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Win32\\server.exe"
Suspicious use of SetThreadContext (1 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- PID 2068 set thread context of 1268 (pid 2068, process b226b8d544810c44eacfdd1dec799c8a.exe, procid_target 28)
Drops file in Windows directory (2 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- File created: C:\Windows\Win32\server.exe
- File opened for modification: C:\Windows\Win32\server.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- pid 1268, b226b8d544810c44eacfdd1dec799c8a.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- pid 1268, b226b8d544810c44eacfdd1dec799c8a.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Process: b226b8d544810c44eacfdd1dec799c8a.exe
- pid 2068, b226b8d544810c44eacfdd1dec799c8a.exe
- pid 2068, b226b8d544810c44eacfdd1dec799c8a.exe
- pid 2068, b226b8d544810c44eacfdd1dec799c8a.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: b226b8d544810c44eacfdd1dec799c8a.exe (pid 2068), b226b8d544810c44eacfdd1dec799c8a.exe (pid 1268)
- PID 2068 wrote to memory of 1268 (pid 2068, process b226b8d544810c44eacfdd1dec799c8a.exe, procid_target 28)
- PID 1268 wrote to memory of 1196 (pid 1268, process b226b8d544810c44eacfdd1dec799c8a.exe, procid_target 21)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1196
   2. C:\Users\Admin\AppData\Local\Temp\b226b8d544810c44eacfdd1dec799c8a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b226b8d544810c44eacfdd1dec799c8a.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2068
      3. C:\Users\Admin\AppData\Local\Temp\b226b8d544810c44eacfdd1dec799c8a.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\b226b8d544810c44eacfdd1dec799c8a.exe"
         - Adds policy Run key to start application
         - Modifies Installed Components in the registry
         - Adds Run key to start application
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         PID: 1268
         4. C:\Windows\SysWOW64\explorer.exe
            Command line: explorer.exe
            PID: 2044