Analysis

max time kernel: 14s
max time network: 4s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2024 03:48

Static task: static1
Behavioral task: behavioral1
Sample: cd0758dec1928aa629d885bff2706a44.exe
Resource: win7-20240221-en

Errors

General
Target: cd0758dec1928aa629d885bff2706a44.exe
Size: 426KB
MD5: cd0758dec1928aa629d885bff2706a44
SHA1: edce5dd5a851ecd08224f3be29c14c33f4deb4c6
SHA256: 9f8af6bdca26bdb96fa44247f2f5cc09cb169d0a21de7397116fc4dca5ff7214
SHA512: 400dbf5ec9f03d32ab7b489629892c3361a3f53e03495a7aeea70980267fbb929460dce3d08b195f7519d4e4f34f5e1d96050094c205fb0668bf2efb1b2c3c9f
SSDEEP: 12288:sdnoRlFSAOlivyb1B1NRYEAimIkPBdi56a:hMAuJB1NRDmhda6a
Malware Config

Extracted
  Family: cybergate
  Version: 2.6
  Botnet: KuRBaN
  C2: uzmanwbh.no-ip.org:15963
  Mutex: ***MUTEX***
  Attributes:
    enable_keylogger: true
    enable_message_box: false
    ftp_directory: ./logs/
    ftp_interval: 30
    injected_process: explorer.exe
    install_dir: install
    install_file: svchost.exe
    install_flag: true
    keylogger_enable_ftp: false
    message_box_caption: PORTLAR BASARIYLA KAPATILDI
    message_box_title: PORT KAPAT
    password: abcd1234
    regkey_hkcu: HKCU
    regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Process: cd0758dec1928aa629d885bff2706a44.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"
    Process: cd0758dec1928aa629d885bff2706a44.exe
  Key created: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Process: cd0758dec1928aa629d885bff2706a44.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\svchost.exe"
    Process: cd0758dec1928aa629d885bff2706a44.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72G27BNF-531J-G2K6-7TCV-51R37A2RM187}\StubPath = "C:\\Windows\\system32\\install\\svchost.exe Restart"
    Process: cd0758dec1928aa629d885bff2706a44.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{72G27BNF-531J-G2K6-7TCV-51R37A2RM187}
    Process: cd0758dec1928aa629d885bff2706a44.exe

  resource: behavioral1/memory/2280-566-0x0000000024080000-0x00000000240E2000-memory.dmp
    yara_rule: upx
  resource: behavioral1/memory/1488-867-0x00000000240F0000-0x0000000024152000-memory.dmp
    yara_rule: upx

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\svchost.exe"
    Process: cd0758dec1928aa629d885bff2706a44.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\svchost.exe"
    Process: cd0758dec1928aa629d885bff2706a44.exe

Drops file in System32 directory (4 IoCs)
  File opened for modification: C:\Windows\SysWOW64\install\svchost.exe
    Process: cd0758dec1928aa629d885bff2706a44.exe
  File opened for modification: C:\Windows\SysWOW64\install\svchost.exe
    Process: cd0758dec1928aa629d885bff2706a44.exe
  File opened for modification: C:\Windows\SysWOW64\install\
    Process: cd0758dec1928aa629d885bff2706a44.exe
  File created: C:\Windows\SysWOW64\install\svchost.exe
    Process: cd0758dec1928aa629d885bff2706a44.exe

Suspicious use of SetThreadContext (2 IoCs)
  PID 3044 set thread context of 2848 (process: cd0758dec1928aa629d885bff2706a44.exe, procid_target: 28)
  PID 2848 set thread context of 2784 (process: cd0758dec1928aa629d885bff2706a44.exe, procid_target: 29)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  PID 2784: cd0758dec1928aa629d885bff2706a44.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1488: cd0758dec1928aa629d885bff2706a44.exe
  Token: SeDebugPrivilege, PID 1488: cd0758dec1928aa629d885bff2706a44.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 2784: cd0758dec1928aa629d885bff2706a44.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3044: cd0758dec1928aa629d885bff2706a44.exe
  PID 2848: cd0758dec1928aa629d885bff2706a44.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed with their repeat counts)
  PID 3044 wrote to memory of 2848 (process: cd0758dec1928aa629d885bff2706a44.exe, procid_target: 28), 9 entries
  PID 2848 wrote to memory of 2784 (process: cd0758dec1928aa629d885bff2706a44.exe, procid_target: 29), 12 entries
  PID 2784 wrote to memory of 1368 (process: cd0758dec1928aa629d885bff2706a44.exe, procid_target: 21), 43 entries
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1368
   2. C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe"
      PID: 3044
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe
         PID: 2848
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe
            PID: 2784
            - Adds policy Run key to start application
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\explorer.exe
               Command line: explorer.exe
               PID: 2280
            5. C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\cd0758dec1928aa629d885bff2706a44.exe"
               PID: 1488
               - Drops file in System32 directory
               - Suspicious use of AdjustPrivilegeToken
               6. C:\Windows\SysWOW64\install\svchost.exe
                  Command line: "C:\Windows\system32\install\svchost.exe"
                  PID: 2420
                  7. C:\Windows\SysWOW64\install\svchost.exe
                     Command line: C:\Windows\SysWOW64\install\svchost.exe
                     PID: 2020
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 229KB
MD5: ecb7e4283e86931a5c5c71c53ff49f74
SHA1: 0bde9f5d08d5da996253996e690c239249f54de0
SHA256: a5799cbda305d519d302e34c48b07b2ad60b7a422571574f001c87c84907f5e9
SHA512: 0dba0aad3d01d7fd28abcf46cedc5e8fbdbf84a17a48826104a88d9eece1cb6502317c679a4c2cb247599f6582a20fd5d521d0aec0141e9ddbda780af263f755

Filesize: 15B
MD5: e21bd9604efe8ee9b59dc7605b927a2a
SHA1: 3240ecc5ee459214344a1baac5c2a74046491104
SHA256: 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA512: 42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Filesize: 426KB
MD5: cd0758dec1928aa629d885bff2706a44
SHA1: edce5dd5a851ecd08224f3be29c14c33f4deb4c6
SHA256: 9f8af6bdca26bdb96fa44247f2f5cc09cb169d0a21de7397116fc4dca5ff7214
SHA512: 400dbf5ec9f03d32ab7b489629892c3361a3f53e03495a7aeea70980267fbb929460dce3d08b195f7519d4e4f34f5e1d96050094c205fb0668bf2efb1b2c3c9f