Analysis

max time kernel: 148s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2024 12:53
Static task: static1
Behavioral task: behavioral1
  Sample: ce1c3c105e6bf656c4ffeb926fc8d385.exe
  Resource: win7-20240221-en
General

Target: ce1c3c105e6bf656c4ffeb926fc8d385.exe
Size: 444KB
MD5: ce1c3c105e6bf656c4ffeb926fc8d385
SHA1: fce3650fbe53ed0c92741134fbac891b286d306a
SHA256: 252f8c9c65403cf1cefcf451df1e05ab62f21f9db5c82ea1d921249a3c0b7198
SHA512: 14180f3b5ef82436db5ff390aa36977fff6f2de27814bcd9ccf0a87cb32e9105b07b837f090e6a5b5e52a1e1cb0a2b95b616874475558cf378f315ae0e2c4a5f
SSDEEP: 6144:aSrQm3SXav2Fsia14TTwF0zTqdGw+xvBwLnO5UgZ5JVNaH2:nQm3beFsiMOT7TqdSvBwj6FZQ
Malware Config

Extracted

cybergate
v1.07.5
JB0928
finders.hopto.org:425
F4167VHVC5S3N4

enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: Google Update
install_file: taskmgr.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Error - Application not supported on this operating system
message_box_title: Model Placement Application
password: knarf0909
regkey_hkcu: Google Update
regkey_hklm: Google Update
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ce1c3c105e6bf656c4ffeb926fc8d385.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Google Update\\taskmgr.exe" | ce1c3c105e6bf656c4ffeb926fc8d385.exe
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ce1c3c105e6bf656c4ffeb926fc8d385.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Google Update\\taskmgr.exe" | ce1c3c105e6bf656c4ffeb926fc8d385.exe

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{8S0871B8-6R33-T80P-EXVA-4337PV27A2LR} | ce1c3c105e6bf656c4ffeb926fc8d385.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8S0871B8-6R33-T80P-EXVA-4337PV27A2LR}\StubPath = "C:\\Windows\\system32\\Google Update\\taskmgr.exe Restart" | ce1c3c105e6bf656c4ffeb926fc8d385.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Windows\\system32\\Google Update\\taskmgr.exe" | ce1c3c105e6bf656c4ffeb926fc8d385.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Windows\\system32\\Google Update\\taskmgr.exe" | ce1c3c105e6bf656c4ffeb926fc8d385.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | ce1c3c105e6bf656c4ffeb926fc8d385.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Google Update\taskmgr.exe | ce1c3c105e6bf656c4ffeb926fc8d385.exe
File opened for modification | C:\Windows\SysWOW64\Google Update\taskmgr.exe | ce1c3c105e6bf656c4ffeb926fc8d385.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2508 set thread context of 2136 | 2508 | ce1c3c105e6bf656c4ffeb926fc8d385.exe | 28
PID 2136 set thread context of 2660 | 2136 | ce1c3c105e6bf656c4ffeb926fc8d385.exe | 29

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2660 | ce1c3c105e6bf656c4ffeb926fc8d385.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2508 | ce1c3c105e6bf656c4ffeb926fc8d385.exe
2136 | ce1c3c105e6bf656c4ffeb926fc8d385.exe

Suspicious use of WriteProcessMemory (64 IoCs; the three distinct write events are listed once each)
description | pid | Process | procid_target
PID 2508 wrote to memory of 2136 | 2508 | ce1c3c105e6bf656c4ffeb926fc8d385.exe | 28
PID 2136 wrote to memory of 2660 | 2136 | ce1c3c105e6bf656c4ffeb926fc8d385.exe | 29
PID 2660 wrote to memory of 1212 | 2660 | ce1c3c105e6bf656c4ffeb926fc8d385.exe | 21
Processes

C:\Windows\Explorer.EXE (PID 1212)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\ce1c3c105e6bf656c4ffeb926fc8d385.exe (PID 2508)
    command line: "C:\Users\Admin\AppData\Local\Temp\ce1c3c105e6bf656c4ffeb926fc8d385.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ce1c3c105e6bf656c4ffeb926fc8d385.exe (PID 2136)
      command line: "C:\Users\Admin\AppData\Local\Temp\ce1c3c105e6bf656c4ffeb926fc8d385.exe"
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ce1c3c105e6bf656c4ffeb926fc8d385.exe (PID 2660)
        command line: "C:\Users\Admin\AppData\Local\Temp\ce1c3c105e6bf656c4ffeb926fc8d385.exe"
        - Adds policy Run key to start application
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\explorer.exe (PID 2112)
          command line: explorer.exe