Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-03-2024 19:59
Static task: static1

Behavioral task: behavioral1
- Sample: ceefcf02c92ab1bb3042b882e9a6637e.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: ceefcf02c92ab1bb3042b882e9a6637e.exe
- Resource: win10v2004-20240226-en
General
- Target: ceefcf02c92ab1bb3042b882e9a6637e.exe
- Size: 1.6MB
- MD5: ceefcf02c92ab1bb3042b882e9a6637e
- SHA1: ac138746d5c3b5ca777cb4e7a057c6b84aaac76b
- SHA256: 08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4
- SHA512: fcf0fd0099bec688db085d528de1c8a13a6cd13f023bf833260125d222482c7dbc84f24cd0db4a4a01149f67ecba5896e44df8ac7fcfd6f275759c3fc87ae316
- SSDEEP: 49152:sMsxm4qZKuScUmS7tehSJhSHjLh9ENTalbZR:sQU7uyhSvENmtf
Malware Config

Extracted
- cybergate
- 2.7 Final
- $TESTE$
- ocaradepauhackert.no-ip.biz:2000
- ***MUTEX***

- enable_keylogger: true
- enable_message_box: true
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: regditclean.ocx não registrada
- message_box_title: error
- password: abcd1234
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\install\server.exe (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)
- File opened for modification: C:\Windows\SysWOW64\install\server.exe (process: ceefcf02c92ab1bb3042b882e9a6637e.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 1736 set thread context of 2272 (pid: 1736, process: ceefcf02c92ab1bb3042b882e9a6637e.exe, procid_target: 92)

Program crash (1 IoC)
- pid: 4868, pid_target: 3096, process: WerFault.exe, procid_target: 94

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid: 1736, process: ceefcf02c92ab1bb3042b882e9a6637e.exe
- pid: 1736, process: ceefcf02c92ab1bb3042b882e9a6637e.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe (PID 1736, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe (PID 2272, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 2556, depth 3)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe (PID 3096, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"
      - C:\Windows\SysWOW64\WerFault.exe (PID 4868, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 76
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4984, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3096 -ip 3096