Analysis
Max time kernel: 148s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 08-04-2024 22:37
Behavioral task: behavioral1
Sample: 42BE3BED9261FBAE0A0AED767EBD88C0.exe
Resource: win7-20240221-en
General
Target: 42BE3BED9261FBAE0A0AED767EBD88C0.exe
Size: 202KB
MD5: 42be3bed9261fbae0a0aed767ebd88c0
SHA1: 6630748f26ac9e3a8d19cb43eeacd77d506b1808
SHA256: c1d29284b6d4ae244712dd49661841b36a6de2387cad6ab55388b22769151878
SHA512: bf522bb82bdee59a355043b0af17c42bf79b1d4e59120d3fb9ffcb96aad369d221b60af1106b29c51286a94d95ccfc80cc69421590c20a9984c73d61174a7c7b
SSDEEP: 3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGYcsD6RA5E3bKKiCf3e0kYrOV:QLV6Bta6dtJmakIM5gcs8A5ELiUfoZ
Malware Config
Extracted
Family: cybergate
Version: v1.02.1
Botnet / campaign ID: Lammer
C2: appdiscordgg.duckdns.org:81
C2: appdiscordgg.duckdns.org:80
Mutex: Pluguin
Attributes:
enable_keylogger: true
enable_message_box: false
ftp_directory: ./
ftp_interval: 30
injected_process: svchost.exe
install_dir: Microsoft
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO. (Portuguese: "YOU HAVE BEEN HACKED ...YOUR SYSTEM WILL BE FORMATTED.")
message_box_title: LAMMER
password: 123
regkey_hkcu: Microsoft
regkey_hklm: Microsoft

Reading the config: the keylogger is on but FTP exfiltration of its logs is off, and enable_message_box is false, so the Portuguese taunt above is never shown on this run. install_flag is true with install_file svchost.exe under a directory named Microsoft, and the HKCU/HKLM persistence value names are also "Microsoft", so the installed copy masquerades as the Windows service host; the configured injection target is the real svchost.exe. The C2 is a dynamic-DNS host on ports 80 and 81, and "123" is the password the client presents to the CyberGate controller.
Signatures
Executes dropped EXE (1 IoC)
  PID 784 server.exe
Loads dropped DLL (2 IoCs)
  PID 1888 42BE3BED9261FBAE0A0AED767EBD88C0.exe (2 entries)
Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by PID 1888 42BE3BED9261FBAE0A0AED767EBD88C0.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1888 42BE3BED9261FBAE0A0AED767EBD88C0.exe (4 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1888 42BE3BED9261FBAE0A0AED767EBD88C0.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1888 42BE3BED9261FBAE0A0AED767EBD88C0.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1888 42BE3BED9261FBAE0A0AED767EBD88C0.exe wrote to memory of PID 784 server.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe"
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
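The Signatures and Processes sections above are the output of behavioural rules run over the raw event stream the sandbox records. The following is an added example of how such rules are expressed, written for this report and not taken from Triage or from the sample; the event schema (the dict keys), the GetForegroundWindow spam threshold and the event list itself are constructed assumptions that mirror the run above. It shows the two stateful rules that matter most here: "Executes dropped EXE" only fires for an image the run itself wrote to disk, and the WriteProcessMemory rule only fires when the target is a child the writer created, which is the create-then-write shape of process injection. It also checks network events against the extracted C2 list.

```python
"""Behavioural signature matching over a sandbox event stream (added example).

Not Triage's engine. The event dict keys, the spam threshold and SAMPLE_EVENTS
are assumptions constructed to mirror the Signatures section of this report.
"""
from collections import Counter, defaultdict

# C2 entries quoted from the extracted CyberGate config above.
CYBERGATE_C2 = ["appdiscordgg.duckdns.org:81", "appdiscordgg.duckdns.org:80"]

PARENT = "42BE3BED9261FBAE0A0AED767EBD88C0.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FOREGROUND_SPAM_THRESHOLD = 100  # assumed; the sandbox's real threshold is not on the page

# Constructed events approximating the run above (not real sandbox output).
SAMPLE_EVENTS = (
    [{"type": "registry_query", "pid": 1888, "image": PARENT,
      "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
     {"type": "adjust_privilege", "pid": 1888, "image": PARENT, "privilege": "SeDebugPrivilege"},
     {"type": "file_write", "pid": 1888, "image": PARENT, "path": TEMP + r"\server.exe"},
     {"type": "process_create", "pid": 1888, "image": PARENT,
      "child_pid": 784, "child_image": TEMP + r"\server.exe"}]
    + [{"type": "write_process_memory", "pid": 1888, "image": PARENT, "target_pid": 784}] * 4
    + [{"type": "api_call", "pid": 1888, "image": PARENT, "api": "GetForegroundWindow"}] * 200
    + [{"type": "dns_query", "pid": 784, "image": "server.exe", "host": "appdiscordgg.duckdns.org"},
       {"type": "network_connect", "pid": 784, "image": "server.exe",
        "host": "appdiscordgg.duckdns.org", "port": 81}]
)


def parse_c2(entries):
    """Turn 'host:port' config strings into a set of (host, port) tuples."""
    out = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        out.add((host.lower(), int(port)))
    return out


def match_signatures(events, c2_entries=CYBERGATE_C2):
    """Return {signature_name: [ioc string, ...]} for one event stream."""
    hits = defaultdict(list)
    dropped = set()               # paths written to disk during the run
    children = defaultdict(set)   # pid -> pids it created via CreateProcess
    foreground = Counter()        # pid -> GetForegroundWindow call count
    c2 = parse_c2(c2_entries)

    for ev in events:
        t = ev["type"]
        if t == "file_write":
            dropped.add(ev["path"].lower())
        elif t == "process_create":
            children[ev["pid"]].add(ev["child_pid"])
            # Only an image this run wrote itself counts as a "dropped" EXE.
            if ev["child_image"].lower() in dropped:
                hits["Executes dropped EXE"].append(
                    f"pid {ev['child_pid']} {ev['child_image']}")
        elif t == "registry_query" and ev["key"].lower().endswith(r"\policies\system\enablelua"):
            hits["Checks whether UAC is enabled"].append(f"pid {ev['pid']} queried {ev['key']}")
        elif t == "adjust_privilege" and ev["privilege"] == "SeDebugPrivilege":
            hits["Suspicious use of AdjustPrivilegeToken"].append(f"pid {ev['pid']} SeDebugPrivilege")
        elif t == "write_process_memory" and ev["target_pid"] in children[ev["pid"]]:
            # Parent writing into a child it just spawned: injection precursor.
            hits["Suspicious use of WriteProcessMemory"].append(
                f"pid {ev['pid']} wrote to memory of pid {ev['target_pid']}")
        elif t == "api_call" and ev["api"] == "GetForegroundWindow":
            foreground[ev["pid"]] += 1   # keylogger polling the active window title
        elif t in ("dns_query", "network_connect"):
            host, port = ev["host"].lower(), ev.get("port")
            if any(host == h and (port is None or port == p) for h, p in c2):
                hits["Contacts extracted C2"].append(f"pid {ev['pid']} {t} {host}:{port or '-'}")

    for pid, n in foreground.items():
        if n >= FOREGROUND_SPAM_THRESHOLD:
            hits["Suspicious behavior: GetForegroundWindowSpam"].append(f"pid {pid} ({n} calls)")
    return dict(hits)


if __name__ == "__main__":
    for name, iocs in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("  " + ioc)
```

Note that the report's own Network section is empty, so the "Contacts extracted C2" rule is exercised only by the constructed events; on the real run the DNS lookup for the duckdns host would be the first thing to check in the pcap.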
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 282KB
  MD5: 9b0975e52c196e91d4bee83ec4a2d950
  SHA1: e049054e78b39dbc0d0b69ae88e03a86bab502a2
  SHA256: cd3ad6a8b2816ffcb6e38662071a3304562543e735fc730852316838c3ffefce
  SHA512: 91d38e6b53dac21ad2dd1010e86957a76d890efe8e9cc4dee55d03055a73a86764bd17b183d8c604d0ab7eae792d0cd6d5e5d74e7037200f9267da20db643751
Memory dumps (PID 1888):
  memory/1888-0-0x0000000074610000-0x0000000074BBB000-memory.dmp  Filesize: 5.7MB
  memory/1888-1-0x0000000074610000-0x0000000074BBB000-memory.dmp  Filesize: 5.7MB
  memory/1888-2-0x0000000001E40000-0x0000000001E80000-memory.dmp  Filesize: 256KB
  memory/1888-7-0x0000000074610000-0x0000000074BBB000-memory.dmp  Filesize: 5.7MB
  memory/1888-8-0x0000000074610000-0x0000000074BBB000-memory.dmp  Filesize: 5.7MB
  memory/1888-9-0x0000000001E40000-0x0000000001E80000-memory.dmp  Filesize: 256KB