Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
08-04-2024 22:37
General
-
Target
42BE3BED9261FBAE0A0AED767EBD88C0.exe
-
Size
202KB
-
MD5
42be3bed9261fbae0a0aed767ebd88c0
-
SHA1
6630748f26ac9e3a8d19cb43eeacd77d506b1808
-
SHA256
c1d29284b6d4ae244712dd49661841b36a6de2387cad6ab55388b22769151878
-
SHA512
bf522bb82bdee59a355043b0af17c42bf79b1d4e59120d3fb9ffcb96aad369d221b60af1106b29c51286a94d95ccfc80cc69421590c20a9984c73d61174a7c7b
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGYcsD6RA5E3bKKiCf3e0kYrOV:QLV6Bta6dtJmakIM5gcs8A5ELiUfoZ
Malware Config
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe"C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe"2⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"4⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Microsoft\svchost.exe"C:\Windows\system32\Microsoft\svchost.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 5686⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5060 -ip 50601⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txtFilesize
221KB
MD53cb7bf855b54ba464c29178a1ce052cc
SHA118708b44365d1148cf4d928e1cc99343f5e0f4e6
SHA256310efa33ac845566bf68422f58407b7270353eb62cb04e7cd5c48571810c9faf
SHA512db09e5270ec6cb70773fa25a8c5ebb4c331ab4b0b1c44e8cefec29e862bf84d534ae030fd3dd954c11847efea8059a305cbef9933aa2aa1df4bbadd386589219
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
282KB
MD59b0975e52c196e91d4bee83ec4a2d950
SHA1e049054e78b39dbc0d0b69ae88e03a86bab502a2
SHA256cd3ad6a8b2816ffcb6e38662071a3304562543e735fc730852316838c3ffefce
SHA51291d38e6b53dac21ad2dd1010e86957a76d890efe8e9cc4dee55d03055a73a86764bd17b183d8c604d0ab7eae792d0cd6d5e5d74e7037200f9267da20db643751
-
C:\Users\Admin\AppData\Roaming\logs.datFilesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
memory/1344-85-0x0000000024070000-0x00000000240D0000-memory.dmpFilesize
384KB
-
memory/1344-26-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/1344-86-0x0000000024070000-0x00000000240D0000-memory.dmpFilesize
384KB
-
memory/1344-84-0x0000000003660000-0x0000000003661000-memory.dmpFilesize
4KB
-
memory/1344-25-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/3116-152-0x00000000240D0000-0x0000000024130000-memory.dmpFilesize
384KB
-
memory/4316-21-0x0000000024010000-0x0000000024070000-memory.dmpFilesize
384KB
-
memory/4316-81-0x0000000024070000-0x00000000240D0000-memory.dmpFilesize
384KB
-
memory/4548-8-0x0000000001810000-0x0000000001820000-memory.dmpFilesize
64KB
-
memory/4548-0-0x0000000074630000-0x0000000074BE1000-memory.dmpFilesize
5.7MB
-
memory/4548-7-0x0000000074630000-0x0000000074BE1000-memory.dmpFilesize
5.7MB
-
memory/4548-2-0x0000000074630000-0x0000000074BE1000-memory.dmpFilesize
5.7MB
-
memory/4548-9-0x0000000001810000-0x0000000001820000-memory.dmpFilesize
64KB
-
memory/4548-1-0x0000000001810000-0x0000000001820000-memory.dmpFilesize
64KB