Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-12-2024 01:40
General
-
Target
OP7_Atheuz/OP7_Injector.exe
-
Size
510KB
-
MD5
5694f7da1daedb0591c5f76a098e57ef
-
SHA1
10d34b602dc7efae4603725e15f80a3ae335c535
-
SHA256
ebd82554ff28e53d135a3be94c51879106eff01f511f6755cd7bf54ba3432096
-
SHA512
501df940a9be6d92b7dacb9bbacc5b782535d42e830b1f241447d0d5c716208ecd0096942c330b9770f685b7526f9e0a08dfd72a07d43572a49d5069d46cbd62
-
SSDEEP
12288:YMDRxxcZ8V9gYLpvr25Bm9Z/pUz6N0k8Cy2LVaP7D0:BZcZ8V97r2OXFoA
Malware Config
Extracted
cybergate
2.6
OPERATION7
polluelos.no-ip.org:81
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
true
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
system32
-
install_file
syystem32.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Not compatible with SO
-
message_box_title
Atheuz V1
-
password
admin
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Cybergate family
-
Adds policy Run key to start application 2 TTPs 12 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 845⤵
- Program crash
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"C:\Users\Admin\AppData\Local\Temp\OP7_Atheuz\OP7_Injector.exe"4⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\system32\syystem32.exe"C:\Windows\system32\system32\syystem32.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\system32\syystem32.exe"C:\Windows\SysWOW64\system32\syystem32.exe"6⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
-
-
C:\Windows\SysWOW64\system32\syystem32.exe"C:\Windows\SysWOW64\system32\syystem32.exe"7⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\system32\syystem32.exe"C:\Users\Admin\AppData\Roaming\system32\syystem32.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\system32\syystem32.exe"C:\Users\Admin\AppData\Roaming\system32\syystem32.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2068 -ip 20681⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD5025a23c7ba8ef978c313e501545f2cc0
SHA1dfdec075bd489434a59bf32c5bf5624a7502af31
SHA256bbacf6d8e5b6588e3163171327aac1e7425c80b432f96a9a872f7bf6fb3fc149
SHA5125b9d1e1a4ec815769741999be335845b0604df5ab389c2211a925df20071e69bab13ec7c266e3f1718823f1128686f8837b16c4af43feee141047c369a3299e7
-
Filesize
229KB
MD5d22ae3d7b3efbc99b42d3fbb22429ce7
SHA1302f0ac22c9335af0cea9d404c62191a0c648e2e
SHA256a957e978fc2b1d5706897cc6f7846fb27e601da192d60e805b86c2bd23671573
SHA512063f6060a71f8f4ac8a1b43f02a258be60992a822e13e05e1b0321964bfc5c112d6b350e7ef56a0d1f0bb05113d4692b5304c5d47a248f06b200cb49944affcb
-
Filesize
8B
MD52d81cdb95e2b07c308cce3ab849bcd91
SHA1ab4005363f2d898e579f52e6c902f83fa1e13ae4
SHA25637b7d8bfdaabe8019d8023f77234a0b7b4ce686ca704922159b79ee251f71fba
SHA51292384d02d4555c5481cef73fb8e8b4b8aaa08fff8641a6254ce94a440b50dde9976da99df826dcbeb9ad4acfe9b19e2daace1250dd2e85e5e8511942cfae2d4f
-
Filesize
8B
MD548f62af4fba5fae3b6e02abd046a40a6
SHA16c028a28964eed6ef27fac587073d4a22672c21c
SHA256f9a683b2c21be974569673958c6e3c4ec1c93ded516fba872ccd2979db20c282
SHA5125238ea78f33aaac2b5a04e230c4a46de5beb9842d7992263760bace27178177f85cd6dffc8bccb1004268641cc212abbd51e5c9a6de479bf8d881f8b63c9b307
-
Filesize
8B
MD5dac1a5cc7fae3ce762995672f6c84760
SHA14b4cc30a10e7a4105bc10fd3ddfdbf04dd3e67e0
SHA256e7234230c5a6f8d03f71f2141f7b4b87dca0b97697987412ee0bcc9ffdae5e68
SHA5120845bacf95c4c0ce35e54658e57cd9c5bee2eef1ac09a109e9b9483ea50d2c22f6ed5df945cc4d0da9d5bc82b0bbf9d735d5a6587d00f144a482a4babdff0157
-
Filesize
8B
MD523bfde1933dfe30f99739bfbcf56be95
SHA1df6c366d04a8065514edb15bc2ded3c47d48227c
SHA256a46701c855dc5d021622668e628e5ac82655dd218d59fb5def7cb65bca068f06
SHA51209f79848a3db8444d1f1ca1df7a4923e45510734a184824d676cb1efb977a5f7f82a80e3ba0048337b71e0225eeb9cd813ab6d3da0704e665ed6bd6f3e37fa21
-
Filesize
8B
MD580c21f105f3a10bf670617ee2127cbf1
SHA15922301622ccfa281d3c3a0e6389d7c2fb51637c
SHA2562cf523b3b654024a60b94e0bc9e22b933c0f3b88c71559a8c04c3189989eccd1
SHA512e09d7f2b09e001a52f386ba5e935ab1a0297ed82599eac743058c7d456cac20cb7d69494bad21e0ee6462b97080a5de35aa87926d5530e9dfb74a6ad4314c38a
-
Filesize
8B
MD5505d12b71a5eed5f40483c624b945213
SHA1896767223875d60708fbdb9c7ad1d181a7c29c6d
SHA25654aed37dd5c400bad24cf8beaa768d61afba2e69cfb0340a8fad612a9a5a7345
SHA5120f80c82ffaff2488178b25dd2eb2178affe7286a02d5535f87308babf68163bf6e577ebd0c3cb62c0b67909944d5b929c650e6ed7169f6e49cc4185dc717ca30
-
Filesize
8B
MD510f2f58e27c5c1e15f75da6d2cd61dc5
SHA1f8b4da4a141708484e2585c5c1e319d491401485
SHA256ce85d530ac645c23c0ff9434108a0929d6218c554e6bda6a2e6489125d6f216f
SHA512a4ff1de8053cec34a45b59c78150ce33b5e27d30fa1aed702b84bc6010b0721dbfe75f73f21e280c9bf95eea89e5c1d105ae27ac4b6f470c9d5865b07e2d026f
-
Filesize
8B
MD5fb6f58389a89158b2620874e31e57f64
SHA12fdfa0aa8349975047362cd8c519b964043d78f4
SHA25656eba0c70c6bf2ae6336afa9f26dc21234ab29e20ac47d32829fce609d244111
SHA512162d38024f5b2687c0c423fc6610f6609177d98735787c69ce6354e2cdd7c8eaee9e8370c5f2e3feeac3a52172bfcb64ab1d4cab71cfc248137fcebc0f1ce72b
-
Filesize
8B
MD548dd556447e893adf4401812b3885cf0
SHA1547855297e621ace40097748193806225b20882e
SHA25662ec2784db4840ad69905188b1001975f4654295c755b38cc6660023babafdad
SHA512d2f2006593950afdf46bc9f7f00fc81c84918823f7884a1658f1f2b6b8ecf0b4b0a8ec306c3951deea4be30c02b22ed31e0d7c85dae66f27091fda90e0e22c05
-
Filesize
8B
MD52df668891c2de3128e3f3ce248a3573d
SHA1bfd5582dceab77e25a60828895d5ee64e46f1d50
SHA2562213f558aece9d9e920303b7cce67c3c090dcec26a2af9ebab7d8bebe15d6c9f
SHA512d6e06d277926cb0379cc4153ea610c0a04d30c788277f7787c91ac610b7650f54d1f5fd2d9e4aeadec213938745f3ff7facf743bac12dd66fbdcb1acf62d738c
-
Filesize
8B
MD543b41070a2809ff4b3755677eb808ec4
SHA1343bee7cdcf2fb7199c53ca4581642285203813d
SHA256b56400b7835b4e22147851fbf24c529344b8c885d5cb2e147846473be58269b5
SHA5124831dcfa78c6dd9105ebc87abbfeeef50873a7e184006715a41f859e3fb7a720afb98aec0ab3090d751d486a3e5b5fb298dac30c3dfa2c30ba95100835d6c0e1
-
Filesize
8B
MD5eeefc6701ea66b8bf535a6b5ea8990b3
SHA1a716242fe6b5e0d5ade77e45e1db598abe5355e7
SHA2561f7d9031968ff10949e9b82cae276a13dc44202c1872ace0890c31b122f1627d
SHA512196502a7b5ae79d7b73415e5a4814c386fe3cf8b19c5ff31d7432d560cb08c22a478d949531dbc316d55ef59546f0dbc1e7fecea27d16c7c74b09d3643d313a6
-
Filesize
8B
MD590abe137836475ba963b7a323dcba381
SHA1940337203dd6bc458c49c2b7e3ecb70fd426f6f4
SHA25698ec0e29f4f97b963414942c0d21c169d133dcdae11a58ac3290767c48dbeb24
SHA51277d06797d496b981b9411c2c5ef5d14aec3b85bc18615608c595cdfa6d3f63618e8367bf7c7e9a202629327054ff3007902f626aee8c2a8171211d55a0cf25d7
-
Filesize
8B
MD5b25511940a80eea4ed32e60b7dc9009e
SHA15edab5b1a603f544a5c2c61cf21615eaa09f5e1f
SHA256ada63d2a1beec14d368b08a86a22594d7034686bb426518706c0f2ae09b62da9
SHA512a2b141c2970851b78b60c3292c00332f818ec9c88d6409c7d86db316feaf883aceb82f52aafebc061d2b71e82e11da78ae6940c1920b3f0be6fcab91470f8aae
-
Filesize
8B
MD528481b6330304117e5ac8f862d073343
SHA1a1d5988118113fd40f772f3ec51b225e25906185
SHA25647f8ce4b38495455a313804092c82cb418629422021d400ac881d2b374476300
SHA512c031ea2d4f9ce03caa116e6a90de865ad407855d8717c4a88bc280ef79bb9156d2f7e595567f96bc032903e189cb05de088df8af9b4c3109d6a02ba1e308e14f
-
Filesize
8B
MD5c54c7cbff84a79bf1d430f3eea3cdd1e
SHA1ac27583bcc5daf3891b2a01c46dfda4b9642357c
SHA256d6535381395ff7f91323a597032cf6257b825bc8cade4b193eefca811bb40de2
SHA512a852fc9df733e2b111cfa23b264b6321b6fef4f3e8935d66a434f52f837b6d00c2bfa805d8940914d789525824a55bc8630df7fe2b9b93293b2fe661322afab9
-
Filesize
8B
MD57d6975f87d2dc521f293ba072bffb07b
SHA116506a861da3d0ce9778c6ccd6a9dfc810504166
SHA256f5207595fa65c672a69353955cb4c2bf98dcbf35c8b4bcc1e8d579badf5f9f08
SHA512f9161b919493285a2d57ffa94130b887b694bd3178a1bf03d7bb964e265c9e7c45e5b959f4ce28352482022f3083494f821e556f094aeaa4d3de91711ebc4f69
-
Filesize
8B
MD57680b10a370997d22aa0e2d94384aeaa
SHA1eff23f2c3c3c6683006adfe65380fc1edc507a68
SHA256a288e4b5f4ead234ef3dd705818a3c2d8cfbcf8e1402ef86a13f2f8bdfa5c395
SHA512bec4d9415b1fbebc2ad43aa2306dbb7d6b0dd425f4be3887a1b1fd9d945e9b0c454d03d679c37b3e8553bb73cc3b4f95d95bb7bff0408de1336b9bd1aef7199e
-
Filesize
15B
MD5e21bd9604efe8ee9b59dc7605b927a2a
SHA13240ecc5ee459214344a1baac5c2a74046491104
SHA25651a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
SHA51242052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493
-
Filesize
510KB
MD55694f7da1daedb0591c5f76a098e57ef
SHA110d34b602dc7efae4603725e15f80a3ae335c535
SHA256ebd82554ff28e53d135a3be94c51879106eff01f511f6755cd7bf54ba3432096
SHA512501df940a9be6d92b7dacb9bbacc5b782535d42e830b1f241447d0d5c716208ecd0096942c330b9770f685b7526f9e0a08dfd72a07d43572a49d5069d46cbd62
-
Filesize
220KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
392KB
-
Filesize
320KB
-
Filesize
392KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB