cybergate | a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97

Modify Registry

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windowss\\systema.dlll"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\windowss\\systema.dlll"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exevbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5T551R1X-V762-R12W-70O6-J451HI4CXE16}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5T551R1X-V762-R12W-70O6-J451HI4CXE16}\StubPath = "C:\\Windows\\windowss\\systema.dlll"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5T551R1X-V762-R12W-70O6-J451HI4CXE16}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5T551R1X-V762-R12W-70O6-J451HI4CXE16}\StubPath = "C:\\Windows\\windowss\\systema.dlll Restart"	vbc.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3416-134-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3416-136-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3416-137-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3416-139-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/3416-141-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3416-146-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4912-149-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4912-152-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3416-154-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3416-159-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3416-163-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/1708-162-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1708-164-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1708-165-0x0000000004900000-0x000000000494B000-memory.dmp	upx
behavioral2/memory/1708-166-0x0000000004950000-0x000000000499B000-memory.dmp	upx
behavioral2/memory/1708-167-0x00000000049A0000-0x00000000049EB000-memory.dmp	upx
behavioral2/memory/1708-168-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windowss\\systema.dlll"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windowss\\systema.dlll"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe

description	pid	process	target process
PID 2448 set thread context of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe

Drops file in Windows directory 4 IoCs

Processes:

vbc.exevbc.exe

description	ioc	process
File created	C:\Windows\windowss\systema.dlll	vbc.exe
File opened for modification	C:\Windows\windowss\systema.dlll	vbc.exe
File opened for modification	C:\Windows\windowss\systema.dlll	vbc.exe
File opened for modification	C:\Windows\windowss\	vbc.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vbc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vbc.exe

Modifies registry class 2 IoCs

Processes:

vbc.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exevbc.exe

pid	process
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
3416	vbc.exe
3416	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1708 vbc.exe

pid	process
1708	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
Token: SeDebugPrivilege	1708	vbc.exe
Token: SeDebugPrivilege	1708	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

3416 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1312 OpenWith.exe

pid	process
3416	vbc.exe

pid	process
1312	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exevbc.exe

description	pid	process	target process
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 2448 wrote to memory of 3416	2448	a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe	vbc.exe
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE
PID 3416 wrote to memory of 3060	3416	vbc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe
"C:\Users\Admin\AppData\Local\Temp\a4b42568472f4760b7546fddbb45dbf34f0a0c3de9ee55c80e1740b37249ea97.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:4912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

3

Privilege Escalation

Defense Evasion

Modify Registry

3

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery