cybergate | 170b0b2f1444fc216b0d5e4905a0441053c41927eb85d91dc03ee5c8c1735279

Modify Registry

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J117WMVM-32D1-5FCT-JK8F-E48807I25UR5}	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J117WMVM-32D1-5FCT-JK8F-E48807I25UR5}\StubPath = "C:\\Windows\\Microsoft\\Pluguin.exe Restart"	44e6a17304e6f70010f378b1ddb272c3.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3932-4-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral2/memory/3932-64-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/540-69-0x0000000024070000-0x00000000240D0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avgnt = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avirnt = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe

Drops file in Windows directory 2 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
File created	C:\Windows\Microsoft\Pluguin.exe	44e6a17304e6f70010f378b1ddb272c3.exe
File opened for modification	C:\Windows\Microsoft\Pluguin.exe	44e6a17304e6f70010f378b1ddb272c3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

pid process

3932 44e6a17304e6f70010f378b1ddb272c3.exe
3932 44e6a17304e6f70010f378b1ddb272c3.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

pid process

3932 44e6a17304e6f70010f378b1ddb272c3.exe

pid	process
3932	44e6a17304e6f70010f378b1ddb272c3.exe
3932	44e6a17304e6f70010f378b1ddb272c3.exe

pid	process
3932	44e6a17304e6f70010f378b1ddb272c3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	pid	process	target process
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3932 wrote to memory of 3332	3932	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe
"C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe
"C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe"
3⤵
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry