cybergate | 3bbd1d2936731f9ee97490a23c8e46a90e369281d264ebbc1bc4abd2f87dd86a

Modify Registry

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	690bbdc7e3ed1098a103246cdd052b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rundll\\rundll32.exe"	690bbdc7e3ed1098a103246cdd052b70.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	690bbdc7e3ed1098a103246cdd052b70.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\rundll\\rundll32.exe"	690bbdc7e3ed1098a103246cdd052b70.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2534A6Q0-ADLS-7XAJ-172N-7URR06AW832J}	690bbdc7e3ed1098a103246cdd052b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2534A6Q0-ADLS-7XAJ-172N-7URR06AW832J}\StubPath = "C:\\Windows\\system32\\rundll\\rundll32.exe Restart"	690bbdc7e3ed1098a103246cdd052b70.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1364-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1364-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1364-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1364-0-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1364-68-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4112-73-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1364-8-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1364-145-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/2716-143-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1648-172-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/1648-175-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4112-440-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/2716-1119-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rundll = "C:\\Windows\\system32\\rundll\\rundll32.exe"	690bbdc7e3ed1098a103246cdd052b70.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Windows\\system32\\rundll\\rundll32.exe"	690bbdc7e3ed1098a103246cdd052b70.exe

Drops file in System32 directory 2 IoCs

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll\rundll32.exe	690bbdc7e3ed1098a103246cdd052b70.exe
File opened for modification	C:\Windows\SysWOW64\rundll\rundll32.exe	690bbdc7e3ed1098a103246cdd052b70.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe

description pid process target process

PID 1744 set thread context of 1364 1744 690bbdc7e3ed1098a103246cdd052b70.exe 690bbdc7e3ed1098a103246cdd052b70.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4124 1648 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe

pid process

1364 690bbdc7e3ed1098a103246cdd052b70.exe
1364 690bbdc7e3ed1098a103246cdd052b70.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe

pid process

1364 690bbdc7e3ed1098a103246cdd052b70.exe

description	pid	process	target process
PID 1744 set thread context of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe

pid	pid_target	process	target process
4124	1648	WerFault.exe	rundll32.exe

pid	process
1364	690bbdc7e3ed1098a103246cdd052b70.exe
1364	690bbdc7e3ed1098a103246cdd052b70.exe

pid	process
1364	690bbdc7e3ed1098a103246cdd052b70.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

690bbdc7e3ed1098a103246cdd052b70.exe690bbdc7e3ed1098a103246cdd052b70.exe

description	pid	process	target process
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1744 wrote to memory of 1364	1744	690bbdc7e3ed1098a103246cdd052b70.exe	690bbdc7e3ed1098a103246cdd052b70.exe
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE
PID 1364 wrote to memory of 3500	1364	690bbdc7e3ed1098a103246cdd052b70.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\690bbdc7e3ed1098a103246cdd052b70.exe
"C:\Users\Admin\AppData\Local\Temp\690bbdc7e3ed1098a103246cdd052b70.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\690bbdc7e3ed1098a103246cdd052b70.exe
"C:\Users\Admin\AppData\Local\Temp\690bbdc7e3ed1098a103246cdd052b70.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\690bbdc7e3ed1098a103246cdd052b70.exe
"C:\Users\Admin\AppData\Local\Temp\690bbdc7e3ed1098a103246cdd052b70.exe"
3⤵
PID:2716

C:\Windows\SysWOW64\rundll\rundll32.exe
"C:\Windows\system32\rundll\rundll32.exe"
4⤵
PID:1240

C:\Windows\SysWOW64\rundll\rundll32.exe
"C:\Windows\SysWOW64\rundll\rundll32.exe"
5⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 708
6⤵
- Program crash
PID:4124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:4008

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1648 -ip 1648
1⤵
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry