cybergate | c612c5a50499a052fad2e859f91527e5008fc5044da80e095774ae342ea60ca8

Modify Registry

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6887df54f455b1d9b464a6aef08eb0b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	6887df54f455b1d9b464a6aef08eb0b8.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6887df54f455b1d9b464a6aef08eb0b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	6887df54f455b1d9b464a6aef08eb0b8.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{T0S6PGMX-7TJ8-2Y3Y-7A2S-854OH171SBS7}	6887df54f455b1d9b464a6aef08eb0b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{T0S6PGMX-7TJ8-2Y3Y-7A2S-854OH171SBS7}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	6887df54f455b1d9b464a6aef08eb0b8.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1884 server.exe
Loads dropped DLL 2 IoCs

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

pid process

584 6887df54f455b1d9b464a6aef08eb0b8.exe
584 6887df54f455b1d9b464a6aef08eb0b8.exe

pid	process
1884	server.exe

pid	process
584	6887df54f455b1d9b464a6aef08eb0b8.exe
584	6887df54f455b1d9b464a6aef08eb0b8.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2112-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-10-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-6-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-4-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2112-313-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1556-357-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1556-353-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/584-312-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/2112-20-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral1/memory/1556-360-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/584-1169-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe"	6887df54f455b1d9b464a6aef08eb0b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe"	6887df54f455b1d9b464a6aef08eb0b8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

description pid process target process

PID 1984 set thread context of 2112 1984 6887df54f455b1d9b464a6aef08eb0b8.exe 6887df54f455b1d9b464a6aef08eb0b8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

pid process

2112 6887df54f455b1d9b464a6aef08eb0b8.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

description pid process

Token: SeDebugPrivilege 584 6887df54f455b1d9b464a6aef08eb0b8.exe
Token: SeDebugPrivilege 584 6887df54f455b1d9b464a6aef08eb0b8.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe

pid process

1984 6887df54f455b1d9b464a6aef08eb0b8.exe

description	pid	process	target process
PID 1984 set thread context of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe

pid	process
2112	6887df54f455b1d9b464a6aef08eb0b8.exe

description	pid	process
Token: SeDebugPrivilege	584	6887df54f455b1d9b464a6aef08eb0b8.exe
Token: SeDebugPrivilege	584	6887df54f455b1d9b464a6aef08eb0b8.exe

pid	process
1984	6887df54f455b1d9b464a6aef08eb0b8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6887df54f455b1d9b464a6aef08eb0b8.exe6887df54f455b1d9b464a6aef08eb0b8.exe

description	pid	process	target process
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 1984 wrote to memory of 2112	1984	6887df54f455b1d9b464a6aef08eb0b8.exe	6887df54f455b1d9b464a6aef08eb0b8.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe
PID 2112 wrote to memory of 2060	2112	6887df54f455b1d9b464a6aef08eb0b8.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\6887df54f455b1d9b464a6aef08eb0b8.exe
"C:\Users\Admin\AppData\Local\Temp\6887df54f455b1d9b464a6aef08eb0b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\6887df54f455b1d9b464a6aef08eb0b8.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\6887df54f455b1d9b464a6aef08eb0b8.exe
"C:\Users\Admin\AppData\Local\Temp\6887df54f455b1d9b464a6aef08eb0b8.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2060

C:\directory\CyberGate\install\server.exe
1⤵
PID:1556

C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
1⤵
- Executes dropped EXE
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry