cybergate | 79f82ee9da61b74176144e3f9652bc495b5e59d8d51e3673de6ae2b090642d11

Modify Registry

Processes:

e1244933acb430852b20d1432e928d75.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe"	e1244933acb430852b20d1432e928d75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e1244933acb430852b20d1432e928d75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe"	e1244933acb430852b20d1432e928d75.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e1244933acb430852b20d1432e928d75.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

e1244933acb430852b20d1432e928d75.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{51U04V2F-85C2-6TRY-065W-N1KY43Y7T0Y3}	e1244933acb430852b20d1432e928d75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51U04V2F-85C2-6TRY-065W-N1KY43Y7T0Y3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe Restart"	e1244933acb430852b20d1432e928d75.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1912-5-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1912-7-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1912-6-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1912-4-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1912-2-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1304-543-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1912-627-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3004-840-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1912-842-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2016-1144-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1304-2643-0x00000000318D0000-0x00000000318DD000-memory.dmp	upx
behavioral1/memory/2016-2734-0x00000000318F0000-0x00000000318FD000-memory.dmp	upx
behavioral1/memory/1304-2733-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/2016-2743-0x00000000318F0000-0x00000000318FD000-memory.dmp	upx
behavioral1/memory/2016-2742-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3004-2879-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral1/memory/1304-3445-0x00000000318D0000-0x00000000318DD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

e1244933acb430852b20d1432e928d75.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe"	e1244933acb430852b20d1432e928d75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\server.exe"	e1244933acb430852b20d1432e928d75.exe

Drops file in System32 directory 1 IoCs

Processes:

e1244933acb430852b20d1432e928d75.exe

description ioc process

File created C:\Windows\SysWOW64\svchost.exe\server.exe e1244933acb430852b20d1432e928d75.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e1244933acb430852b20d1432e928d75.exe

description pid process target process

PID 2024 set thread context of 1912 2024 e1244933acb430852b20d1432e928d75.exe e1244933acb430852b20d1432e928d75.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e1244933acb430852b20d1432e928d75.exe

pid process

1912 e1244933acb430852b20d1432e928d75.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e1244933acb430852b20d1432e928d75.exe

pid process

1912 e1244933acb430852b20d1432e928d75.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e1244933acb430852b20d1432e928d75.exe

pid process

2024 e1244933acb430852b20d1432e928d75.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchost.exe\server.exe	e1244933acb430852b20d1432e928d75.exe

description	pid	process	target process
PID 2024 set thread context of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe

pid	process
1912	e1244933acb430852b20d1432e928d75.exe

pid	process
1912	e1244933acb430852b20d1432e928d75.exe

pid	process
2024	e1244933acb430852b20d1432e928d75.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e1244933acb430852b20d1432e928d75.exee1244933acb430852b20d1432e928d75.exe

description	pid	process	target process
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 2024 wrote to memory of 1912	2024	e1244933acb430852b20d1432e928d75.exe	e1244933acb430852b20d1432e928d75.exe
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE
PID 1912 wrote to memory of 1144	1912	e1244933acb430852b20d1432e928d75.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\e1244933acb430852b20d1432e928d75.exe
"C:\Users\Admin\AppData\Local\Temp\e1244933acb430852b20d1432e928d75.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\e1244933acb430852b20d1432e928d75.exe
"C:\Users\Admin\AppData\Local\Temp\e1244933acb430852b20d1432e928d75.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\e1244933acb430852b20d1432e928d75.exe
"C:\Users\Admin\AppData\Local\Temp\e1244933acb430852b20d1432e928d75.exe"
4⤵
PID:3004

C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe"
5⤵
PID:2432

C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe\server.exe"
6⤵
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry