darkgate | 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70

Resubmissions

20-09-2023 12:31

230920-pp6pcsac59 10

26-07-2023 13:48

230726-q34mlacc72 10

Analysis

max time kernel
159s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project_1650464.msi
Size

1.8MB
MD5

247a8cc39384e93d258360a11381000f
SHA1

23893f035f8564dfea5030b9fdd54120d96072bb
SHA256

6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
SHA512

336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
SSDEEP

24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX

Score

10^/10

darkgate discovery stealer

Malware Config

Extracted

Family

darkgate

http://80.66.88.145

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

Autoit3.exeAcroRd32Info.exe

description	pid	process	target process
PID 1176 created 936	1176	Autoit3.exe	msiexec.exe
PID 460 created 3608	460	AcroRd32Info.exe	StartMenuExperienceHost.exe
PID 460 created 2388	460	AcroRd32Info.exe	svchost.exe

Drops startup file 1 IoCs

Processes:

AcroRd32Info.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hdfdaed.lnk AcroRd32Info.exe
Executes dropped EXE 1 IoCs

Processes:

Autoit3.exe

pid process

1176 Autoit3.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

2528 MsiExec.exe
2528 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

5000 ICACLS.EXE
1704 ICACLS.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hdfdaed.lnk	AcroRd32Info.exe

pid	process
1176	Autoit3.exe

pid	process
2528	MsiExec.exe
2528	MsiExec.exe

pid	process
5000	ICACLS.EXE
1704	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File created	C:\Windows\Installer\e597f38.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e597f38.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIAC06.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI819A.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIAC65.tmp	msiexec.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2544 5016 WerFault.exe VSTOInstaller.exe
548 5016 WerFault.exe VSTOInstaller.exe

pid	pid_target	process	target process
2544	5016	WerFault.exe	VSTOInstaller.exe
548	5016	WerFault.exe	VSTOInstaller.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d6f92995d065bd40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d6f92990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d6f9299000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d6f9299000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d6f929900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32Info.exemsinfo32.exeAutoit3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AcroRd32Info.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32Info.exe

Modifies registry class 1 IoCs

Processes:

StartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msiexec.exeAutoit3.exeAcroRd32Info.exemsinfo32.exe

pid	process
1528	msiexec.exe
1528	msiexec.exe
1176	Autoit3.exe
1176	Autoit3.exe
1176	Autoit3.exe
1176	Autoit3.exe
460	AcroRd32Info.exe
460	AcroRd32Info.exe
460	AcroRd32Info.exe
460	AcroRd32Info.exe
460	AcroRd32Info.exe
460	AcroRd32Info.exe
5748	msinfo32.exe
5748	msinfo32.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	936	msiexec.exe
Token: SeSecurityPrivilege	1528	msiexec.exe
Token: SeCreateTokenPrivilege	936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	936	msiexec.exe
Token: SeLockMemoryPrivilege	936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	936	msiexec.exe
Token: SeMachineAccountPrivilege	936	msiexec.exe
Token: SeTcbPrivilege	936	msiexec.exe
Token: SeSecurityPrivilege	936	msiexec.exe
Token: SeTakeOwnershipPrivilege	936	msiexec.exe
Token: SeLoadDriverPrivilege	936	msiexec.exe
Token: SeSystemProfilePrivilege	936	msiexec.exe
Token: SeSystemtimePrivilege	936	msiexec.exe
Token: SeProfSingleProcessPrivilege	936	msiexec.exe
Token: SeIncBasePriorityPrivilege	936	msiexec.exe
Token: SeCreatePagefilePrivilege	936	msiexec.exe
Token: SeCreatePermanentPrivilege	936	msiexec.exe
Token: SeBackupPrivilege	936	msiexec.exe
Token: SeRestorePrivilege	936	msiexec.exe
Token: SeShutdownPrivilege	936	msiexec.exe
Token: SeDebugPrivilege	936	msiexec.exe
Token: SeAuditPrivilege	936	msiexec.exe
Token: SeSystemEnvironmentPrivilege	936	msiexec.exe
Token: SeChangeNotifyPrivilege	936	msiexec.exe
Token: SeRemoteShutdownPrivilege	936	msiexec.exe
Token: SeUndockPrivilege	936	msiexec.exe
Token: SeSyncAgentPrivilege	936	msiexec.exe
Token: SeEnableDelegationPrivilege	936	msiexec.exe
Token: SeManageVolumePrivilege	936	msiexec.exe
Token: SeImpersonatePrivilege	936	msiexec.exe
Token: SeCreateGlobalPrivilege	936	msiexec.exe
Token: SeBackupPrivilege	4728	vssvc.exe
Token: SeRestorePrivilege	4728	vssvc.exe
Token: SeAuditPrivilege	4728	vssvc.exe
Token: SeBackupPrivilege	1528	msiexec.exe
Token: SeRestorePrivilege	1528	msiexec.exe
Token: SeRestorePrivilege	1528	msiexec.exe
Token: SeTakeOwnershipPrivilege	1528	msiexec.exe
Token: SeRestorePrivilege	1528	msiexec.exe
Token: SeTakeOwnershipPrivilege	1528	msiexec.exe
Token: SeRestorePrivilege	1528	msiexec.exe
Token: SeTakeOwnershipPrivilege	1528	msiexec.exe
Token: SeBackupPrivilege	4160	srtasks.exe
Token: SeRestorePrivilege	4160	srtasks.exe
Token: SeSecurityPrivilege	4160	srtasks.exe
Token: SeTakeOwnershipPrivilege	4160	srtasks.exe
Token: SeRestorePrivilege	1528	msiexec.exe
Token: SeTakeOwnershipPrivilege	1528	msiexec.exe
Token: SeBackupPrivilege	4160	srtasks.exe
Token: SeRestorePrivilege	4160	srtasks.exe
Token: SeSecurityPrivilege	4160	srtasks.exe
Token: SeTakeOwnershipPrivilege	4160	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

936 msiexec.exe
936 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

5272 StartMenuExperienceHost.exe

pid	process
936	msiexec.exe
936	msiexec.exe

pid	process
5272	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeAutoit3.exe

description	pid	process	target process
PID 1528 wrote to memory of 4160	1528	msiexec.exe	srtasks.exe
PID 1528 wrote to memory of 4160	1528	msiexec.exe	srtasks.exe
PID 1528 wrote to memory of 2528	1528	msiexec.exe	MsiExec.exe
PID 1528 wrote to memory of 2528	1528	msiexec.exe	MsiExec.exe
PID 1528 wrote to memory of 2528	1528	msiexec.exe	MsiExec.exe
PID 2528 wrote to memory of 5000	2528	MsiExec.exe	ICACLS.EXE
PID 2528 wrote to memory of 5000	2528	MsiExec.exe	ICACLS.EXE
PID 2528 wrote to memory of 5000	2528	MsiExec.exe	ICACLS.EXE
PID 2528 wrote to memory of 3232	2528	MsiExec.exe	EXPAND.EXE
PID 2528 wrote to memory of 3232	2528	MsiExec.exe	EXPAND.EXE
PID 2528 wrote to memory of 3232	2528	MsiExec.exe	EXPAND.EXE
PID 2528 wrote to memory of 1176	2528	MsiExec.exe	Autoit3.exe
PID 2528 wrote to memory of 1176	2528	MsiExec.exe	Autoit3.exe
PID 2528 wrote to memory of 1176	2528	MsiExec.exe	Autoit3.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe
PID 1176 wrote to memory of 460	1176	Autoit3.exe	AcroRd32Info.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3608

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
2⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 484
3⤵
- Program crash
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 504
3⤵
- Program crash
PID:548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5748

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Project_1650464.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:936

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EDC7550A3E1FBC04D3EDA32DC368D7C9
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:5000

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:3232

C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files\Autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files\Autoit3.exe" UGtZgHHT.au3
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:1704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5016 -ip 5016
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5016 -ip 5016
1⤵
PID:4100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hgbfcek\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\hgbfcek\decgebd\fafkecf

Filesize
129B

MD5
eadd9f3b0e30bdbbc9b5d037a6860574

SHA1
6cb87b57ca2ccd354f0af1fd195073e4b79a7cfd

SHA256
5cb85c9ae751aa436ae6f09dcb2bd2981af741e708812169dc3ad82394d33b09

SHA512
d872772c59d3d96b7637ffcd370144dd984d4957c337c5d142b59899ed9a09fab625ba83d606c5d9bda68e0c74c74a1267382d59257b18332eb042ebdf54e899

Download Submit
C:\ProgramData\hgbfcek\decgebd\fafkecf

Filesize
129B

MD5
eadd9f3b0e30bdbbc9b5d037a6860574

SHA1
6cb87b57ca2ccd354f0af1fd195073e4b79a7cfd

SHA256
5cb85c9ae751aa436ae6f09dcb2bd2981af741e708812169dc3ad82394d33b09

SHA512
d872772c59d3d96b7637ffcd370144dd984d4957c337c5d142b59899ed9a09fab625ba83d606c5d9bda68e0c74c74a1267382d59257b18332eb042ebdf54e899

Download Submit
C:\ProgramData\hgbfcek\dhfkkdf.au3

Filesize
764KB

MD5
6c3101a2e121e2735478ce95d667884a

SHA1
53b0cba2b3646b0564dca59a7a544aac0b94b599

SHA256
0e20531dc60c23dc5a8accdb47f00f56fa706b0507cd46534b902b6d5597c4aa

SHA512
00d4fe88e989b563fccf194357fa5e9ab1a4d9ca23e0898b4cd6d8010d189ce356f9ad8472d8ec97df3e2301d74febed727c1b0341e52a92862a9cc23d2e0cc5

Download Submit
C:\ProgramData\hgbfcek\dhfkkdf.au3

Filesize
764KB

MD5
6c3101a2e121e2735478ce95d667884a

SHA1
53b0cba2b3646b0564dca59a7a544aac0b94b599

SHA256
0e20531dc60c23dc5a8accdb47f00f56fa706b0507cd46534b902b6d5597c4aa

SHA512
00d4fe88e989b563fccf194357fa5e9ab1a4d9ca23e0898b4cd6d8010d189ce356f9ad8472d8ec97df3e2301d74febed727c1b0341e52a92862a9cc23d2e0cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files.cab

Filesize
1.6MB

MD5
e7c3b16ed93b760546ae6756b12644da

SHA1
99b3b1af70b45b4b815a814f61f9b6e509cd3bb6

SHA256
659733a584c52078ac6b568dfb34a089bef2b3835a5ea737d32c1623a468b743

SHA512
b6eeaaeeb1f7c8335076075bc8033d5d4744544f3937eeaddcbef5f7ba257a64c20a47f8388c1e8f10c5821da8abe0683be8fd60c3e1a9aea25e4a705e2f8b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\files\UGtZgHHT.au3

Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\msiwrapper.ini

Filesize
1KB

MD5
d7208ed75080378fb21b537cf811f691

SHA1
476ac437a83410697a023d7ad3e2ef9d7f3c99db

SHA256
5804f9c9caafb8678bb649c9b55532a3c4da500732012f65dd4fa859766cfa22

SHA512
83879b10d0e51dc8b54476c177944b31713cbf586e733d7f4bd4e45cff22414b4e2764dfca39745e610bb284248dee81c7797949293081ce3e313f4163484365

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\msiwrapper.ini

Filesize
1KB

MD5
da1af45f139100022a2f4853a05d41d5

SHA1
d33d2a120ba68d8722c23ab5378e24a4e5ca4172

SHA256
cda00d5bd9bfdc1391f2c09fe049f8d22ebaabf88c0aa0a725f89511d363920b

SHA512
06f8f4f5cdbeac7a4ce92baf3ab9dfd9b2d683be9e6691792f2e9e12fc05fe2ac3b5b0045811df5220db98d71e518c2780b135dcd2317270c764f5233c7ecc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\msiwrapper.ini

Filesize
1KB

MD5
da1af45f139100022a2f4853a05d41d5

SHA1
d33d2a120ba68d8722c23ab5378e24a4e5ca4172

SHA256
cda00d5bd9bfdc1391f2c09fe049f8d22ebaabf88c0aa0a725f89511d363920b

SHA512
06f8f4f5cdbeac7a4ce92baf3ab9dfd9b2d683be9e6691792f2e9e12fc05fe2ac3b5b0045811df5220db98d71e518c2780b135dcd2317270c764f5233c7ecc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-58dfda57-90e4-4d77-8185-27ff134d3328\msiwrapper.ini

Filesize
1KB

MD5
8104ee8b8e2fe8c206b20b02e101a728

SHA1
2e30186e0b38c9040d00e67169d8867c77a2d5d5

SHA256
a14d58e46ae9298efcfa4788eeb607573aba894f8224938557eb7f310d806065

SHA512
6ec611ca5b3dbc5a6881654b581a5ac12c32e8cf41d8e416c70a8fc367495beb8e7b566164190b83de9564b774d1ff8d8c28b72b7121a5a8abb9df9773cf287d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hdfdaed.lnk

Filesize
647B

MD5
431c86574e3d82b9e26573e21afcbd51

SHA1
b74477a31bb7d4a52049d2c47d23a420a092acde

SHA256
f37837904209f12f45a646151526ce3471b652c73ffdd3f8b3c35215c354fa19

SHA512
62d3bf289a01e03be954934f3010711ef835a14d970926f53ee26751616257d451e3f39a50d1d943bb2f269f06b953b930ba1ad1736f5e98a1c63e373709bf1b

Download Submit
C:\Windows\Installer\MSI819A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI819A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIAC65.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIAC65.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
d6697a016c56c8c762cc5930c20efb37

SHA1
3af56e7229d9554adcadfd3e0609ecdbc27d67ae

SHA256
f7ec730b426537ad153ae72e4c810f9273d19c308eeae822fbccd75d6f0e6659

SHA512
b4caf542cbcf9b12ecb2aefa28662c16d6013dcb39d2e67828bde4ebea22785f2e6101216b497a1e0da9a35fbeacc7238d0a22b61b492007294764f55adb24eb

Download Submit
\??\Volume{99926f1d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dba90611-9a4b-4d0f-b13a-0e578c8efbb4}_OnDiskSnapshotProp

Filesize
5KB

MD5
346356f0a19ca654c271e81f1753db81

SHA1
a927a9db7c6692262d589d000f0521ae8c4d1610

SHA256
7e4d4d3022cb1d8f0c06a204c549edec3581d0e2ec218a80a2d50513141875dd

SHA512
037a97d3ca0f111866e75a9c407c1fe9efd5cfd9cda21d8bef9daa0cb013ecd3ccbb5d73bb9b7f951b5e9dc66033b5bd65765ff7c1ae167284ee0d5e70ae46c4

Download Submit
\??\c:\temp\dhfkkdf.au3

Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
memory/460-673-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/460-722-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/460-86-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/460-85-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1176-674-0x00000000044C0000-0x0000000004699000-memory.dmp

Filesize
1.8MB

Download
memory/1176-100-0x00000000044C0000-0x0000000004699000-memory.dmp

Filesize
1.8MB

Download
memory/1176-96-0x00000000010A0000-0x00000000014A0000-memory.dmp

Filesize
4.0MB

Download
memory/1176-83-0x00000000044C0000-0x0000000004699000-memory.dmp

Filesize
1.8MB

Download
memory/1176-79-0x00000000044C0000-0x0000000004699000-memory.dmp

Filesize
1.8MB

Download
memory/1176-78-0x0000000003CA0000-0x0000000003D95000-memory.dmp

Filesize
980KB

Download
memory/1176-77-0x00000000010A0000-0x00000000014A0000-memory.dmp

Filesize
4.0MB

Download
memory/5016-712-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/5016-713-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/5016-1309-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/5016-1334-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/5748-1953-0x0000000010510000-0x000000001058E000-memory.dmp

Filesize
504KB

Download
memory/5748-1974-0x0000000010510000-0x000000001058E000-memory.dmp

Filesize
504KB

Download