darkgate | ceb8b96227f3fffeba164d7ace94391ec670e9187695b03ad7641c45349177cc

Analysis

max time kernel
195s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2023 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
Size

9.2MB
MD5

69f900118f985990f488121cd1cf5e2b
SHA1

33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512

09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP

196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
VPsTDMdPtonzYs
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

description	pid	Process	procid_target
PID 708 created 2240	708	Autoit3.exe	36
PID 708 created 3892	708	Autoit3.exe	50
PID 708 created 2404	708	Autoit3.exe	67
PID 708 created 4048	708	Autoit3.exe	48
PID 708 created 2404	708	Autoit3.exe	67
PID 3744 created 3728	3744	cmd.exe	51
PID 3744 created 4048	3744	cmd.exe	48
PID 3744 created 4656	3744	cmd.exe	108
PID 3744 created 2404	3744	cmd.exe	67
PID 3744 created 3728	3744	cmd.exe	51

Blocklisted process makes network request 7 IoCs

flow	pid	Process
56	3744	cmd.exe
57	3744	cmd.exe
58	3744	cmd.exe
59	3744	cmd.exe
60	3744	cmd.exe
61	3744	cmd.exe
62	3744	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffaedda.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3548	windbg.exe
708	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
2184	MsiExec.exe
3548	windbg.exe
2184	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1560	ICACLS.EXE
1748	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 708 set thread context of 3744	708	Autoit3.exe	112

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{2B99EF3E-10B9-44A2-AA7C-FA01E82FF4F3}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI4008.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI50E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50F2.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a3aa9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a3aa9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e909c866916b25070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e909c8660000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e909c866000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de909c866000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e909c86600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
864	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
624	msiexec.exe
624	msiexec.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
708	Autoit3.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe
3744	cmd.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3904	msiexec.exe
Token: SeSecurityPrivilege	624	msiexec.exe
Token: SeCreateTokenPrivilege	3904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3904	msiexec.exe
Token: SeLockMemoryPrivilege	3904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3904	msiexec.exe
Token: SeMachineAccountPrivilege	3904	msiexec.exe
Token: SeTcbPrivilege	3904	msiexec.exe
Token: SeSecurityPrivilege	3904	msiexec.exe
Token: SeTakeOwnershipPrivilege	3904	msiexec.exe
Token: SeLoadDriverPrivilege	3904	msiexec.exe
Token: SeSystemProfilePrivilege	3904	msiexec.exe
Token: SeSystemtimePrivilege	3904	msiexec.exe
Token: SeProfSingleProcessPrivilege	3904	msiexec.exe
Token: SeIncBasePriorityPrivilege	3904	msiexec.exe
Token: SeCreatePagefilePrivilege	3904	msiexec.exe
Token: SeCreatePermanentPrivilege	3904	msiexec.exe
Token: SeBackupPrivilege	3904	msiexec.exe
Token: SeRestorePrivilege	3904	msiexec.exe
Token: SeShutdownPrivilege	3904	msiexec.exe
Token: SeDebugPrivilege	3904	msiexec.exe
Token: SeAuditPrivilege	3904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3904	msiexec.exe
Token: SeChangeNotifyPrivilege	3904	msiexec.exe
Token: SeRemoteShutdownPrivilege	3904	msiexec.exe
Token: SeUndockPrivilege	3904	msiexec.exe
Token: SeSyncAgentPrivilege	3904	msiexec.exe
Token: SeEnableDelegationPrivilege	3904	msiexec.exe
Token: SeManageVolumePrivilege	3904	msiexec.exe
Token: SeImpersonatePrivilege	3904	msiexec.exe
Token: SeCreateGlobalPrivilege	3904	msiexec.exe
Token: SeBackupPrivilege	680	vssvc.exe
Token: SeRestorePrivilege	680	vssvc.exe
Token: SeAuditPrivilege	680	vssvc.exe
Token: SeBackupPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeBackupPrivilege	612	srtasks.exe
Token: SeRestorePrivilege	612	srtasks.exe
Token: SeSecurityPrivilege	612	srtasks.exe
Token: SeTakeOwnershipPrivilege	612	srtasks.exe
Token: SeBackupPrivilege	612	srtasks.exe
Token: SeRestorePrivilege	612	srtasks.exe
Token: SeSecurityPrivilege	612	srtasks.exe
Token: SeTakeOwnershipPrivilege	612	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3904	msiexec.exe
3904	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4656	OpenWith.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 612	624	msiexec.exe	97
PID 624 wrote to memory of 612	624	msiexec.exe	97
PID 624 wrote to memory of 2184	624	msiexec.exe	99
PID 624 wrote to memory of 2184	624	msiexec.exe	99
PID 624 wrote to memory of 2184	624	msiexec.exe	99
PID 2184 wrote to memory of 1560	2184	MsiExec.exe	100
PID 2184 wrote to memory of 1560	2184	MsiExec.exe	100
PID 2184 wrote to memory of 1560	2184	MsiExec.exe	100
PID 2184 wrote to memory of 4264	2184	MsiExec.exe	102
PID 2184 wrote to memory of 4264	2184	MsiExec.exe	102
PID 2184 wrote to memory of 4264	2184	MsiExec.exe	102
PID 2184 wrote to memory of 3548	2184	MsiExec.exe	104
PID 2184 wrote to memory of 3548	2184	MsiExec.exe	104
PID 2184 wrote to memory of 3548	2184	MsiExec.exe	104
PID 3548 wrote to memory of 708	3548	windbg.exe	105
PID 3548 wrote to memory of 708	3548	windbg.exe	105
PID 3548 wrote to memory of 708	3548	windbg.exe	105
PID 2184 wrote to memory of 1748	2184	MsiExec.exe	106
PID 2184 wrote to memory of 1748	2184	MsiExec.exe	106
PID 2184 wrote to memory of 1748	2184	MsiExec.exe	106
PID 708 wrote to memory of 1720	708	Autoit3.exe	109
PID 708 wrote to memory of 1720	708	Autoit3.exe	109
PID 708 wrote to memory of 1720	708	Autoit3.exe	109
PID 1720 wrote to memory of 864	1720	cmd.exe	111
PID 1720 wrote to memory of 864	1720	cmd.exe	111
PID 1720 wrote to memory of 864	1720	cmd.exe	111
PID 708 wrote to memory of 3744	708	Autoit3.exe	112
PID 708 wrote to memory of 3744	708	Autoit3.exe	112
PID 708 wrote to memory of 3744	708	Autoit3.exe	112
PID 708 wrote to memory of 3744	708	Autoit3.exe	112
PID 708 wrote to memory of 3744	708	Autoit3.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2240

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2404

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 985F0FCFE8FC9E04138888F391220846
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1560
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:708
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - \??\c:\windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3744
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fdbaddf\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\fdbaddf\dbcfgcd\ehafbhh

Filesize
170B

MD5
c5fae694017a5853bf4273024c96d805

SHA1
45ea0f9f11a970ced6cfd9148713fcbee70e4597

SHA256
12738cb05c68ddc0f3b2d03926b964024f0642ff8b786419538542606bd27d1b

SHA512
e687520caa505679e462ce8382bf52b7e0f8dd83ae0bbad71c4cbf24b971560affafba78bd70500ac669d975a74aef841f662c203c5f5726927c4f12d306ecd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files.cab

Filesize
8.9MB

MD5
3a4de3260c72e38f814cc2a7b2d42df7

SHA1
19458fb6838dd9d8be113b0b9983c7d77c12eb25

SHA256
411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7

SHA512
3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\00001-337121377.png

Filesize
1.1MB

MD5
fd49f38e666f94abdbd9cc0bb842c29b

SHA1
36a00401a015d0719787d5a65c86784760ee93ff

SHA256
1f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f

SHA512
2fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\00002-337121378.png

Filesize
1.0MB

MD5
f68d2ca13e1268dd79e95591b976ec45

SHA1
588454301e3c25065349740573282145aa0a5c7b

SHA256
af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460

SHA512
a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\00003-337121379.png

Filesize
1.1MB

MD5
7dbe5e4b98d7601585cfb9697f265e0f

SHA1
da8477a2494b1436664c535d7c854bf778942a76

SHA256
c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288

SHA512
38e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\00004-337121380.png

Filesize
1.0MB

MD5
85da5b7fd4b6983fffe78853c5276c03

SHA1
49a68d92beabfdfce7b2939f35a7b3e4bdc2bc96

SHA256
ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba

SHA512
c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\00005-337121381.png

Filesize
1.0MB

MD5
602b44b5e0a94c61c7ae501966eb4fd5

SHA1
853f5c83bedd4523cb72ca127cc6c269ac99e2d9

SHA256
2e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3

SHA512
e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\00007-337121383.png

Filesize
1.1MB

MD5
9a40cf65a81a8f618a4f562e2494a557

SHA1
3b06e119cc017bbe99c06906779f40f2d04b08ad

SHA256
087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6

SHA512
745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\00008-337121384.png

Filesize
1.1MB

MD5
452b0afd9436be767a0ee61e98ef0356

SHA1
736f12f84f8af0bd04f5b207f31cba8dd359ae03

SHA256
0348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a

SHA512
2fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\data2.bin

Filesize
1.8MB

MD5
7673659bf664bd45a6f3c38b7d1c25d3

SHA1
a9b40ab4590b77887417ec33ecd061c98490176a

SHA256
41339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d

SHA512
14ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\dataPicture.jpg

Filesize
159KB

MD5
008b295295c49c6d07161baff5f7212b

SHA1
f89d13817531957967be21327c8180a35960d04d

SHA256
9f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134

SHA512
6d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\msiwrapper.ini

Filesize
1KB

MD5
1c715572e3bc858c8ee1f739ebe6b297

SHA1
9245b5ce377df60ef50d3252b276ac8ab4f51639

SHA256
e9646fcebfeae29aecc11fba012d1472db2d7dc21568a323728e376ec404a0e4

SHA512
e911fda8e2a9df570c6be53c11b9ad4f0d4bc30189fe5855aa09145f94d13cc2713ee9644545edd6654f9ed62decc08b7fd1b5c3a71e9082c7bcd864bbb130c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\msiwrapper.ini

Filesize
1010B

MD5
b34a8a87002e261bfeb6165eb1ab1963

SHA1
09b0c6f441c7e5c41744bb6f0fbeae3fc1f0e7fb

SHA256
a2fbbe9b33d7144ecb46e21c19643b4edb009529cc8547ea5d03f48c40afb1eb

SHA512
5bd17442ada09aec7ea71fdd0146fae2e2881e35c489c69afeb640632a20cae75246a4bbb6fc9abef4da911270166348fc22eb76a3614e96443b63747f1d9151

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\msiwrapper.ini

Filesize
1KB

MD5
f64f84f89ea076ba7278c8cdedb2063e

SHA1
180d5f4f80a35e09d913c54149cb0006cce84fdd

SHA256
4d556c9fe13e4259f645b66f6a75d667b2ba2c837eec221ff4944f6d1d31d1ce

SHA512
350448687d4b043f7a3a8fded22cecfc2d5e06ad86c7d707f2d2c9ebdad2c72ed5d58b3d6ab9c5456bcac0b422aa2ac9c7906e21a2e29de3976ec59f020c4b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-469b9524-96a4-4451-b1de-461cc33db8ac\msiwrapper.ini

Filesize
1KB

MD5
f64f84f89ea076ba7278c8cdedb2063e

SHA1
180d5f4f80a35e09d913c54149cb0006cce84fdd

SHA256
4d556c9fe13e4259f645b66f6a75d667b2ba2c837eec221ff4944f6d1d31d1ce

SHA512
350448687d4b043f7a3a8fded22cecfc2d5e06ad86c7d707f2d2c9ebdad2c72ed5d58b3d6ab9c5456bcac0b422aa2ac9c7906e21a2e29de3976ec59f020c4b87

Download Submit
C:\Windows\Installer\MSI4008.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI4008.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI50F2.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI50F2.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
7691bee48455afb48cf5f9559015e0a5

SHA1
04e909bfc7d80570a72be3baf3caa8d6fec66ee4

SHA256
e63c436e6c241e13bb3a390e13831a038b48a9e5a37dfda3da2006da4a293c5f

SHA512
b4adf432e3642efce08cd445a4e8b06c5ee38da264aa450b54f2ebed4786342a4377bca34488cdb23bb986f7e9d59f3e023fe2917a58aef44491e327548ba68e

Download Submit
\??\Volume{66c809e9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f69ca97a-af7a-4670-9a98-593c9c3b0d97}_OnDiskSnapshotProp

Filesize
5KB

MD5
88222f35d1b15cb4ab3c60688787ef55

SHA1
bd943ca73c6c819bb83a6b9c42cf3cacfc8d5023

SHA256
7aa07bfa355794451466f03e14cf5c7919d5d21bf135d8f989570bc65128573f

SHA512
9219297b03c264a87f625f9175a3ba2196936ecf260345ca1c2f1d9f8bc254ed7772e487eefc2c6f53ace5146a958741a2a8743dbbf4e6ee54dead636c46db36

Download Submit
\??\c:\temp\hhddeff.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\??\c:\tmpa\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
memory/708-119-0x00000000017F0000-0x0000000001BF0000-memory.dmp

Filesize
4.0MB

Download
memory/708-120-0x0000000004B00000-0x0000000004E2A000-memory.dmp

Filesize
3.2MB

Download
memory/708-146-0x0000000004B00000-0x0000000004E2A000-memory.dmp

Filesize
3.2MB

Download
memory/708-144-0x0000000004B00000-0x0000000004E2A000-memory.dmp

Filesize
3.2MB

Download
memory/708-152-0x0000000004B00000-0x0000000004E2A000-memory.dmp

Filesize
3.2MB

Download
memory/708-147-0x0000000004B00000-0x0000000004E2A000-memory.dmp

Filesize
3.2MB

Download
memory/708-154-0x0000000004B00000-0x0000000004E2A000-memory.dmp

Filesize
3.2MB

Download
memory/708-150-0x00000000017F0000-0x0000000001BF0000-memory.dmp

Filesize
4.0MB

Download
memory/708-145-0x0000000004B00000-0x0000000004E2A000-memory.dmp

Filesize
3.2MB

Download
memory/3548-115-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3548-110-0x0000000002560000-0x0000000002660000-memory.dmp

Filesize
1024KB

Download
memory/3744-162-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-170-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-155-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-153-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-163-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-151-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-169-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-156-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-171-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-172-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-173-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-174-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3744-176-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download