Resubmissions
21-11-2023 07:49
231121-jn3cnadg6z 10Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2023 07:49
Behavioral task
behavioral1
Sample
darkgate.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
darkgate.exe
Resource
win10v2004-20231020-en
General
-
Target
darkgate.exe
-
Size
473KB
-
MD5
3f01158a510fa6c87565b40aa8ecd516
-
SHA1
7505dc832e0dc8412fa8150a6450fc2328f482fb
-
SHA256
e01cf9500da5d233d3f6e64f53933e9a2992c79273b73651a1ecbc6e9417bfeb
-
SHA512
f2e27ac78712599647bcef84683d4289b6cc80709eab7ed34ceb54f404e93c324dab5d9a2c29eac8c104df66842707397497f18f4fec09808bedb602836a5455
-
SSDEEP
12288:6IrqXlstKmmdtseWz9nwadGr7d4NysYs2iPR5hOAD5aaqnu3/tU2:6OksnmdtxWz9npdhNyY7R5RDh+uv7
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
Processes:
darkgate.exedescription pid process target process PID 3632 created 3780 3632 darkgate.exe StartMenuExperienceHost.exe PID 3632 created 4000 3632 darkgate.exe SearchApp.exe PID 3632 created 2328 3632 darkgate.exe sihost.exe PID 3632 created 3780 3632 darkgate.exe StartMenuExperienceHost.exe PID 3632 created 4000 3632 darkgate.exe SearchApp.exe PID 3632 created 2408 3632 darkgate.exe taskhostw.exe PID 3632 created 2328 3632 darkgate.exe sihost.exe PID 3632 created 4000 3632 darkgate.exe SearchApp.exe PID 3632 created 4000 3632 darkgate.exe SearchApp.exe PID 3632 created 3900 3632 darkgate.exe RuntimeBroker.exe PID 3632 created 3624 3632 darkgate.exe DllHost.exe PID 3632 created 3900 3632 darkgate.exe RuntimeBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2748 3632 WerFault.exe darkgate.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
darkgate.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 darkgate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString darkgate.exe -
Modifies registry class 1 IoCs
Processes:
darkgate.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings darkgate.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
darkgate.exepid process 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe 3632 darkgate.exe
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3900
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4000
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3780
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3624
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2408
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\darkgate.exe"C:\Users\Admin\AppData\Local\Temp\darkgate.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3632 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 8522⤵
- Program crash
PID:2748
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3632 -ip 36321⤵PID:4756