darkgate | a2fb0011e13f5c32cc13c95f954e6197373a68a7e724d719304021052374e659

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2023 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Size

1.8MB
MD5

247a8cc39384e93d258360a11381000f
SHA1

23893f035f8564dfea5030b9fdd54120d96072bb
SHA256

6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
SHA512

336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
SSDEEP

24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX

Score

10^/10

darkgate discovery stealer

Malware Config

Extracted

Family

darkgate

http://80.66.88.145

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
7891
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
bIWRRCGvGiXOga
internal_mutex
bbbGcB
minimum_disk
50
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs

description	pid	Process	procid_target
PID 4780 created 2236	4780	Autoit3.exe	16
PID 4780 created 2508	4780	Autoit3.exe	52
PID 4780 created 2508	4780	Autoit3.exe	52
PID 5716 created 3880	5716	Eula.exe	14
PID 5716 created 2508	5716	Eula.exe	52
PID 5716 created 2708	5716	Eula.exe	46
PID 5716 created 3692	5716	Eula.exe	39
PID 5716 created 4008	5716	Eula.exe	37
PID 5716 created 4592	5716	Eula.exe	23
PID 5716 created 3880	5716	Eula.exe	14
PID 5716 created 5676	5716	Eula.exe	111
PID 5716 created 2708	5716	Eula.exe	46
PID 5716 created 1676	5716	Eula.exe	109
PID 5716 created 4592	5716	Eula.exe	23
PID 5716 created 1676	5716	Eula.exe	109
PID 5716 created 1676	5716	Eula.exe	109

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ehdheeb.lnk	Eula.exe

Executes dropped EXE 1 IoCs

pid	Process
4780	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
216	MsiExec.exe
216	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1900	ICACLS.EXE
7096	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58aaa3.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE76E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC0A.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIE77F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58aaa3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006f5277fd0b2376700000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006f5277fd0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006f5277fd000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6f5277fd000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006f5277fd00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Eula.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Eula.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msinfo32.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2780	msiexec.exe
2780	msiexec.exe
4780	Autoit3.exe
4780	Autoit3.exe
4780	Autoit3.exe
4780	Autoit3.exe
4780	Autoit3.exe
4780	Autoit3.exe
4780	Autoit3.exe
4780	Autoit3.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
5716	Eula.exe
6488	msinfo32.exe
6488	msinfo32.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2448	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2448	msiexec.exe
Token: SeSecurityPrivilege	2780	msiexec.exe
Token: SeCreateTokenPrivilege	2448	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2448	msiexec.exe
Token: SeLockMemoryPrivilege	2448	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2448	msiexec.exe
Token: SeMachineAccountPrivilege	2448	msiexec.exe
Token: SeTcbPrivilege	2448	msiexec.exe
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeLoadDriverPrivilege	2448	msiexec.exe
Token: SeSystemProfilePrivilege	2448	msiexec.exe
Token: SeSystemtimePrivilege	2448	msiexec.exe
Token: SeProfSingleProcessPrivilege	2448	msiexec.exe
Token: SeIncBasePriorityPrivilege	2448	msiexec.exe
Token: SeCreatePagefilePrivilege	2448	msiexec.exe
Token: SeCreatePermanentPrivilege	2448	msiexec.exe
Token: SeBackupPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeShutdownPrivilege	2448	msiexec.exe
Token: SeDebugPrivilege	2448	msiexec.exe
Token: SeAuditPrivilege	2448	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2448	msiexec.exe
Token: SeChangeNotifyPrivilege	2448	msiexec.exe
Token: SeRemoteShutdownPrivilege	2448	msiexec.exe
Token: SeUndockPrivilege	2448	msiexec.exe
Token: SeSyncAgentPrivilege	2448	msiexec.exe
Token: SeEnableDelegationPrivilege	2448	msiexec.exe
Token: SeManageVolumePrivilege	2448	msiexec.exe
Token: SeImpersonatePrivilege	2448	msiexec.exe
Token: SeCreateGlobalPrivilege	2448	msiexec.exe
Token: SeBackupPrivilege	3584	vssvc.exe
Token: SeRestorePrivilege	3584	vssvc.exe
Token: SeAuditPrivilege	3584	vssvc.exe
Token: SeBackupPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeBackupPrivilege	4456	srtasks.exe
Token: SeRestorePrivilege	4456	srtasks.exe
Token: SeSecurityPrivilege	4456	srtasks.exe
Token: SeTakeOwnershipPrivilege	4456	srtasks.exe
Token: SeBackupPrivilege	4456	srtasks.exe
Token: SeRestorePrivilege	4456	srtasks.exe
Token: SeSecurityPrivilege	4456	srtasks.exe
Token: SeTakeOwnershipPrivilege	4456	srtasks.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2448	msiexec.exe
2448	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4456	2780	msiexec.exe	100
PID 2780 wrote to memory of 4456	2780	msiexec.exe	100
PID 2780 wrote to memory of 216	2780	msiexec.exe	102
PID 2780 wrote to memory of 216	2780	msiexec.exe	102
PID 2780 wrote to memory of 216	2780	msiexec.exe	102
PID 216 wrote to memory of 1900	216	MsiExec.exe	103
PID 216 wrote to memory of 1900	216	MsiExec.exe	103
PID 216 wrote to memory of 1900	216	MsiExec.exe	103
PID 216 wrote to memory of 868	216	MsiExec.exe	105
PID 216 wrote to memory of 868	216	MsiExec.exe	105
PID 216 wrote to memory of 868	216	MsiExec.exe	105
PID 216 wrote to memory of 4780	216	MsiExec.exe	108
PID 216 wrote to memory of 4780	216	MsiExec.exe	108
PID 216 wrote to memory of 4780	216	MsiExec.exe	108
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109
PID 4780 wrote to memory of 1676	4780	Autoit3.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2236

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4592

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2508
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"
  2⤵
  PID:1676
- - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:6488
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 52C4119E7F1F16209D4E9C3D49209179
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1900
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:868
- - C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\files\Autoit3.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\files\Autoit3.exe" UGtZgHHT.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4780
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:7096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aeehcfe\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\aeehcfe\bcgbfbc.au3

Filesize
768KB

MD5
688fa612182c6f8f22cb8371121f0526

SHA1
233bc0845fe799c6b2d50d5b7899f8118c3668f2

SHA256
7ba02940ead9a8f8e4c5c51fd27667447ffe2aeb8485cb594c8747c517fd8288

SHA512
176a23a5ba88b9ae067200346afb39f33c744982aa0ca8da017e9b88ca56bd4f5c065cce98962f29e530a6d7dce591cb02d10a4ce24bb5b0de7c4cf28746fc6e

Download Submit
C:\ProgramData\aeehcfe\bcgbfbc.au3

Filesize
768KB

MD5
688fa612182c6f8f22cb8371121f0526

SHA1
233bc0845fe799c6b2d50d5b7899f8118c3668f2

SHA256
7ba02940ead9a8f8e4c5c51fd27667447ffe2aeb8485cb594c8747c517fd8288

SHA512
176a23a5ba88b9ae067200346afb39f33c744982aa0ca8da017e9b88ca56bd4f5c065cce98962f29e530a6d7dce591cb02d10a4ce24bb5b0de7c4cf28746fc6e

Download Submit
C:\ProgramData\aeehcfe\kedbbde\fahgehf

Filesize
129B

MD5
1f612e411a96db68297132b1c0c21e48

SHA1
b55dcc5b5c40bc4db8f5289214619bc003edf4c3

SHA256
393f979ca9506d4a5493c0d20e27a4d1b4f07dea96cbc94eb0afdb7b394fccf2

SHA512
dbde44274d609f9ce6b20e53c39cdcef1a20d4ce9e03f404c106bf45af1c34421bca2cf6083ddda934bd9fc83a171a6b5c315600d5d89cccae983718070a4da0

Download Submit
C:\ProgramData\aeehcfe\kedbbde\fahgehf

Filesize
129B

MD5
9c45402f68996114291fe559f24768b4

SHA1
f8e21106fce9da2fbcda78cf4c78173014bf2975

SHA256
e6e5cac1bafdebea0ed5cccfe4b13b3219515ba1477288c5f6107c19caeea8f4

SHA512
1e542eb0739ccf678e9a37fc72550feb95ec7f25edd81b6b3f74b38d801e1912c9cf60364576ef5117d416db9016d222658cede52ad47b6e32203ab0626ddfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\files.cab

Filesize
1.6MB

MD5
e7c3b16ed93b760546ae6756b12644da

SHA1
99b3b1af70b45b4b815a814f61f9b6e509cd3bb6

SHA256
659733a584c52078ac6b568dfb34a089bef2b3835a5ea737d32c1623a468b743

SHA512
b6eeaaeeb1f7c8335076075bc8033d5d4744544f3937eeaddcbef5f7ba257a64c20a47f8388c1e8f10c5821da8abe0683be8fd60c3e1a9aea25e4a705e2f8b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\files\UGtZgHHT.au3

Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\msiwrapper.ini

Filesize
1KB

MD5
ce92fcbd8b833e755f61d396de97b826

SHA1
0339c5d0a175018d8e93d282eebbad590ed27b93

SHA256
94cb9de1006ead71ecf2420f970d910d637dbfbc80c94a5e181c75438ee06e29

SHA512
4cc6f39f8e1242394cc278206ac2e6165ef378ca585e98daa7062440797945801990c94b68bdb71d0ce0154d9295704021beba28860afd074bcaa487df7b4e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\msiwrapper.ini

Filesize
1KB

MD5
2aa2f54e2d31aa68e4e7b3cfb5c8f959

SHA1
4e5b845aa437367380b3ab1b73c8d7f471b48461

SHA256
c99d5d86c98957cad153c3d6faaf5f822d0fd4fa890aa4ca162f4ba48e7e01d2

SHA512
0a90e0b4c69f77f51f32d24f9dfc790ffedfc9be486c63fb023a5e26aea81c53dd68a89fc4693eb27ea40e42f89e2f702af5bfe6ac0f8ce39b30834706e0f7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\msiwrapper.ini

Filesize
1KB

MD5
a3fff3bd953f2b12c7e4f8116d40f81e

SHA1
4062c0254dad92b8d2f4efe782b40a31fbca0ac4

SHA256
d5145b6f4a56130970bf07561d920c2cbb65103967913659c384fbfd969dd296

SHA512
f40dd7295becb344c289c113ed672d4683e0b7aae7f3666663697b12ea22fb4b078f8a5854f1df0bff3904050b7665599efb6df87ec37a38ac21c50dfb2a0d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b2e3a0b2-9692-42ff-88f5-7c18b53f76a3\msiwrapper.ini

Filesize
1KB

MD5
a3fff3bd953f2b12c7e4f8116d40f81e

SHA1
4062c0254dad92b8d2f4efe782b40a31fbca0ac4

SHA256
d5145b6f4a56130970bf07561d920c2cbb65103967913659c384fbfd969dd296

SHA512
f40dd7295becb344c289c113ed672d4683e0b7aae7f3666663697b12ea22fb4b078f8a5854f1df0bff3904050b7665599efb6df87ec37a38ac21c50dfb2a0d3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ehdheeb.lnk

Filesize
647B

MD5
7aed69fb8f87dc3f0db9235528913690

SHA1
f72dd15fa4d897f3021f2418529ed3d2331c0dca

SHA256
30c40dee7a81d9ec4baa91d2860b921b63e22877cf385d8ab261d4c428e0ea37

SHA512
4d715b8157bd9755d6170c159f8bdffaa635729e99cca09db476dc78ee14a39911c753daa86b144c3d58cdf14a33d66ba2f4057fb3ba9b44cd436e53a3e65476

Download Submit
C:\Windows\Installer\MSIAC0A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIAC0A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIE77F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIE77F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
51cff6e392a77aff760278b3842e5d1e

SHA1
1dc7149cd0bdb1559effb3cff33e4135ab1993c9

SHA256
f33863a227d04ad47b7039203540e9d8fe1352cc05a0536363c2ddb10c767a81

SHA512
f7e5bb60cf55eb4a1ba1c9932a21c7be165ae3aa1bb957cc6197862d144bb2c593362848c01dacf33b97c94c2c314d4de351f89b68a0e148d015ed60f131259e

Download Submit
\??\Volume{fd77526f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fdd120c8-3fb4-4060-adf8-65a1dc67dfc9}_OnDiskSnapshotProp

Filesize
6KB

MD5
5725b01ebd0173a7adb42e02bd865edf

SHA1
6abedd046f23f9db20e214c13655b2c37b2de866

SHA256
d56da7b5880b5364277f05d64560cb9e31c86850575530b9bf4d61c93e0911ee

SHA512
ac6ff03b3506f9298d1236ee84a62f7b4d6dc4fdef6d7efad5d43bfdc36c56aedbbbafbb982b278dc76123a2534fc0d5fe084ae5faee9a9ebc4cae3d8fd2e469

Download Submit
\??\c:\temp\bcgbfbc.au3

Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
memory/1676-82-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1676-81-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/4780-79-0x0000000004000000-0x00000000041D9000-memory.dmp

Filesize
1.8MB

Download
memory/4780-73-0x0000000000C10000-0x0000000001010000-memory.dmp

Filesize
4.0MB

Download
memory/4780-428-0x0000000004000000-0x00000000041D9000-memory.dmp

Filesize
1.8MB

Download
memory/4780-102-0x0000000000C10000-0x0000000001010000-memory.dmp

Filesize
4.0MB

Download
memory/4780-74-0x00000000037E0000-0x00000000038D5000-memory.dmp

Filesize
980KB

Download
memory/4780-1190-0x0000000004000000-0x00000000041D9000-memory.dmp

Filesize
1.8MB

Download
memory/5716-1544-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/5716-1189-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/6488-1228-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/6488-1821-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/6488-1227-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/6488-1868-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download