Analysis Overview
SHA256
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
Threat Level: Known bad
The file 30112023_2249_LightShot.dll was found to be: Known bad.
Malicious Activity Summary
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-30 14:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-30 14:49
Reported
2023-11-30 14:51
Platform
win7-20231020-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2540 created 1172 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 2540 created 1172 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 2540 created 1172 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 2540 created 1172 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 2540 created 1284 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1
\??\c:\tmpp\Autoit3.exe
c:\tmpp\Autoit3.exe c:\tmpp\test.au3
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | trans1ategooglecom.com | udp |
| US | 8.8.8.8:53 | trans1ategooglecom.com | udp |
Files
memory/1652-0-0x0000000002110000-0x00000000023D2000-memory.dmp
\tmpp\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\tmpp\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1652-7-0x0000000002110000-0x00000000023D2000-memory.dmp
\??\c:\tmpp\test.au3
| MD5 | dbd1ca08a1b009d1abab3def6ffa967b |
| SHA1 | f05c604a879c9396f93f6857f84d6ba58734ae0f |
| SHA256 | 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1 |
| SHA512 | 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb |
memory/2540-11-0x0000000000DA0000-0x00000000011A0000-memory.dmp
memory/2540-12-0x0000000002F90000-0x0000000003125000-memory.dmp
\??\c:\tmpp\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2540-18-0x0000000002F90000-0x0000000003125000-memory.dmp
memory/2540-19-0x0000000002F90000-0x0000000003125000-memory.dmp
memory/2540-20-0x0000000002F90000-0x0000000003125000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-30 14:49
Reported
2023-11-30 14:51
Platform
win10v2004-20231127-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4580 created 3736 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
| PID 4580 created 3916 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe |
| PID 4580 created 3832 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 4580 created 2864 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\backgroundTaskHost.exe |
| PID 4580 created 2820 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhostw.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2020 wrote to memory of 496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 496 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe |
| PID 496 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe |
| PID 496 wrote to memory of 4580 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe |
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1
\??\c:\tmpp\Autoit3.exe
c:\tmpp\Autoit3.exe c:\tmpp\test.au3
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/496-0-0x0000000002330000-0x00000000025F2000-memory.dmp
C:\tmpp\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/496-5-0x0000000002330000-0x00000000025F2000-memory.dmp
\??\c:\tmpp\test.au3
| MD5 | dbd1ca08a1b009d1abab3def6ffa967b |
| SHA1 | f05c604a879c9396f93f6857f84d6ba58734ae0f |
| SHA256 | 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1 |
| SHA512 | 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb |
memory/4580-8-0x0000000000E50000-0x0000000001250000-memory.dmp
memory/4580-10-0x0000000003F90000-0x0000000004125000-memory.dmp
\??\c:\tmpp\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/4580-16-0x0000000003F90000-0x0000000004125000-memory.dmp
memory/4580-17-0x0000000003F90000-0x0000000004125000-memory.dmp
memory/4580-18-0x0000000003F90000-0x0000000004125000-memory.dmp