Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
06-02-2024 12:41
General
-
Target
document_reader.exe
-
Size
3.9MB
-
MD5
dd191e98e5c264b5078b13fe38566d7e
-
SHA1
5b8b2c15c9457bfd0ce9ed012c308f245ee6d92d
-
SHA256
9a3990e375cc3a3a9d6c659b5b5551900dcdc1e7fc8f807f85a951517c8ae96f
-
SHA512
72ee9f8fbab5beb5559c993941b1ec03e26ef6f8add89c89206e0283ea141cfa301cbb382fcac2bc4f6b2c9e88f64037f75dbb23f4477508848b8ef25be31289
-
SSDEEP
49152:zLaXnHEdxX+e3FLpgvDn8P7SM4af+QZ2asV:zLIIhGh
Malware Config
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 40 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\document_reader.exe"C:\Users\Admin\AppData\Local\Temp\document_reader.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe5e29758,0x7fffe5e29768,0x7fffe5e297783⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4080 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4784 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 --field-trial-handle=1916,i,17938447889451433731,17883423674649359963,131072 /prefetch:83⤵
-
-
-
\??\c:\tes2\Autoit3.exec:\tes2\Autoit3.exe c:\tes2\script.au32⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a4a9843d13943b4015ba4f7823f1a25d
SHA1440ae1c631beec71c2fbe9ca336b7d5d295befd6
SHA25658b3f399101f3b696a88de26c4180594742b7060a382c7042f8205bb17536757
SHA512a27ea3ba211a93104ec28a1e656186e416e8efe6ff418cf46ea114878c8b52f4c19b3fcada15723c49b2e2e811b0c1bf9693e5bad78f43527a91ee4c092cd76a
-
Filesize
940B
MD5096cf0969db2b66de41940a3cbb78b6e
SHA13c3f2bb2cb9d1f5461c8b4ac50e82819af8d84eb
SHA256f89d45d9eacc412ae8bd1c5deb89d7b8b37713303750b2e801dec42df3927aeb
SHA512aadaf995b5d061844c2b76932df1a30c7ab5a7585590224098f250ecc24ff566a86ce0881a5c173d04bd7d8f90aff38d2cffafe0746b45948312b0ab412f6f7a
-
Filesize
6KB
MD588434dbaeb96c70c83752afb84e76d3e
SHA17478f3f60fee2c8a9738b4999cc5379fc9839e87
SHA2569db6a1c57543d730205062479ebf2cecf857def90a8fa5d4f70468f99931f6ca
SHA5129451c87ba9a46f7caf98caed0c7276a4179b767dc3a8ea3c124c6bc4b4bd53aeb66b608ce9398c585cf874b7f0d6264e94e7d5a2cb87028a68eb6e22a98190bb
-
Filesize
15KB
MD53e95cfa5bd3e7e59fe9cd9b60fed7abf
SHA143ed60229b9226f99a9df3bbb0f2a40bfd5dc0cf
SHA256846909d9172be219337bd0a8235b9b00a6959182914a8c295d11ac6dbeb6773b
SHA512778c7ea849c58170496b5b4a9c2db613b49250dfb2021001f5ed52a722dae800ef96e3c4af7ca48fe65a11d806cc23513ff6daa215d004c6dd4b90d24312b36d
-
Filesize
115KB
MD56ef180cdf778e9a837e286c54e541f96
SHA1fd3745898ed650459e8b2f5b269271696a78a029
SHA25606fb57e2a916a9af964acaee24fab12d0b092081134a69bdcf100b9b92dcec1b
SHA512903790ec2385c78c860a4174b937498b529305965eb067169d5d5c10fb9d54ad53504a315ed0b2f7cc04d80ef6f0a9b4e2456b87cb0034451d9d1c43983d0d29
-
Filesize
235KB
MD5ec8ec7c611e17806e62251a2e1a16ac1
SHA1c85f8bf09563bf2b6ddacc47503c7ec21f8ae138
SHA256b0546c6a08efd1ec75659a7c2e9c7bc1826d0bd56f9b2b7c1c92110d48ceb500
SHA512fdd865bf345abfa43dfc442425319af0816798e1b01daea92de492099d011ea90a172c486fdd03f37e787884e73823e65a066dcc6036f71f153fa97a92c47117
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
32B
MD5ced6358616c2fd097b6b339a729d8eb0
SHA15690df735d103f757c5a577d31651e9b7743be82
SHA256e3edb1cf7028e9677484eeb763101ea2328b38e55f6a7fb8f921e0916ba4474e
SHA512ea75db70bfe43397b7fa58384d6a60e0f9b100f5ab9ade9d4faa75701dbbc5c8dcdf8d837b1a3a8175a832bdb715576940eca26bef859ba61aa4172ebe6c9708
-
Filesize
4B
MD59de56dc09ea3e10e7ee7bf096a086677
SHA1907cc47036df7a0ce8cce05b4d5e372de3254ec2
SHA256a083da7a7ca7126ed8ef7d22a91be01e67c1850234ed294b8542fee4b74d8166
SHA5129d70fb79ebba79f819ee682d7bab6900305fe0a06eafed77fc650c3d134961d78c169a1bea7676de63b0c9e76210a27a75d55d3e95e7e01c30509d57bca73317
-
Filesize
448KB
MD5a26f0dc347b844309a57cb651f03e243
SHA12d1c78b1b8d776cbbb6e443458e8733d8315b911
SHA25668d7a72f821bae0a1466aa88f5d43ea11740c323e52e578629f8842a994ea2d6
SHA5128cb31d86b02802fa53273b54edd42c8d208aa3296519e8ec332b1ea51c079b0592b24a9b2c9e533c24c31dea31fcfff52c5d1e6fcfb1cdeb23f4cb48fadf9a35
-
Filesize
4B
MD5b3d3780c2061809a9efdd460729b0a9c
SHA1f52ecb69e47602c1e6e29b96879a2f54c3bc4abf
SHA25657109a122f6cc324a93b38a866572ba7cdb6bac43712d8c0f2b11dd0ae7fdffc
SHA512bdc5c4bcd33f01612e61a4022df796f5bb285e4aa5e4e5445f83a3a45d6c312551c638e5c0d8e1d7199e66d93669f7ec996bd938a6daa884021f7a59f4169928
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
583KB
MD5c37514367bf7b08d6cd30f938b33146a
SHA106f277690f2bbe71bdfc77ca227455657bd02c31
SHA2569dd25ba75e415f2e6260de78977091e1ada7b6f0f5cba7c4944673c65fbd7609
SHA5123a009923ff8152720b1e327b0dfd159122d4282f12d7ad540837111226ec3535eb2d550adf065729ea9155f4eb4f46128d0d91bc87a083bcc176f062df2d6b23
-
Filesize
76B
MD54252e248997cb141c0d2b5211d9459f7
SHA1cad24dbb355b37345b85c9e276931ba6b3a7dd1c
SHA256c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8
SHA51225ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2
-
Filesize
3.4MB
-
Filesize
15.8MB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB