darkgate | cb6631977fd57aea2c49e62263131b3e20a071495ad63adb3363ca6fd0d3184a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad.msi
Size

3.2MB
MD5

6922c8d97e6d60135a3c55302ce1eecf
SHA1

f3714edb96b5db59b392058292ed486dfd3d3629
SHA256

de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad
SHA512

2477b8432ffd9a0873608d978b30a8eea129d6180a18437a3a204c875ec2469e4eb0db2a6c52b6d2bb3e1881fcb0e1e29934d73608499694545cfdda5bf53494
SSDEEP

49152:qpUPqczdMZnZajVw8XsmOL8ruQO7/rsGQNTRJD+jQW/XRaWEr1bCU:qpmBUZaZw8u8rJOjrsG2apKGU

Score

10^/10

darkgate admin888 discovery persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

pjnbadfjandkadm3kd.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
wVImrJRl
minimum_disk
100
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Extracted

Family

darkgate

Version

6.1.7

Botnet

admin888

pjnbadfjandkadm3kd.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
wVImrJRl
minimum_disk
100
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 39 IoCs

resource	yara_rule
behavioral2/memory/4196-101-0x0000000005E00000-0x000000000614E000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-108-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-111-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-110-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-109-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4196-114-0x0000000005E00000-0x000000000614E000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-119-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-121-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-123-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-125-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-126-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-127-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-129-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-130-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-131-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-132-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-133-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-134-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-135-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-136-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-137-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-141-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-142-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-143-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-144-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-145-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-146-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-147-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-148-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-149-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-150-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-151-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-152-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-153-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-154-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-155-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-156-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/4704-157-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6
behavioral2/memory/3196-158-0x0000000000400000-0x0000000000470000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 4196 created 3984	4196	Autoit3.exe	61
PID 4196 created 4576	4196	Autoit3.exe	74
PID 4196 created 3836	4196	Autoit3.exe	59
PID 4196 created 4576	4196	Autoit3.exe	74
PID 4196 created 4576	4196	Autoit3.exe	74
PID 4196 created 3896	4196	Autoit3.exe	60
PID 4704 created 3748	4704	vbc.exe	58

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4772	ICACLS.EXE
3680	ICACLS.EXE

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFDdAHA = "C:\\ProgramData\\hcbhbef\\Autoit3.exe C:\\ProgramData\\hcbhbef\\gadbahh.au3"	vbc.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4196 set thread context of 4704	4196	Autoit3.exe	106
PID 4704 set thread context of 3196	4704	vbc.exe	107

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI69C8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E6AB046C-2184-4430-B482-620EB1327B97}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI633E.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI69A8.tmp	msiexec.exe
File created	C:\Windows\Installer\e576263.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576263.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4036	KeyScramblerLogon.exe
4196	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
2744	MsiExec.exe
4036	KeyScramblerLogon.exe
2744	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000042283678384db7f50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000422836780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090042283678000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d42283678000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004228367800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1200	msiexec.exe
1200	msiexec.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4196	Autoit3.exe
4704	vbc.exe
4704	vbc.exe
4704	vbc.exe
4704	vbc.exe
3196	vbc.exe
3196	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4704	vbc.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4932	msiexec.exe
Token: SeSecurityPrivilege	1200	msiexec.exe
Token: SeCreateTokenPrivilege	4932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4932	msiexec.exe
Token: SeLockMemoryPrivilege	4932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4932	msiexec.exe
Token: SeMachineAccountPrivilege	4932	msiexec.exe
Token: SeTcbPrivilege	4932	msiexec.exe
Token: SeSecurityPrivilege	4932	msiexec.exe
Token: SeTakeOwnershipPrivilege	4932	msiexec.exe
Token: SeLoadDriverPrivilege	4932	msiexec.exe
Token: SeSystemProfilePrivilege	4932	msiexec.exe
Token: SeSystemtimePrivilege	4932	msiexec.exe
Token: SeProfSingleProcessPrivilege	4932	msiexec.exe
Token: SeIncBasePriorityPrivilege	4932	msiexec.exe
Token: SeCreatePagefilePrivilege	4932	msiexec.exe
Token: SeCreatePermanentPrivilege	4932	msiexec.exe
Token: SeBackupPrivilege	4932	msiexec.exe
Token: SeRestorePrivilege	4932	msiexec.exe
Token: SeShutdownPrivilege	4932	msiexec.exe
Token: SeDebugPrivilege	4932	msiexec.exe
Token: SeAuditPrivilege	4932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4932	msiexec.exe
Token: SeChangeNotifyPrivilege	4932	msiexec.exe
Token: SeRemoteShutdownPrivilege	4932	msiexec.exe
Token: SeUndockPrivilege	4932	msiexec.exe
Token: SeSyncAgentPrivilege	4932	msiexec.exe
Token: SeEnableDelegationPrivilege	4932	msiexec.exe
Token: SeManageVolumePrivilege	4932	msiexec.exe
Token: SeImpersonatePrivilege	4932	msiexec.exe
Token: SeCreateGlobalPrivilege	4932	msiexec.exe
Token: SeBackupPrivilege	4924	vssvc.exe
Token: SeRestorePrivilege	4924	vssvc.exe
Token: SeAuditPrivilege	4924	vssvc.exe
Token: SeBackupPrivilege	1200	msiexec.exe
Token: SeRestorePrivilege	1200	msiexec.exe
Token: SeRestorePrivilege	1200	msiexec.exe
Token: SeTakeOwnershipPrivilege	1200	msiexec.exe
Token: SeRestorePrivilege	1200	msiexec.exe
Token: SeTakeOwnershipPrivilege	1200	msiexec.exe
Token: SeBackupPrivilege	4516	srtasks.exe
Token: SeRestorePrivilege	4516	srtasks.exe
Token: SeSecurityPrivilege	4516	srtasks.exe
Token: SeTakeOwnershipPrivilege	4516	srtasks.exe
Token: SeBackupPrivilege	4516	srtasks.exe
Token: SeRestorePrivilege	4516	srtasks.exe
Token: SeSecurityPrivilege	4516	srtasks.exe
Token: SeTakeOwnershipPrivilege	4516	srtasks.exe
Token: SeRestorePrivilege	1200	msiexec.exe
Token: SeTakeOwnershipPrivilege	1200	msiexec.exe
Token: SeRestorePrivilege	1200	msiexec.exe
Token: SeTakeOwnershipPrivilege	1200	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4932	msiexec.exe
4932	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4516	1200	msiexec.exe	95
PID 1200 wrote to memory of 4516	1200	msiexec.exe	95
PID 1200 wrote to memory of 2744	1200	msiexec.exe	97
PID 1200 wrote to memory of 2744	1200	msiexec.exe	97
PID 1200 wrote to memory of 2744	1200	msiexec.exe	97
PID 2744 wrote to memory of 3680	2744	MsiExec.exe	98
PID 2744 wrote to memory of 3680	2744	MsiExec.exe	98
PID 2744 wrote to memory of 3680	2744	MsiExec.exe	98
PID 2744 wrote to memory of 3656	2744	MsiExec.exe	100
PID 2744 wrote to memory of 3656	2744	MsiExec.exe	100
PID 2744 wrote to memory of 3656	2744	MsiExec.exe	100
PID 2744 wrote to memory of 4036	2744	MsiExec.exe	102
PID 2744 wrote to memory of 4036	2744	MsiExec.exe	102
PID 2744 wrote to memory of 4036	2744	MsiExec.exe	102
PID 4036 wrote to memory of 4196	4036	KeyScramblerLogon.exe	103
PID 4036 wrote to memory of 4196	4036	KeyScramblerLogon.exe	103
PID 4036 wrote to memory of 4196	4036	KeyScramblerLogon.exe	103
PID 2744 wrote to memory of 4772	2744	MsiExec.exe	104
PID 2744 wrote to memory of 4772	2744	MsiExec.exe	104
PID 2744 wrote to memory of 4772	2744	MsiExec.exe	104
PID 4196 wrote to memory of 4704	4196	Autoit3.exe	106
PID 4196 wrote to memory of 4704	4196	Autoit3.exe	106
PID 4196 wrote to memory of 4704	4196	Autoit3.exe	106
PID 4196 wrote to memory of 4704	4196	Autoit3.exe	106
PID 4196 wrote to memory of 4704	4196	Autoit3.exe	106
PID 4704 wrote to memory of 3196	4704	vbc.exe	107
PID 4704 wrote to memory of 3196	4704	vbc.exe	107
PID 4704 wrote to memory of 3196	4704	vbc.exe	107
PID 4704 wrote to memory of 3196	4704	vbc.exe	107
PID 4704 wrote to memory of 3196	4704	vbc.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3984

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4576

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5AFCF24D5B2F1FCD8E2AC1E656E545DD
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3680
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3656
- - C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4196
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hcbhbef\gadbahh.au3

Filesize
469KB

MD5
5d96e041da78366fb70f972308ebc5d9

SHA1
8dcc25d1bb736adf3b94e9a415597b45df0f1828

SHA256
009bf4414bd1e2d3fe7757d5302c9dc52d686235cab6df278df79db67cedecd3

SHA512
d3d25de8c0843e102cd9d34f8fcb674b067c501d97bcf72bbdae7bdc65f333e9d6b01f78bb6059e7b0ea6f2482f0aff018aa9f934f736224a8c8589559b4c742

Download Submit
C:\ProgramData\hcbhbef\hfbkehd

Filesize
1KB

MD5
12f80655ef36b15099cefe96e196df9b

SHA1
b0494bbb1b8aaf3caf4a488dc77a19af7f09df4f

SHA256
59ba29ef62331c75e1808bf7155508bae8110aa5f5a5526e368a37b60e7d91f6

SHA512
cdd0a639575b10bd37f1486e70cc546ca0772f5bbbc4130baf75fa3f3db18f0bb0da79b344403866bddfdd0b0a761b637ff00a30a6e6f704af90b363d9939b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\files.cab

Filesize
2.9MB

MD5
01d622632dbbacf38144c286e0592ca2

SHA1
7c580efe8be24bb5b347ff123bf649b63c9a77ce

SHA256
e2141b7864c5e8ebf0fadb016afa9648ef9d46df9fa26dce5f913387acec219d

SHA512
3826bd82e78b2e301c4eab4d893f4e72a36fd4be170a00ef3cb34ad647b00e9bd201f24fe436fa80909671a7038c2128b7c4d5e489f4104b9525957e6ea1b895

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\files\KeyScramblerIE.dll

Filesize
929KB

MD5
cbdebca0624a78f0d9adbd4af5c4773f

SHA1
7256fcaf986e685e7c5ca4f69178b386ccb2e59f

SHA256
1afac9ba20b60b6fee7708026165f089ab28f28b868166789c6ae2eb1d4f5a8f

SHA512
dfad441832a63efff88f97dd2e0327b2864819113aff7041f1409059da6d06896fa45470a2ca4119277aa33f611dcb302ddaf8ad93498883f1790bc04f5b03d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\files\sqlite3.dll

Filesize
1.5MB

MD5
fc125c903267e34c6729a7b74d2267e6

SHA1
654473ea4e18623909df5369ae6f75564699c175

SHA256
3aea69935cd5759732e403dc3b220b062f8fa582066d32be59a11b2d78ab19b4

SHA512
a7a886b6aec0ee89f1dd137c06a338035c3a304f588dba318ab5e7bf63d6c109c7fb420d063ed244d8b351ee4390d24505ad6294e9250d691662a06dfd878a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\msiwrapper.ini

Filesize
1KB

MD5
baf3d97e0840e82ea7e8b3f2b8466528

SHA1
4e4484081e46e6e95ff64a7cbcfca90f933fd346

SHA256
7898fe8d4aeb98391b1b2b758fc0ce0642a8aebf5179c37fb03fa65e5e291020

SHA512
04130dba4a5e3efabd4c1c8055a49401246263a794733d3521129a98b8cb4a5c59a336401015202b6534ba1e4ffb6cb5791c94f18bf71eb60c0046bff63c619a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\msiwrapper.ini

Filesize
1KB

MD5
2ca97b0b76273b1a71bd0d3808374336

SHA1
05ba939cb8a53efc8871984c373974e2702dc29c

SHA256
b64bb47e277397f72c6db3d4b5d1a0ac540d4e6b5bcf5a113c8399512e244fc1

SHA512
e325c9d6233689b6abd03e543427d5c826314991cfdd5d3827b2ed9071d89ace3e7044a4432a062aecbc4e69f4228217b85d14d5190a9a49dfdb4cde3768d9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0dfc7c8f-d8e8-4d4d-a973-9ea584292723\msiwrapper.ini

Filesize
1KB

MD5
5a7e530b9d9b1ae959aa374e804a7337

SHA1
6462bc63e9cba95babd37068781b86efd93d19a4

SHA256
b7d9766148c059df024ed195747d740a10672975b382c34a387e41d2986e019f

SHA512
12fd14bebd17dec706050ea8387be4308c253d976cb4eecf907a03297a70e5b92b764312b26926c2a84ae70a97a4daf25a6f582de5bf3bc2782c3659490606cd

Download Submit
C:\Users\Admin\AppData\Roaming\DFDdAHA

Filesize
32B

MD5
5723744915894f63d13bf00b5ebcec72

SHA1
59d070398935eba4fb847e1ab6bcdf1ce772553e

SHA256
4d22cbd23fddf3e896fbcba37044876ba8e0867c5bac59638e25feef35f2f56b

SHA512
0d96bf477a539a758589ecde2825b806292f175e2fa316875f15824653aff43f95c66a087f2ef3648870e6e65e0f356c5eb386f25130d9e296acae52f1780b18

Download Submit
C:\Windows\Installer\MSI633E.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\temp\cc.txt

Filesize
4B

MD5
1334444017af971d65ae39c48d8c2bad

SHA1
13de8893e25ce8bb2d3c84881e2bd974a3592f87

SHA256
971769be55ccafdae412268eff9d219dbfee0552193940bb77498b356196b0d3

SHA512
8648ccceda1b65ec2c1ccdab4612050b224bf2f29fc0480f510657b78beff25066abd270932d77a9c6e61b0c2e7aa0afb6ebeca3264ccac7a5f5183d02bba955

Download Submit
C:\temp\fs.txt

Filesize
4B

MD5
1c17b673da2c92414e0c314dcc7b90bb

SHA1
76dfe4ef6e3f8117a2d3ad8a577d03651d1424c9

SHA256
08497c6dcf4f0067667948a1ebfabc0d48f5e32f269efad0acf07c6d8a486b0a

SHA512
8f83342e376fd680058d75c6409b7079c50e4035168574917a55a5078688b6703858d765caea955c85674acd097dadfb176bac940f71ad53001073a7bad338f2

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
458fe41d42cbcdcaaca38a9820a3d937

SHA1
656df3ddae1da2183c871320cac3f18c5d37d7e8

SHA256
c9e775974ab694d4d5cb63160e7b689666b916ad81222e2167ad56f40668f930

SHA512
3fbd074624bbfc67b22f20e1f6ff992df54ffaf9b2e9dfbd8a833aa49db5de4329611b6189bb843dd8003b69b1143bd875fca08e8cfe8601306642f09daf9267

Download Submit
\??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d50bd550-8234-423d-a3df-43d119bf4d63}_OnDiskSnapshotProp

Filesize
6KB

MD5
80595b55a70e439c0129dd1024e04f1e

SHA1
6067f16dd4779a0204ca9ebd70b91396b81e916e

SHA256
92d9f45c0bb90464e224c345753491719719b0653a681b9fbb3177b83d34bcd0

SHA512
724a5e3f3d4f41dcb49eea0726fb787ec24d0c596eda90284f7ea22630c25d9233efd2210a4ef14ee1e6bd7abd5d5785db65a48255c15fa06b4335e07d5b3055

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
e9fd91421b3e079be0052a2fc206283b

SHA1
0f09e6fcfc81a628190a6920fc9deee2b99632e9

SHA256
10c491967d675c25b67030162be119894b99396cf60db4663a92ef9df4e2df25

SHA512
ff8188de44e2881799e91c5761ecae9f3646f8e8d283f34aad71cee5f5d0b24d2ba7f11413b72af3caa60ce2cebf89cf649125e8a9b3dfb5c6540421196f1d5e

Download Submit
memory/3196-144-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-131-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-158-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-156-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-154-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-133-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-137-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-129-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-152-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-142-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-150-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-148-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-146-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-135-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3196-127-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4036-85-0x0000000073AC0000-0x0000000073BB4000-memory.dmp

Filesize
976KB

Download
memory/4036-80-0x0000000002F80000-0x0000000003104000-memory.dmp

Filesize
1.5MB

Download
memory/4036-86-0x0000000002F80000-0x0000000003104000-memory.dmp

Filesize
1.5MB

Download
memory/4196-99-0x0000000004900000-0x00000000058D0000-memory.dmp

Filesize
15.8MB

Download
memory/4196-101-0x0000000005E00000-0x000000000614E000-memory.dmp

Filesize
3.3MB

Download
memory/4196-114-0x0000000005E00000-0x000000000614E000-memory.dmp

Filesize
3.3MB

Download
memory/4704-134-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-123-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-136-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-132-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-141-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-130-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-143-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-126-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-145-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-125-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-147-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-108-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-149-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-121-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-151-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-119-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-153-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-109-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-155-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-110-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-157-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4704-111-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download