Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
28-04-2024 03:57
General
-
Target
2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
-
Size
1.3MB
-
MD5
f9895213b401a7ba00112c954b173cfa
-
SHA1
3beefd2c4ecea2a0fb33bbe5a04f3c3efd44e7f2
-
SHA256
849c08a491f9cbed4f9693c279c1012a838f1f115d64bc1babbce36c0b466333
-
SHA512
b9029eee3a6d2df3ce7bfaff37e90f041f5d1b237c33f908d5dda35d0ca8eaa2dfd05de8aa30d3bcb7d98fc34c1204c71965426e7d7c07d7a3e66fe9a461c9c9
-
SSDEEP
24576:HwxPanDWDAxfy+t4g6cBLi2iYQOlbQTAIUV:QxPpWTjPJplUTjUV
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Detects executables containing artifacts associated with disabling Widnows Defender 17 IoCs
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
-
Sets file execution options in registry 2 TTPs 12 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"1⤵
- UAC bypass
- Windows security bypass
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe" /rl HIGHEST /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe explorer.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {AD9E63D8-0D58-4C06-8645-DA419BB156D1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/600-251-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/1936-5-0x000000001B740000-0x000000001BA22000-memory.dmpFilesize
2.9MB
-
memory/1936-6-0x0000000002410000-0x0000000002418000-memory.dmpFilesize
32KB
-
memory/2464-17-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2764-124-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-49-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-154-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-69-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-94-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-113-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-0-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2924-133-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-54-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2924-177-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-196-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-217-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-236-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-30-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-260-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-281-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB
-
memory/2924-300-0x0000000000400000-0x0000000000593000-memory.dmpFilesize
1.6MB