Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 03:57
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Resource: win10v2004-20240419-en
General
Target: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
Size: 1.3MB
MD5: f9895213b401a7ba00112c954b173cfa
SHA1: 3beefd2c4ecea2a0fb33bbe5a04f3c3efd44e7f2
SHA256: 849c08a491f9cbed4f9693c279c1012a838f1f115d64bc1babbce36c0b466333
SHA512: b9029eee3a6d2df3ce7bfaff37e90f041f5d1b237c33f908d5dda35d0ca8eaa2dfd05de8aa30d3bcb7d98fc34c1204c71965426e7d7c07d7a3e66fe9a461c9c9
SSDEEP: 24576:HwxPanDWDAxfy+t4g6cBLi2iYQOlbQTAIUV:QxPpWTjPJplUTjUV
Malware Config
Signatures
-
UAC bypass
Processes:
  Process: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Windows security bypass
Processes:
  Process: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe = "0"
-
Detects executables containing artifacts associated with disabling Windows Defender 17 IoCs
Processes:
  yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender
  behavioral1/memory/2464-17-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-30-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-49-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-69-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-94-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-113-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2764-124-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-133-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-154-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-177-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-196-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-217-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-236-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/600-251-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-260-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-281-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-300-0x0000000000400000-0x0000000000593000-memory.dmp
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
Processes:
  yara_rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
  behavioral1/memory/2464-17-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-30-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-49-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-69-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-94-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-113-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2764-124-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-133-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-154-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-177-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-196-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-217-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-236-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/600-251-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-260-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-281-0x0000000000400000-0x0000000000593000-memory.dmp
  behavioral1/memory/2924-300-0x0000000000400000-0x0000000000593000-memory.dmp
-
Sets file execution options in registry 2 TTPs 12 IoCs
Processes:
  Process: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "\"cmd.exe\",\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe\""
-
Windows security modification
Processes:
  Process: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe = "0"
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Process: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Qwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"
-
Checks whether UAC is enabled
Processes:
  Process: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  2924  2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe   (63 of the 64 IoCs)
  1936  powershell.exe                                                         (1 IoC)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exepid process 2924 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  Token: SeBackupPrivilege   pid 2924  2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Token: SeRestorePrivilege  pid 2924  2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Token: SeDebugPrivilege    pid 1936  powershell.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
  PID 2924 (2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe) wrote to memory of 2788 (cmd.exe)         4 IoCs
  PID 2924 (2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe) wrote to memory of 1936 (powershell.exe)  4 IoCs
  PID 2788 (cmd.exe) wrote to memory of 2148 (schtasks.exe)                                                                3 IoCs
  PID 1700 (taskeng.exe) wrote to memory of 2764 (2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe)     4 IoCs
  PID 1700 (taskeng.exe) wrote to memory of 600 (2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe)      4 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes:
  Process: 2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe"
    - UAC bypass
    - Windows security bypass
    - Sets file execution options in registry
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe" /rl HIGHEST /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe'"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe explorer.exe
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {AD9E63D8-0D58-4C06-8645-DA419BB156D1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
    [2] C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe
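Host triage for the artifacts in this report, as an added example that is not part of the sandbox output or of the sample: a read-only PowerShell script that checks a live Windows host for the same changes the signatures and process tree above record. Those are EnableLUA = 0 and HideFastUserSwitching = 1 under Policies\System; Debugger values under Image File Execution Options for explorer.exe, taskmgr.exe, regedit.exe, reg.exe, cmd.exe and utilman.exe (Windows starts the named "debugger" in place of the program, with the original command line appended, which is why the second top-level process entry shows the sample started with the argument explorer.exe); the Defender path exclusion written by the Add-MpPreference command; the RunOnce value Qwe; and the task GoogleUpdateTaskMachineUK that re-runs the binary every minute at the highest run level. The sample path and task name are taken from the report; the Temp-path heuristics, the output format and the Windows 7 fallbacks (Get-MpPreference and Get-ScheduledTask do not exist there, so the registry is read directly and schtasks.exe is queried) are assumptions of this example.

```powershell
# Added host-triage script for the artifacts in this report. Not part of the sandbox
# output or of the sample. Read-only; run from an elevated PowerShell.
# From the report: the sample path and the scheduled-task name.
# Assumptions of this example: Temp-path heuristics, output format, Windows 7 fallbacks.

$SamplePath = 'C:\Users\Admin\AppData\Local\Temp\2024-04-28_f9895213b401a7ba00112c954b173cfa_darkgate_ransomlock.exe'
$TaskName   = 'GoogleUpdateTaskMachineUK'
$TempGlob   = '*\AppData\Local\Temp\*'
$Findings   = [System.Collections.Generic.List[string]]::new()
$Roots      = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'   # 32-bit writers land in Wow6432Node

# Helper: value name/data pairs of a registry key; nothing if the key is absent.
function Get-RegValues([string]$Path) {
    $Key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $Key) { return @() }
    foreach ($Name in $Key.GetValueNames()) {
        [pscustomobject]@{ Name = $Name; Data = [string]$Key.GetValue($Name) }
    }
}

# 1. UAC policy. EnableLUA=0 turns UAC off at the next reboot; the sample also set HideFastUserSwitching=1.
$Policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($Policy.EnableLUA -eq 0)             { $Findings.Add('UAC disabled: Policies\System\EnableLUA = 0') }
if ($Policy.HideFastUserSwitching -eq 1) { $Findings.Add('Policies\System\HideFastUserSwitching = 1') }

# 2. IFEO Debugger hijacks. Any Debugger value makes Windows launch that binary instead of the named
#    program, with the original command line appended. Legitimate developer debuggers can appear here
#    too, so review each hit rather than treating it as proof of compromise.
foreach ($Root in $Roots) {
    $Ifeo = "$Root\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $Dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($Dbg) { $Findings.Add("IFEO Debugger on $($_.PSChildName): $Dbg") }
    }
}

# 3. Defender exclusions. Add-MpPreference -ExclusionPath stores each path as a value name (data 0)
#    under Windows Defender\Exclusions\Paths, as the report's registry events show.
foreach ($Root in $Roots) {
    Get-RegValues "$Root\Microsoft\Windows Defender\Exclusions\Paths" | Where-Object {
        $_.Name -eq $SamplePath -or $_.Name -like $TempGlob
    } | ForEach-Object { $Findings.Add("Defender path exclusion: $($_.Name)") }
}
# Get-MpPreference is unavailable on Windows 7, hence the registry read above.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    (Get-MpPreference).ExclusionPath | Where-Object { $_ -like $TempGlob } |
        ForEach-Object { $Findings.Add("Live Defender ExclusionPath: $_") }
}

# 4. RunOnce autostart. The sample registered value 'Qwe' pointing at its own Temp path.
foreach ($Root in $Roots) {
    Get-RegValues "$Root\Microsoft\Windows\CurrentVersion\RunOnce" | Where-Object {
        $_.Data -like $TempGlob
    } | ForEach-Object { $Findings.Add("RunOnce\$($_.Name) -> $($_.Data)") }
}

# 5. Scheduled task. The report shows schtasks /create /tn GoogleUpdateTaskMachineUK /sc MINUTE /mo 1
#    /tr <sample> /rl HIGHEST, i.e. re-execution every minute at the highest run level.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $Exec = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        if ($_.TaskName -eq $TaskName -or $Exec -like $TempGlob) {
            $Findings.Add("Scheduled task '$($_.TaskName)' RunLevel=$($_.Principal.RunLevel): $Exec")
        }
    }
} else {
    # Windows 7 fallback: verbose LIST output of schtasks.exe; 'Task To Run' carries the command line.
    $Lines = & schtasks.exe /query /fo LIST /v 2>$null
    $Lines | Select-String -Pattern '^Task To Run:' | Where-Object { $_.Line -like $TempGlob } |
        ForEach-Object { $Findings.Add("Scheduled task executes from Temp: $($_.Line)") }
}

if ($Findings.Count -eq 0) { 'No artifacts from this report were found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

The script only reads; remediation (deleting the Debugger values, removing the exclusion and the task, restoring EnableLUA) is deliberately left to the responder, because the IFEO hijack on cmd.exe, reg.exe and regedit.exe means that on an infected host the usual cleanup tools are themselves redirected to the sample until those values are removed through another path, for example from an offline boot or via PowerShell's registry provider as above.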
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Scheduled Task/Job (1)
Downloads
memory/600-251-0x0000000000400000-0x0000000000593000-memory.dmp     Filesize 1.6MB
memory/1936-5-0x000000001B740000-0x000000001BA22000-memory.dmp      Filesize 2.9MB
memory/1936-6-0x0000000002410000-0x0000000002418000-memory.dmp      Filesize 32KB
memory/2464-17-0x0000000000400000-0x0000000000593000-memory.dmp     Filesize 1.6MB
memory/2764-124-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-49-0x0000000000400000-0x0000000000593000-memory.dmp     Filesize 1.6MB
memory/2924-154-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-69-0x0000000000400000-0x0000000000593000-memory.dmp     Filesize 1.6MB
memory/2924-94-0x0000000000400000-0x0000000000593000-memory.dmp     Filesize 1.6MB
memory/2924-113-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-0-0x00000000001C0000-0x00000000001C1000-memory.dmp      Filesize 4KB
memory/2924-133-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-54-0x00000000001C0000-0x00000000001C1000-memory.dmp     Filesize 4KB
memory/2924-177-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-196-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-217-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-236-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-30-0x0000000000400000-0x0000000000593000-memory.dmp     Filesize 1.6MB
memory/2924-260-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-281-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB
memory/2924-300-0x0000000000400000-0x0000000000593000-memory.dmp    Filesize 1.6MB