4ba6d134d0b56c39622ff5978f1582d1707d809090b46020c1a3ad489a102282

General

Target

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
Size

6.4MB
MD5

19e407b6fe29797017c45ab33c80de0b
SHA1

668a39cf3db3aa8fdb5d95481506de888c0ebbde
SHA256

4ba6d134d0b56c39622ff5978f1582d1707d809090b46020c1a3ad489a102282
SHA512

be6bf3f757e8dcd92a30d325221c9f15f467637f735c3842a22b8de302b31bcbae4524fe07ce9aa4a34883926c2fc77c659b619f11c95bfdd28a07b91cbebbf1
SSDEEP

196608:GLnrxUCGSTOuajel1vEEBhyc7EYrTouj0k:GRaiD84ycxLj0k

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exeSynaptics.exe._cache_Synaptics.exe

pid process

2180 ._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
2028 Synaptics.exe
2752 ._cache_Synaptics.exe

pid	process
2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
2028	Synaptics.exe
2752	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

Processes:

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exeSynaptics.exeMsiExec.exe

pid	process
2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
2028	Synaptics.exe
2028	Synaptics.exe
1480	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeMSIEXEC.EXE

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSIEXEC.EXE

pid process

2724 MSIEXEC.EXE

pid	process
2724	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MSIEXEC.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2724	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2724	MSIEXEC.EXE
Token: SeRestorePrivilege	2836	msiexec.exe
Token: SeTakeOwnershipPrivilege	2836	msiexec.exe
Token: SeSecurityPrivilege	2836	msiexec.exe
Token: SeCreateTokenPrivilege	2724	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2724	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2724	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2724	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2724	MSIEXEC.EXE
Token: SeTcbPrivilege	2724	MSIEXEC.EXE
Token: SeSecurityPrivilege	2724	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2724	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2724	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2724	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2724	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2724	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2724	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2724	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2724	MSIEXEC.EXE
Token: SeBackupPrivilege	2724	MSIEXEC.EXE
Token: SeRestorePrivilege	2724	MSIEXEC.EXE
Token: SeShutdownPrivilege	2724	MSIEXEC.EXE
Token: SeDebugPrivilege	2724	MSIEXEC.EXE
Token: SeAuditPrivilege	2724	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2724	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2724	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2724	MSIEXEC.EXE
Token: SeUndockPrivilege	2724	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2724	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2724	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2724	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2724	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2724	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2724	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2724	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2724	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2724	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2724	MSIEXEC.EXE
Token: SeTcbPrivilege	2724	MSIEXEC.EXE
Token: SeSecurityPrivilege	2724	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2724	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2724	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2724	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2724	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2724	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2724	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2724	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2724	MSIEXEC.EXE
Token: SeBackupPrivilege	2724	MSIEXEC.EXE
Token: SeRestorePrivilege	2724	MSIEXEC.EXE
Token: SeShutdownPrivilege	2724	MSIEXEC.EXE
Token: SeDebugPrivilege	2724	MSIEXEC.EXE
Token: SeAuditPrivilege	2724	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2724	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2724	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2724	MSIEXEC.EXE
Token: SeUndockPrivilege	2724	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2724	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2724	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2724	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2724	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2724	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2724	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MSIEXEC.EXE

pid process

2724 MSIEXEC.EXE

pid	process
2724	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exeSynaptics.exe._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exemsiexec.exe

description	pid	process	target process
PID 2244 wrote to memory of 2180	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 2244 wrote to memory of 2180	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 2244 wrote to memory of 2180	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 2244 wrote to memory of 2180	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 2244 wrote to memory of 2180	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 2244 wrote to memory of 2180	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 2244 wrote to memory of 2180	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 2244 wrote to memory of 2028	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	Synaptics.exe
PID 2244 wrote to memory of 2028	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	Synaptics.exe
PID 2244 wrote to memory of 2028	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	Synaptics.exe
PID 2244 wrote to memory of 2028	2244	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	Synaptics.exe
PID 2028 wrote to memory of 2752	2028	Synaptics.exe	._cache_Synaptics.exe
PID 2028 wrote to memory of 2752	2028	Synaptics.exe	._cache_Synaptics.exe
PID 2028 wrote to memory of 2752	2028	Synaptics.exe	._cache_Synaptics.exe
PID 2028 wrote to memory of 2752	2028	Synaptics.exe	._cache_Synaptics.exe
PID 2028 wrote to memory of 2752	2028	Synaptics.exe	._cache_Synaptics.exe
PID 2028 wrote to memory of 2752	2028	Synaptics.exe	._cache_Synaptics.exe
PID 2028 wrote to memory of 2752	2028	Synaptics.exe	._cache_Synaptics.exe
PID 2180 wrote to memory of 2724	2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 2180 wrote to memory of 2724	2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 2180 wrote to memory of 2724	2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 2180 wrote to memory of 2724	2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 2180 wrote to memory of 2724	2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 2180 wrote to memory of 2724	2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 2180 wrote to memory of 2724	2180	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 2836 wrote to memory of 1480	2836	msiexec.exe	MsiExec.exe
PID 2836 wrote to memory of 1480	2836	msiexec.exe	MsiExec.exe
PID 2836 wrote to memory of 1480	2836	msiexec.exe	MsiExec.exe
PID 2836 wrote to memory of 1480	2836	msiexec.exe	MsiExec.exe
PID 2836 wrote to memory of 1480	2836	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{CFF97961-C54F-447F-883F-5E97A6BFF9E7}\DIAS Installer Module.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe"
3⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2724

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
PID:2752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 9652BA43F327858127F138200F17F8D9 C
2⤵
- Loads dropped DLL
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.4MB

MD5
19e407b6fe29797017c45ab33c80de0b

SHA1
668a39cf3db3aa8fdb5d95481506de888c0ebbde

SHA256
4ba6d134d0b56c39622ff5978f1582d1707d809090b46020c1a3ad489a102282

SHA512
be6bf3f757e8dcd92a30d325221c9f15f467637f735c3842a22b8de302b31bcbae4524fe07ce9aa4a34883926c2fc77c659b619f11c95bfdd28a07b91cbebbf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI122A.tmp

Filesize
210KB

MD5
d0e93d8f24c62d3d419ff831d2141f60

SHA1
6115cab23ff1423d6920a75a19b76434d3f1ab0b

SHA256
61e63c049d6dd933703b53603cbc4437583483aa586c802c91f57cbc4453f5ac

SHA512
9300e22640406d83e6864d89d17c0e7944898e16add6faa77ec7ce8803fcee3e9859599440cd77c7010d143ca1bb6eb29d194c05f751d7e1c3632bbb7e2673bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{68622E8E-B1EC-43C8-AA01-8EEE5B23A6DA}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CFF97961-C54F-447F-883F-5E97A6BFF9E7}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CFF97961-C54F-447F-883F-5E97A6BFF9E7}\DIAS Installer Module.msi

Filesize
2.4MB

MD5
6d79149cc3f1f111d9c7b669d19251aa

SHA1
fa78d2799a7de687951edd3b5ac8e1995f3b0929

SHA256
3e6a00678821ecda14e7f791c27daf27b89007493cabba9264cda50487bc34df

SHA512
1fc5c71aca969f6599f9461d679cc11108444f107d18bbc3942ede356632230574d14ea86f62ff98e300f3023382027ed22bd8d27507e6361c12b38c357b1d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~FD81.tmp

Filesize
5KB

MD5
5ebba1745981b75348ab33ef1fd77ee5

SHA1
f457a3da8349c112509fca2b16e988679fad66ec

SHA256
ed28f5e3ccd6e3f06705f8b74e639ed79a1d14275405d4222faf028cd140af5e

SHA512
6ab41dce132159edfef0013059e9347e1d64946615ac82f0a760b1935396a13dcfae557ef3c65033ee22fb00bc3e79c73758fa7a74e9b668a1c366ac6721e7b9

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe

Filesize
5.7MB

MD5
953078f0242c7028b50c96a62989e331

SHA1
6f5805dc5eb0c35c8d34f05862c5f01ed21f68e1

SHA256
484595fbbdb007fbb2bd16e609ba1c1371fd9749c1c8bb6b40a7f257fdb67c3d

SHA512
9cdb2cd87b7505f6482cd0c47e886864300392634f45f310342af32a042f79412c31560e4f9fca469bc5e7ec0b4c99ca682833df85fd9d1bded2c90164f44bf3

Download Submit
memory/2028-91-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download
memory/2028-157-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download
memory/2028-162-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download
memory/2244-55-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download
memory/2244-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads