4ba6d134d0b56c39622ff5978f1582d1707d809090b46020c1a3ad489a102282

General

Target

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
Size

6.4MB
MD5

19e407b6fe29797017c45ab33c80de0b
SHA1

668a39cf3db3aa8fdb5d95481506de888c0ebbde
SHA256

4ba6d134d0b56c39622ff5978f1582d1707d809090b46020c1a3ad489a102282
SHA512

be6bf3f757e8dcd92a30d325221c9f15f467637f735c3842a22b8de302b31bcbae4524fe07ce9aa4a34883926c2fc77c659b619f11c95bfdd28a07b91cbebbf1
SSDEEP

196608:GLnrxUCGSTOuajel1vEEBhyc7EYrTouj0k:GRaiD84ycxLj0k

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exeSynaptics.exe._cache_Synaptics.exe

pid process

4248 ._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
2848 Synaptics.exe
4824 ._cache_Synaptics.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

3084 MsiExec.exe

pid	process
4248	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
2848	Synaptics.exe
4824	._cache_Synaptics.exe

pid	process
3084	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeMSIEXEC.EXE

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MSIEXEC.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	464	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	464	MSIEXEC.EXE
Token: SeSecurityPrivilege	4964	msiexec.exe
Token: SeCreateTokenPrivilege	464	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	464	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	464	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	464	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	464	MSIEXEC.EXE
Token: SeTcbPrivilege	464	MSIEXEC.EXE
Token: SeSecurityPrivilege	464	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	464	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	464	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	464	MSIEXEC.EXE
Token: SeSystemtimePrivilege	464	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	464	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	464	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	464	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	464	MSIEXEC.EXE
Token: SeBackupPrivilege	464	MSIEXEC.EXE
Token: SeRestorePrivilege	464	MSIEXEC.EXE
Token: SeShutdownPrivilege	464	MSIEXEC.EXE
Token: SeDebugPrivilege	464	MSIEXEC.EXE
Token: SeAuditPrivilege	464	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	464	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	464	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	464	MSIEXEC.EXE
Token: SeUndockPrivilege	464	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	464	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	464	MSIEXEC.EXE
Token: SeManageVolumePrivilege	464	MSIEXEC.EXE
Token: SeImpersonatePrivilege	464	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	464	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	464	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	464	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	464	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	464	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	464	MSIEXEC.EXE
Token: SeTcbPrivilege	464	MSIEXEC.EXE
Token: SeSecurityPrivilege	464	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	464	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	464	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	464	MSIEXEC.EXE
Token: SeSystemtimePrivilege	464	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	464	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	464	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	464	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	464	MSIEXEC.EXE
Token: SeBackupPrivilege	464	MSIEXEC.EXE
Token: SeRestorePrivilege	464	MSIEXEC.EXE
Token: SeShutdownPrivilege	464	MSIEXEC.EXE
Token: SeDebugPrivilege	464	MSIEXEC.EXE
Token: SeAuditPrivilege	464	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	464	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	464	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	464	MSIEXEC.EXE
Token: SeUndockPrivilege	464	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	464	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	464	MSIEXEC.EXE
Token: SeManageVolumePrivilege	464	MSIEXEC.EXE
Token: SeImpersonatePrivilege	464	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	464	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	464	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	464	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	464	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MSIEXEC.EXE

pid process

464 MSIEXEC.EXE

pid	process
464	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exeSynaptics.exe._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exemsiexec.exe

description	pid	process	target process
PID 1220 wrote to memory of 4248	1220	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 1220 wrote to memory of 4248	1220	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 1220 wrote to memory of 4248	1220	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
PID 1220 wrote to memory of 2848	1220	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	Synaptics.exe
PID 1220 wrote to memory of 2848	1220	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	Synaptics.exe
PID 1220 wrote to memory of 2848	1220	2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	Synaptics.exe
PID 2848 wrote to memory of 4824	2848	Synaptics.exe	._cache_Synaptics.exe
PID 2848 wrote to memory of 4824	2848	Synaptics.exe	._cache_Synaptics.exe
PID 2848 wrote to memory of 4824	2848	Synaptics.exe	._cache_Synaptics.exe
PID 4248 wrote to memory of 464	4248	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 4248 wrote to memory of 464	4248	._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe	MSIEXEC.EXE
PID 4964 wrote to memory of 3084	4964	msiexec.exe	MsiExec.exe
PID 4964 wrote to memory of 3084	4964	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{07931542-8919-4B90-BAC7-F682E1EF3EE9}\DIAS Installer Module.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:464

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding DC3666F58EF8472069E85B5F9957A581 C
2⤵
- Loads dropped DLL
PID:3084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
6.4MB

MD5
19e407b6fe29797017c45ab33c80de0b

SHA1
668a39cf3db3aa8fdb5d95481506de888c0ebbde

SHA256
4ba6d134d0b56c39622ff5978f1582d1707d809090b46020c1a3ad489a102282

SHA512
be6bf3f757e8dcd92a30d325221c9f15f467637f735c3842a22b8de302b31bcbae4524fe07ce9aa4a34883926c2fc77c659b619f11c95bfdd28a07b91cbebbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-05-23_19e407b6fe29797017c45ab33c80de0b_darkgate_magniber.exe
Filesize
5.7MB

MD5
953078f0242c7028b50c96a62989e331

SHA1
6f5805dc5eb0c35c8d34f05862c5f01ed21f68e1

SHA256
484595fbbdb007fbb2bd16e609ba1c1371fd9749c1c8bb6b40a7f257fdb67c3d

SHA512
9cdb2cd87b7505f6482cd0c47e886864300392634f45f310342af32a042f79412c31560e4f9fca469bc5e7ec0b4c99ca682833df85fd9d1bded2c90164f44bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI783D.tmp
Filesize
210KB

MD5
d0e93d8f24c62d3d419ff831d2141f60

SHA1
6115cab23ff1423d6920a75a19b76434d3f1ab0b

SHA256
61e63c049d6dd933703b53603cbc4437583483aa586c802c91f57cbc4453f5ac

SHA512
9300e22640406d83e6864d89d17c0e7944898e16add6faa77ec7ce8803fcee3e9859599440cd77c7010d143ca1bb6eb29d194c05f751d7e1c3632bbb7e2673bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{07931542-8919-4B90-BAC7-F682E1EF3EE9}\0x0409.ini
Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{07931542-8919-4B90-BAC7-F682E1EF3EE9}\DIAS Installer Module.msi
Filesize
2.4MB

MD5
6d79149cc3f1f111d9c7b669d19251aa

SHA1
fa78d2799a7de687951edd3b5ac8e1995f3b0929

SHA256
3e6a00678821ecda14e7f791c27daf27b89007493cabba9264cda50487bc34df

SHA512
1fc5c71aca969f6599f9461d679cc11108444f107d18bbc3942ede356632230574d14ea86f62ff98e300f3023382027ed22bd8d27507e6361c12b38c357b1d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B73B5E3D-2B2D-4CB5-A0A5-EF431F7C3B9B}\_ISMSIDEL.INI
Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~60FC.tmp
Filesize
5KB

MD5
5ebba1745981b75348ab33ef1fd77ee5

SHA1
f457a3da8349c112509fca2b16e988679fad66ec

SHA256
ed28f5e3ccd6e3f06705f8b74e639ed79a1d14275405d4222faf028cd140af5e

SHA512
6ab41dce132159edfef0013059e9347e1d64946615ac82f0a760b1935396a13dcfae557ef3c65033ee22fb00bc3e79c73758fa7a74e9b668a1c366ac6721e7b9

Download Submit
memory/1220-0-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1220-123-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download
memory/2848-216-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download
memory/2848-239-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download
memory/2848-259-0x0000000000400000-0x0000000000A6F000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads