Analysis
- max time kernel: 55s
- max time network: 66s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 26-05-2024 23:49
Behavioral task
behavioral1
Sample
DarkLoader.exe
Resource
win11-20240508-en
Errors
General
- Target: DarkLoader.exe
- Size: 53KB
- MD5: 464f4201b6e847f3685e83503c8934af
- SHA1: 7ce3d09cb4387a831c3073b251a70eb0771f1f17
- SHA256: 37b738b858489999cad233e5527d50833cd7bd16b184eacc347670b98c76feff
- SHA512: d0681734e235b08d8d70b79cd1cac1da22196450f0e69f74749633542c559ee9f6ff85908202bd9a05ced0e1e62790a9fcb7e24802d288a58ceab39f2ed4a91f
- SSDEEP: 768:5S7TZ38fvCv3E1cQrM+rMRa8Nu/itiHT:5uTZsHCv3Ear+gRJNU5
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe (PID 1832)
-
Executes dropped EXE 1 IoCs
Processes: tmpF55C.tmp.exe (PID 652)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: DarkLoader.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\adf4d2e3ce93b6a85f5bba50f2082510 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DarkLoader.exe\" .." (DarkLoader.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adf4d2e3ce93b6a85f5bba50f2082510 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DarkLoader.exe\" .." (DarkLoader.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: DarkLoader.exe
- File created C:\autorun.inf
- File opened for modification C:\autorun.inf
- File created D:\autorun.inf
- File created F:\autorun.inf
- File opened for modification F:\autorun.inf
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: DarkLoader.exe (PID 1568), 64 events
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: DarkLoader.exe (PID 1568)
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: DarkLoader.exe (PID 1568), AUDIODG.EXE (PID 3764)
- Token: SeDebugPrivilege, PID 1568 DarkLoader.exe
- Token: 33, PID 1568 DarkLoader.exe
- Token: SeIncBasePriorityPrivilege, PID 1568 DarkLoader.exe
- Token: 33, PID 1568 DarkLoader.exe
- Token: SeIncBasePriorityPrivilege, PID 1568 DarkLoader.exe
- Token: 33, PID 1568 DarkLoader.exe
- Token: SeIncBasePriorityPrivilege, PID 1568 DarkLoader.exe
- Token: 33, PID 3764 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, PID 3764 AUDIODG.EXE
- Token: 33, PID 1568 DarkLoader.exe
- Token: SeIncBasePriorityPrivilege, PID 1568 DarkLoader.exe
- Token: 33, PID 1568 DarkLoader.exe
- Token: SeIncBasePriorityPrivilege, PID 1568 DarkLoader.exe
- Token: 33, PID 1568 DarkLoader.exe
- Token: SeIncBasePriorityPrivilege, PID 1568 DarkLoader.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: DarkLoader.exe
- PID 1568 (DarkLoader.exe) wrote to memory of PID 1832 (netsh.exe), 3 events
- PID 1568 (DarkLoader.exe) wrote to memory of PID 652 (tmpF55C.tmp.exe), 2 events
Processes
- C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe (PID 1568), level 1
  Command line: "C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe"
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (PID 1832), level 2, child of PID 1568
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe" "DarkLoader.exe" ENABLE
    - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\tmpF55C.tmp.exe (PID 652), level 2, child of PID 1568
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF55C.tmp.exe"
    - Executes dropped EXE
- C:\Windows\system32\AUDIODG.EXE (PID 3764), level 1
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C0
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 2.5MB
- MD5: 5a9d19e4d434d2dbf8a87f2edcdef5f8
- SHA1: df61cc0e7ec9afa82ea7de4b790336a623c555fa
- SHA256: 129ae20f2268060bde769a5c9d5530767b071402e153dff5268dd1ad349a310c
- SHA512: cb377dc737e12b5655bfc47bacf75c2b406d28ec6e976f9857fa3cf2bf4c49ff7d96e8bc3b41b1e1d4b0d06891bd608bf4b2f6669c4e2c4a2bc4a8f2ea56c6ad