Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 26-05-2024 14:28
Behavioral task: behavioral1
- Sample: DarkLoader.exe
- Resource: win11-20240508-en
General
- Target: DarkLoader.exe
- Size: 57KB
- MD5: 8fe7d92ca519d2c0b34104c6099c2a71
- SHA1: 4563da22bd956c6ff2166099426061d558cb9931
- SHA256: 00850425582a22c868e727fbb72c188db08232313902f13b59473f7d46dc722a
- SHA512: dd9e9a3ccad25eebcb7beacf94ca00cd1c68361b7573975f0c0295b5f5ff6cf6db03f0829df923a72b350e0af8013d400956aec145da8d1b50f4951f1fc4a488
- SSDEEP: 768:/r8rcj5gyBiT9t/TJ8q9WKFG95F764Ouh86LRHTn:G5uq/FG95R64Ou6Cn
Malware Config
Extracted:
- xworm
- 5.tcp.eu.ngrok.io:19444
- wiz.bounceme.net:6000
- dmGEi4sCsdEP5Ik6
- Install_directory: %ProgramData%
- install_file: USB.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/1340-1-0x0000000000960000-0x0000000000974000-memory.dmp: family_xworm
  - behavioral1/memory/1340-47-0x000000001C3A0000-0x000000001C3AE000-memory.dmp: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process):
  - 1696 powershell.exe
  - 3220 powershell.exe
  - 2436 powershell.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkLoader.lnk (DarkLoader.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkLoader.lnk (DarkLoader.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkLoader = "C:\\ProgramData\\DarkLoader.exe" (DarkLoader.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Drops file in Windows directory (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagwrn.xml (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\setupact.log (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\setuperr.log (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagerr.xml (UserOOBEBroker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
  - 1696 powershell.exe
  - 1696 powershell.exe
  - 3220 powershell.exe
  - 3220 powershell.exe
  - 2436 powershell.exe
  - 2436 powershell.exe
  - 1340 DarkLoader.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1340 DarkLoader.exe
  - Token: SeDebugPrivilege, 1696 powershell.exe
  - Token: SeDebugPrivilege, 3220 powershell.exe
  - Token: SeDebugPrivilege, 2436 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 1340 DarkLoader.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 1340 wrote to memory of 1696: 1340 DarkLoader.exe -> powershell.exe
  - PID 1340 wrote to memory of 1696: 1340 DarkLoader.exe -> powershell.exe
  - PID 1340 wrote to memory of 3220: 1340 DarkLoader.exe -> powershell.exe
  - PID 1340 wrote to memory of 3220: 1340 DarkLoader.exe -> powershell.exe
  - PID 1340 wrote to memory of 2436: 1340 DarkLoader.exe -> powershell.exe
  - PID 1340 wrote to memory of 2436: 1340 DarkLoader.exe -> powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe (PID 1340)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe"
  Signatures:
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1696)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3220)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DarkLoader.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2436)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\DarkLoader.exe'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 4720)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 4828)
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  Signatures:
  - Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (PID 4396)
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads