0bb9def35e96ceaab2f5c480f67526c0d5efd8cd4ba0f7fbb0df374ac7e95d99

General

Target

2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
Size

15.1MB
MD5

a928b42d86202e99058a1d2eec897451
SHA1

e15e42c173ffd18108bb7e55c151b58c4c28f9af
SHA256

0bb9def35e96ceaab2f5c480f67526c0d5efd8cd4ba0f7fbb0df374ac7e95d99
SHA512

d342a177b11c8e0af404e770bbee56ef0b491325831765407fb2c67527fcfdcdba06609f71bc0681cab939d558a5085d69e122690bed81c6d1fe35b3721eaf4c
SSDEEP

196608:GLJ80/s7A4zlBc5D18zZP2iIE80qLrHFLOyomFHKnPArxf5cBudLps7FLOyomFHE:Gq0k7AhD18BwE8zHFzxfKsNps7FoLL5

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe

Executes dropped EXE 4 IoCs

pid	Process
4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
4164	Synaptics.exe
4636	._cache_Synaptics.exe
4704	LenovoSfcRepair.exe

Loads dropped DLL 7 IoCs

pid	Process
4704	LenovoSfcRepair.exe
4704	LenovoSfcRepair.exe
4704	LenovoSfcRepair.exe
4704	LenovoSfcRepair.exe
4704	LenovoSfcRepair.exe
4704	LenovoSfcRepair.exe
4704	LenovoSfcRepair.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
4636	._cache_Synaptics.exe
4636	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
4636	._cache_Synaptics.exe
4636	._cache_Synaptics.exe
4704	LenovoSfcRepair.exe
4704	LenovoSfcRepair.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4844	2320	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	85
PID 2320 wrote to memory of 4844	2320	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	85
PID 2320 wrote to memory of 4844	2320	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	85
PID 2320 wrote to memory of 4164	2320	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	86
PID 2320 wrote to memory of 4164	2320	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	86
PID 2320 wrote to memory of 4164	2320	2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	86
PID 4164 wrote to memory of 4636	4164	Synaptics.exe	87
PID 4164 wrote to memory of 4636	4164	Synaptics.exe	87
PID 4164 wrote to memory of 4636	4164	Synaptics.exe	87
PID 4844 wrote to memory of 4704	4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	88
PID 4844 wrote to memory of 4704	4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	88
PID 4844 wrote to memory of 4704	4844	._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\LenovoSfcRepair.exe
    "C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\LenovoSfcRepair.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4704
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\LenovoFeedbackInformation.dll

Filesize
1.5MB

MD5
f827eb21db930c1dffc5446bbd90641f

SHA1
b05b9bf04f78374681f02277751d5dbd7756da65

SHA256
f8a21f9098ac485e2b014d05a9d85bf080b44c946e918cc285ed358409e4a527

SHA512
42cd674abcafe0fecd22b6b7f9fd60ed9c3a189715742be8dcdf9e04bc07a0f6e764945352a09627af70a901fd636e73a5b3cb6e689f3fcb8e4bb7eb1444ac57

Download Submit
C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\LenovoSfcRepair.dll

Filesize
33KB

MD5
cb15bbd4cc743f803bb133bc51d53757

SHA1
2872286db08a2bed0805471fb1d6b570f457f486

SHA256
6c58c7718f09d0dd7d585c60cfd6d91935cc9cfdffb05f2c98b308b84aa5e921

SHA512
f2ff9fa45e58449ecf462c325f8c6fe28ff3eb65f15f6e421dcf29ccdeaf6a2b64bfe80e3d206870fba61214bc72beab0b02039ddfe3a2433ad86c119888c4fb

Download Submit
C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\LenovoSfcRepair.exe

Filesize
1.4MB

MD5
b08673fc93518027199a5b7ccff2a222

SHA1
7c9e03a1eaaa35057f00386b6c31c2035cdbb916

SHA256
50cd1b4b05b4908298e7111c25a8c902eff2f64fe8ed8655269b0af89f917bf3

SHA512
55989b895125db8a68dab1bca35230dae66ce7c1e9c846e978ad4fee50382423aff7b9bc827c6ed69e0182a9b465ab94ddd0e7bac5c855b453cfe9225d4486e7

Download Submit
C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\MSVCR100.dll

Filesize
760KB

MD5
bfa401e3618a7bf14ea2f6199edfe113

SHA1
43acebc12e035dbf4290b3139baa8a1aed3fac47

SHA256
e083d9d267256d0c31741fd3494138fb80296561fe20e51b91d8898277754ccd

SHA512
9c85b45d215eafad1e238751814d573c98368111523e0f9608da93b72a170c183e5b8fde92268853b3e9562f3a92bf92323f4b7e99ff00afc426cfaf432571f4

Download Submit
C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\mfc100u.dll

Filesize
4.2MB

MD5
de6eff382af93fd09b54cea3a5e4e1f0

SHA1
fd8d5ba9387c19223761aae5543f456095f7f75b

SHA256
86bbfd859d3db03686d080c6f220ca238b3774c3bfcd27bfcdd14421779edc13

SHA512
6e9887d531d06ee8edf23955ebb2aaa3273d171001a2264a958bc9aea66ef659af9e6112382b81f859b1953153af5800379f072228195444812222af0f1a68a0

Download Submit
C:\LenovoQuickFix\QuickFix\LenovoSfcRepair\msvcp100.dll

Filesize
419KB

MD5
e28d4fba1dce207f9a8c9216b5104ec4

SHA1
513d5a2426cf31cc8f9a4d1be3a9021be0d18ede

SHA256
da1100a8cbd154d4302c73e334c7a5e9810ec1f70d8ddee33d10cf91ec09a261

SHA512
796390b0422d75d7168c0a718a0db926797cac2297b929abf62bc594b94d6e9034ee71b6784b848a521b1ff3145f8a1ba4db1a32c8ae41f3736b529942fae828

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
15.1MB

MD5
a928b42d86202e99058a1d2eec897451

SHA1
e15e42c173ffd18108bb7e55c151b58c4c28f9af

SHA256
0bb9def35e96ceaab2f5c480f67526c0d5efd8cd4ba0f7fbb0df374ac7e95d99

SHA512
d342a177b11c8e0af404e770bbee56ef0b491325831765407fb2c67527fcfdcdba06609f71bc0681cab939d558a5085d69e122690bed81c6d1fe35b3721eaf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-05_a928b42d86202e99058a1d2eec897451_darkgate_magniber.exe

Filesize
14.4MB

MD5
55505bc96aada5617269917a7d471eed

SHA1
b6d2bbb99824f5cdf7abf3e06c8224cda299d42a

SHA256
a883c34f3a26284aecd0357df9aef18268537ce6a4c77f8918ee812902d3a451

SHA512
ee9b734fb7a999f9880a7606b11c4294c3bd1b1161ca152fcb0cbc74f7f503b9793f291ae92d72875363ea87538cd308e265bdc78bd7df7065ab7b36702174c2

Download Submit
memory/2320-128-0x0000000000400000-0x0000000001328000-memory.dmp

Filesize
15.2MB

Download
memory/2320-0-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4164-219-0x0000000000400000-0x0000000001328000-memory.dmp

Filesize
15.2MB

Download
memory/4164-234-0x0000000000400000-0x0000000001328000-memory.dmp

Filesize
15.2MB

Download
memory/4164-244-0x0000000000400000-0x0000000001328000-memory.dmp

Filesize
15.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads