Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 18:44
Static task
static1
Behavioral task
behavioral1
Sample
1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe
Resource
win10v2004-20240508-en
General
-
Target
1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe
-
Size
5.5MB
-
MD5
4af2e6a8be2b1862e2e1fb834da6a927
-
SHA1
cb01022fa8b4884e17cfc26b2320d166058c5e99
-
SHA256
1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b
-
SHA512
b174b4fb021930b2515236876e1145dd585c7a40949cd6647c0cb88e6efd20382926d6bbae686f5b0b94610c4b47e40293f4452d408ee34403a8093ffecc81ce
-
SSDEEP
24576:RFVmFF1UBOW6UWaPXiWdLSvwboQyzcQWQatx50PcL+J0qTIPwPyUCZv9F8JissLs:7Dxww8uX2FjHCdl+hnCqimL47JAl
Malware Config
Extracted
darkgate
x6x6x7x77xx6x6x67
dr-networks.com
-
anti_analysis
true
-
anti_debug
false
-
anti_vm
true
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
swMFGADk
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
x6x6x7x77xx6x6x67
Signatures
-
Detect DarkGate stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2944-13-0x0000000003180000-0x0000000003500000-memory.dmp family_darkgate_v6 behavioral1/memory/2944-16-0x0000000003180000-0x0000000003500000-memory.dmp family_darkgate_v6 -
Executes dropped EXE 1 IoCs
Processes:
Autoit3.exepid process 2944 Autoit3.exe -
Loads dropped DLL 1 IoCs
Processes:
1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exepid process 2880 1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe -
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Autoit3.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Autoit3.exepid process 2944 Autoit3.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
WMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 2124 WMIC.exe Token: SeSecurityPrivilege 2124 WMIC.exe Token: SeTakeOwnershipPrivilege 2124 WMIC.exe Token: SeLoadDriverPrivilege 2124 WMIC.exe Token: SeSystemProfilePrivilege 2124 WMIC.exe Token: SeSystemtimePrivilege 2124 WMIC.exe Token: SeProfSingleProcessPrivilege 2124 WMIC.exe Token: SeIncBasePriorityPrivilege 2124 WMIC.exe Token: SeCreatePagefilePrivilege 2124 WMIC.exe Token: SeBackupPrivilege 2124 WMIC.exe Token: SeRestorePrivilege 2124 WMIC.exe Token: SeShutdownPrivilege 2124 WMIC.exe Token: SeDebugPrivilege 2124 WMIC.exe Token: SeSystemEnvironmentPrivilege 2124 WMIC.exe Token: SeRemoteShutdownPrivilege 2124 WMIC.exe Token: SeUndockPrivilege 2124 WMIC.exe Token: SeManageVolumePrivilege 2124 WMIC.exe Token: 33 2124 WMIC.exe Token: 34 2124 WMIC.exe Token: 35 2124 WMIC.exe Token: SeIncreaseQuotaPrivilege 2124 WMIC.exe Token: SeSecurityPrivilege 2124 WMIC.exe Token: SeTakeOwnershipPrivilege 2124 WMIC.exe Token: SeLoadDriverPrivilege 2124 WMIC.exe Token: SeSystemProfilePrivilege 2124 WMIC.exe Token: SeSystemtimePrivilege 2124 WMIC.exe Token: SeProfSingleProcessPrivilege 2124 WMIC.exe Token: SeIncBasePriorityPrivilege 2124 WMIC.exe Token: SeCreatePagefilePrivilege 2124 WMIC.exe Token: SeBackupPrivilege 2124 WMIC.exe Token: SeRestorePrivilege 2124 WMIC.exe Token: SeShutdownPrivilege 2124 WMIC.exe Token: SeDebugPrivilege 2124 WMIC.exe Token: SeSystemEnvironmentPrivilege 2124 WMIC.exe Token: SeRemoteShutdownPrivilege 2124 WMIC.exe Token: SeUndockPrivilege 2124 WMIC.exe Token: SeManageVolumePrivilege 2124 WMIC.exe Token: 33 2124 WMIC.exe Token: 34 2124 WMIC.exe Token: 35 2124 WMIC.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exeAutoit3.execmd.exedescription pid process target process PID 2880 wrote to memory of 2944 2880 1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe Autoit3.exe PID 2880 wrote to memory of 2944 2880 1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe Autoit3.exe PID 2880 wrote to memory of 2944 2880 1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe Autoit3.exe PID 2880 wrote to memory of 2944 2880 1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe Autoit3.exe PID 2944 wrote to memory of 2300 2944 Autoit3.exe cmd.exe PID 2944 wrote to memory of 2300 2944 Autoit3.exe cmd.exe PID 2944 wrote to memory of 2300 2944 Autoit3.exe cmd.exe PID 2944 wrote to memory of 2300 2944 Autoit3.exe cmd.exe PID 2300 wrote to memory of 2124 2300 cmd.exe WMIC.exe PID 2300 wrote to memory of 2124 2300 cmd.exe WMIC.exe PID 2300 wrote to memory of 2124 2300 cmd.exe WMIC.exe PID 2300 wrote to memory of 2124 2300 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe"C:\Users\Admin\AppData\Local\Temp\1d3d325b621524c2d277f8e9cd3b50869c2c29a34d1f3bba2535c82ce6eff49b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\st\Autoit3.exe"c:\st\Autoit3.exe" c:\st\script.a3x2⤵
- Executes dropped EXE
- Command and Scripting Interpreter: AutoIT
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hecbekc\eebekke3⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get domain4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54B
MD5c8bbad190eaaa9755c8dfb1573984d81
SHA117ad91294403223fde66f687450545a2bad72af5
SHA2567f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
SHA51205f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df
-
Filesize
546KB
MD5876f3c98e479b89f601605a8512aa9f8
SHA16c8018748f77d1847c35b7fd97375214a680bf33
SHA256e5ca57027dcd82215be269104d1e5fc8eaea3222a0f6bf0e8502b9d6c29ab78d
SHA512d9ce7ab883d6d61a5765f940db0992929de7fe18948a0e2148a122a779a91089aa3ed88e3dead85c619585152e30b3773f138f54059815b223b5dad9ef0255b4
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c