Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 12:37
Behavioral task: behavioral1
Sample: 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Resource: win10v2004-20241007-en
General
Target: 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Size: 4.0MB
MD5: fe812223b4ec65e09362ec90e98aeb66
SHA1: d63efd92ba34528df23c4666290ccc9b88bb4cc7
SHA256: 63cf9f5d8fcdb4bc57c17b35b34f0a1edf92d42e4c2ff621a966c7a3cf2b1270
SHA512: 13ce97105ccf6fbf8cfafdac0a9027fb60d1d68e9d09953849e7e2401f3df6ff5600b53ddcb4d88af29c0fd1cd24bb80ad6ea951fda8fa8b81c912d3e9aaa87e
SSDEEP: 98304:+nsmtk2aqqanA7Q5RmbBNW9BMhnu5Puhyi1cZ+1KWDQ:ALPBAE/mwqNu5mUit1M
Malware Config
Extracted
Family: xred
xred.mooo.com
payload_url:
Signatures
Xred family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE (3 IoCs)
Processes:
pid | Process
4600 | ._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
4508 | Synaptics.exe
2628 | ._cache_Synaptics.exe
Loads dropped DLL (8 IoCs)
Processes:
pid | Process
4600 | ._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
4600 | ._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
4600 | ._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
4600 | ._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
2628 | ._cache_Synaptics.exe
2628 | ._cache_Synaptics.exe
2628 | ._cache_Synaptics.exe
2628 | ._cache_Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Modifies registry class (2 IoCs)
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
pid | Process
1088 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
pid | Process
4600 | ._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
2628 | ._cache_Synaptics.exe
1088 | EXCEL.EXE
1088 | EXCEL.EXE
1088 | EXCEL.EXE
1088 | EXCEL.EXE
1088 | EXCEL.EXE
1088 | EXCEL.EXE
1088 | EXCEL.EXE
1088 | EXCEL.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | Process | procid_target
PID 3488 wrote to memory of 4600 | 3488 | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe | 83
PID 3488 wrote to memory of 4600 | 3488 | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe | 83
PID 3488 wrote to memory of 4600 | 3488 | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe | 83
PID 3488 wrote to memory of 4508 | 3488 | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe | 84
PID 3488 wrote to memory of 4508 | 3488 | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe | 84
PID 3488 wrote to memory of 4508 | 3488 | 2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe | 84
PID 4508 wrote to memory of 2628 | 4508 | Synaptics.exe | 85
PID 4508 wrote to memory of 2628 | 4508 | Synaptics.exe | 85
PID 4508 wrote to memory of 2628 | 4508 | Synaptics.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe"
   PID: 3488
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   1.1. C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-03_fe812223b4ec65e09362ec90e98aeb66_darkgate_magniber.exe"
        PID: 4600
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
   1.2. C:\ProgramData\Synaptics\Synaptics.exe
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        PID: 4508
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        1.2.1. C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
               PID: 2628
               - Executes dropped EXE
               - Loads dropped DLL
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
2. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
   PID: 1088
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads