Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-12-2024 10:33

General

  • Target

    SystemSync.exe

  • Size

    2.2MB

  • MD5

    3e9c3cc6b0f1e8e8724377eb82909ff8

  • SHA1

    313b0effb543efa6264e57fb5b6a2a048c57708d

  • SHA256

    71d381c6bb60a155304bfc532f53caef17de842fbeee76c66def4a47f299fa92

  • SHA512

    c87291bbb6916ed3ae4084302405b7e2a83432260502f599563644c3485010ed6977e5544468b933afee25ba8b09427f69e660c0c9085f7aa7e0b4b0bfdebd0c

  • SSDEEP

    49152:6EcPUz0VuTpPc4JrA5aR3UD9Cc/rENUwwiw4jm59J92mbd4H57+dIxEZVKzr71:N0VQP1JrA5+l+92mbOH5zKg

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

todayput.shop

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    sEhfQzVh

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3
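
The extracted config above is only useful once its flags are read as behaviour. The following is an added example, not part of this report and not DarkGate's own code, that turns the config into the host-environment gates the sample would apply and into hunt indicators. The flag semantics it assumes (check_ram aborts below minimum_ram MB, check_disk aborts below minimum_disk GB, check_xeon aborts on Xeon CPUs, anti_vm aborts under a hypervisor) come from public DarkGate write-ups, not from this page; the `host` profile is constructed input.

```python
"""Added example (not part of the sandbox report, and not DarkGate's own code):
turn the extracted config into (a) the host-environment gates the sample
would apply and (b) hunt indicators.  Assumed flag semantics: check_ram ->
abort below minimum_ram MB, check_disk -> abort below minimum_disk GB,
check_xeon -> abort on Xeon CPUs, anti_vm -> abort under a hypervisor.
These are assumptions drawn from public DarkGate write-ups, not statements
made by this report."""

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "darkgate",
    "botnet": "drk3",
    "c2": "todayput.shop",
    "c2_port": 80,
    "anti_analysis": False,
    "anti_debug": False,
    "anti_vm": False,
    "check_disk": False,
    "check_ram": False,
    "check_xeon": False,
    "internal_mutex": "sEhfQzVh",
    "minimum_disk": 100,    # assumed unit: GB
    "minimum_ram": 4096,    # assumed unit: MB
    "ping_interval": 6,
    "startup_persistence": True,
    "username": "drk3",
}


def failed_gates(config, host):
    """Names of the config gates that would stop the sample on `host`.

    `host` is a constructed profile: ram_mb, disk_gb, cpu_name, is_vm.
    A gate only fires when its check_* / anti_* flag is enabled; the
    minimum_* values are inert otherwise, which is why this sample runs
    anywhere despite minimum_ram=4096."""
    failed = []
    if config["check_ram"] and host["ram_mb"] < config["minimum_ram"]:
        failed.append("check_ram")
    if config["check_disk"] and host["disk_gb"] < config["minimum_disk"]:
        failed.append("check_disk")
    if config["check_xeon"] and "xeon" in host["cpu_name"].lower():
        failed.append("check_xeon")
    if config["anti_vm"] and host["is_vm"]:
        failed.append("anti_vm")
    return failed


def hunt_indicators(config):
    """Flatten the config into (type, value) pairs for a blocklist or hunt."""
    iocs = [
        ("domain", config["c2"]),
        ("c2_endpoint", f"{config['c2']}:{config['c2_port']}"),
        ("mutex", config["internal_mutex"]),
        ("campaign_id", config["botnet"]),
    ]
    if config["startup_persistence"]:
        # Matches the report's "Adds Run key" signature; the value name is not given on the page.
        iocs.append(("persistence", "Run key"))
    return iocs


if __name__ == "__main__":
    small_vm = {"ram_mb": 2048, "disk_gb": 40, "cpu_name": "Intel Xeon", "is_vm": True}
    print("gates failed on a small VM:", failed_gates(CONFIG, small_vm))
    for kind, value in hunt_indicators(CONFIG):
        print(f"{kind:14s} {value}")
```

With every check_* and anti_* flag false, `failed_gates` returns nothing even for a 2 GB single-core VM, which is consistent with the sample detonating fully in the sandbox; flipping the flags on the same host shows how a stricter build would bail out.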

Signatures

  • DarkGate

    DarkGate is a Delphi-based loader and remote access trojan with infostealer capabilities; in this run it is delivered through a compiled AutoIt script (script.a3x) executed by a dropped Autoit3.exe.

  • Darkgate family
  • Detect DarkGate stealer 11 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    The AutoIt interpreter is used to run a compiled script (.a3x), which carries the loader logic in place of a conventional executable.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  The two GoogleUpdateCore.exe instances are listed under sihost.exe and RuntimeBroker.exe, but the NtCreateUserProcessOtherParentProcess signature on this run indicates that at least one process was created with an explicitly chosen parent (parent PID spoofing), so their recorded parent is not necessarily the process that started them.

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2896
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:4364
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3920
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3984
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4268
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
    PID:1768
  • C:\Users\Admin\AppData\Local\Temp\SystemSync.exe
    "C:\Users\Admin\AppData\Local\Temp\SystemSync.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3596
    • \??\c:\temp\test\Autoit3.exe
      "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3944
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bafacce\hhkegkd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:912
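
The process tree above is what a detection engineer would want to encode: a dropped AutoIt interpreter running a .a3x from a writable path, cmd.exe piping a `wmic ComputerSystem get domain` query into ProgramData, and the updater core appearing under parents that would not normally start it. The following is an added example, not taken from the report, that reconstructs lineage and applies those three rules over constructed process-creation events mirroring the tree; the event schema (pid, parent_pid, image, command_line, parent_image) is a simplified stand-in for Sysmon Event ID 1, the parent of SystemSync.exe is left empty because the page does not state it, the benign GoogleUpdateCore.exe baseline event is invented for the negative case, and the assumption that GoogleUpdate.exe is the legitimate parent of GoogleUpdateCore.exe is mine.

```python
"""Added example (not from the report): process-lineage reconstruction and
detection rules for the chain in the report's process tree, run over
constructed process-creation events.  The event schema is a simplified
stand-in for Sysmon Event ID 1, not a real log export."""

import ntpath
import re

# Constructed from the report's process tree.  The parent of SystemSync.exe
# is not given on the page, so it is left empty; the last event is an
# invented benign baseline for the negative case.
EVENTS = [
    {"pid": 3596, "parent_pid": None, "parent_image": "",
     "image": r"C:\Users\Admin\AppData\Local\Temp\SystemSync.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\SystemSync.exe"'},
    {"pid": 3944, "parent_pid": 3596, "parent_image": r"C:\Users\Admin\AppData\Local\Temp\SystemSync.exe",
     "image": r"c:\temp\test\Autoit3.exe",
     "command_line": r'"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x'},
    {"pid": 2388, "parent_pid": 3944, "parent_image": r"c:\temp\test\Autoit3.exe",
     "image": r"c:\windows\SysWOW64\cmd.exe",
     "command_line": r'"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bafacce\hhkegkd'},
    {"pid": 912, "parent_pid": 2388, "parent_image": r"c:\windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "command_line": "wmic ComputerSystem get domain"},
    {"pid": 4364, "parent_pid": 2896, "parent_image": r"C:\Windows\system32\sihost.exe",
     "image": r"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe",
     "command_line": r'"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"'},
    {"pid": 4268, "parent_pid": 3984, "parent_image": r"C:\Windows\System32\RuntimeBroker.exe",
     "image": r"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe",
     "command_line": r'"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"'},
    # Invented benign baseline: updater core started by its own updater.
    {"pid": 5000, "parent_pid": 4999, "parent_image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "image": r"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe",
     "command_line": r'"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"'},
]

AUTOIT_SCRIPT_RE = re.compile(r"\.a3x\b", re.I)
# wmic domain query with its output redirected into ProgramData, as in the report.
WMIC_DOMAIN_RE = re.compile(r"wmic\s+computersystem\s+get\s+domain\s*>\s*c:\\programdata\\", re.I)
# Assumption (mine): the legitimate updater core is normally started by GoogleUpdate.exe.
EXPECTED_UPDATER_PARENTS = {"googleupdate.exe"}


def base(path):
    """Lower-cased file name of a Windows path ('' for an unknown parent)."""
    return ntpath.basename(path).lower()


def lineage(events, pid):
    """Walk parent_pid links and return image basenames from `pid` up to the root."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(base(by_pid[pid]["image"]))
        pid = by_pid[pid]["parent_pid"]
    return chain


def detect(events):
    """Return (rule, pid) hits in event order."""
    hits = []
    for ev in events:
        img, parent, cmd = base(ev["image"]), base(ev["parent_image"]), ev["command_line"]
        if img == "autoit3.exe" and AUTOIT_SCRIPT_RE.search(cmd) and "\\program files" not in ev["image"].lower():
            hits.append(("autoit_interpreter_outside_program_files", ev["pid"]))
        if img == "cmd.exe" and WMIC_DOMAIN_RE.search(cmd):
            hits.append(("wmic_domain_recon_to_programdata", ev["pid"]))
        if img == "googleupdatecore.exe" and parent not in EXPECTED_UPDATER_PARENTS:
            hits.append(("updater_core_unexpected_parent", ev["pid"]))
    return hits


if __name__ == "__main__":
    print("lineage of WMIC.exe:", " <- ".join(lineage(EVENTS, 912)))
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The parent rule is the weak one: because the sample sets the parent explicitly at creation time, the `parent_image` in a Sysmon event is the spoofed parent, not the creator, so `lineage` from 4364 stops at sihost.exe rather than reaching Autoit3.exe. An EDR that records the creating process (or ETW `ProcessStart` with the caller's PID) is needed to join the two halves of the tree.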

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\bafacce\ffagche

            Filesize

            1KB

            MD5

            5e650bce138a859ec566bb0e90b4814d

            SHA1

            e5f40d4df38567cee8fef3004f3879700d1710fc

            SHA256

            4b2fba14c05e14ac2b5b743f928f7d6fec3ed38a8954e19bd3f28b8c0aa2b652

            SHA512

            a02825b7ef767d6c7bc36cf4c62cd9531c28606e91bd91c924febb556c187eeb81a7ff74ea0046dde20637961f187ef202f0cb41fc43bc48e0a7c9ec62488a86

          • C:\ProgramData\bafacce\hhkegkd

            Filesize

            54B

            MD5

            c8bbad190eaaa9755c8dfb1573984d81

            SHA1

            17ad91294403223fde66f687450545a2bad72af5

            SHA256

            7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

            SHA512

            05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

          • C:\Users\Admin\AppData\Roaming\KAKAEDd

            Filesize

            32B

            MD5

            c9fc5ee02bcb112f755ccc0c78858dbc

            SHA1

            53e10d2f225f077d4eb5144d7106842ad83522b8

            SHA256

            3254d1abee9ffdbd2fae0f6600e32f48f8c889bea29d5f98ee80f3997097c769

            SHA512

            dfc8db3ce887459c1be254a06742d93f46e976ff489e83427b5bbfe860ba4031dcb9e8a1c605eb6f2f0dd17b152ae249be5f89282c6e43602f43fee53834a1fa

          • C:\temp\cefdhcf

            Filesize

            4B

            MD5

            c3c42626394b95badaad6833cd71614b

            SHA1

            8f8040391dd4e2d8040342762b16f869ea610d20

            SHA256

            75375fd536c26bd45c703065b27b5a88feffde5e8cdb32c63d937f57f2d585f3

            SHA512

            9dffa01ee0e3c2492708ba865f7883f118d366fc05195aab54494a92b658ff5527f2ef1a39c16bd727a859fc8a3b526d2ce75946b0a50b5ee2ced07cd7335ae5

          • C:\temp\cefdhcf

            Filesize

            4B

            MD5

            1194debad9f43b55d2fa093e37be2db9

            SHA1

            db6afa3bafe2e9ef3e348dadff3d5eb489ba0506

            SHA256

            bf7d6257329b4bef4fa6232b6a57189f79e2b3c7fe780e5002e418c80ac7f14c

            SHA512

            3e7e03aef6c42d06c97175081f4b419f22462e7f528c227c121a2403190b994319aa8b095395ecc339efc0412fac0e1c91d9164ccd2648b8feb33ae6f27089e8

          • C:\temp\dhhefga

            Filesize

            4B

            MD5

            e1c505b08029cef4e52fbf7903f290c6

            SHA1

            024c0554212466341117931d92872deef3f9a2d3

            SHA256

            8a228feba0b68330f4c6fa7a8bb315bb1ab4fb60f0a88424f00d9a2089773eb2

            SHA512

            f20fffbdc543a003794a47d979579f526a8b6c4cdcd72c8adad1ac44f44a82b2c38d8604a5492d4a5fdd86c8b58ae8a1b08cf64ede9dfa52b4cd956d25eff6e8

          • C:\temp\test\Autoit3.exe

            Filesize

            872KB

            MD5

            c56b5f0201a3b3de53e561fe76912bfd

            SHA1

            2a4062e10a5de813f5688221dbeb3f3ff33eb417

            SHA256

            237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

            SHA512

            195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

          • \??\c:\temp\test\script.a3x

            Filesize

            581KB

            MD5

            2bf27a4ef77513aa86659950f589a089

            SHA1

            e5238f7403f90cc1998f312504707c86585f9da5

            SHA256

            fce2d534623887f17922412cd8b9e4313a695db76573d69dda0f2693b3a0353f

            SHA512

            3c599dc4b5b88966f4657130324d122191500e1ecf4ac912a7c7d31c3d35b2fab9e951831484b63e4d0cfcaabfc7a305e4b91c448533fc1f2e2d4f6ad30fdb9d

          • memory/3596-1-0x00000000026E0000-0x000000000285B000-memory.dmp

            Filesize

            1.5MB

          • memory/3596-5-0x00000000026E0000-0x000000000285B000-memory.dmp

            Filesize

            1.5MB

          • memory/3944-23-0x0000000003F40000-0x0000000004295000-memory.dmp

            Filesize

            3.3MB

          • memory/3944-9-0x0000000003F40000-0x0000000004295000-memory.dmp

            Filesize

            3.3MB

          • memory/3944-8-0x00000000013A0000-0x00000000017A0000-memory.dmp

            Filesize

            4.0MB

          • memory/4268-37-0x0000000002B50000-0x00000000032F2000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-22-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-26-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-33-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-32-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-34-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-35-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-36-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB

          • memory/4364-38-0x0000000002C90000-0x0000000003432000-memory.dmp

            Filesize

            7.6MB
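
The Downloads listing above is flattened one field per line, which is awkward to feed into a blocklist or a hash hunt by hand. The following is an added example, not part of the report, of a parser for that layout: it turns each bullet into a record with a byte size and length-checked hashes, and treats the memory-region entries (which carry only a size) separately from on-disk artifacts. The SAMPLE text is copied from the page for three of the entries; the record layout and the binary-unit size conversion are my own choices.

```python
"""Added example (not part of the report): a parser for the flattened
"Downloads" listing, producing records with byte sizes and validated hashes.
SAMPLE is copied from the page for three entries; the record layout is mine."""

import re

SAMPLE = r"""
• C:\ProgramData\bafacce\hhkegkd
  Filesize
  54B
  MD5
  c8bbad190eaaa9755c8dfb1573984d81
  SHA1
  17ad91294403223fde66f687450545a2bad72af5
  SHA256
  7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
  SHA512
  05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df
• C:\ProgramData\bafacce\ffagche
  Filesize
  1KB
  SHA256
  4b2fba14c05e14ac2b5b743f928f7d6fec3ed38a8954e19bd3f28b8c0aa2b652
• memory/3596-1-0x00000000026E0000-0x000000000285B000-memory.dmp
  Filesize
  1.5MB
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = set(HASH_LENGTHS) | {"Filesize"}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}   # binary units assumed
HEX_RE = re.compile(r"[0-9a-f]+")


def parse_size(text):
    """'54B' -> 54, '1.5MB' -> 1572864.  The report rounds sizes, so treat as approximate."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_artifacts(text):
    """Split the listing into records; each label line is followed by its value line."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            path = line[1:].strip()
            current = {"path": path, "kind": "memory" if path.startswith("memory/") else "file"}
            records.append(current)
            pending = None
        elif current is None:
            continue                      # stray text before the first bullet
        elif line in LABELS:
            pending = line
        elif pending == "Filesize":
            current["size_bytes"] = parse_size(line)
            pending = None
        elif pending in HASH_LENGTHS:
            # Reject anything that is not a hex digest of the expected length.
            if len(line) != HASH_LENGTHS[pending] or not HEX_RE.fullmatch(line):
                raise ValueError(f"{current['path']}: bad {pending} {line!r}")
            current[pending.lower()] = line
            pending = None
    return records


def sha256_set(records):
    """SHA-256 values of on-disk artifacts (memory dumps carry no hash)."""
    return {r["sha256"] for r in records if r["kind"] == "file" and "sha256" in r}


if __name__ == "__main__":
    for rec in parse_artifacts(SAMPLE):
        print(rec["kind"], rec["size_bytes"], rec.get("sha256", "-"), rec["path"])
```

Running it over the full listing (paste the whole block into SAMPLE) yields one record per bullet; the two `C:\temp\cefdhcf` entries stay distinct because their hashes differ, which is the report telling you the file was rewritten during the run rather than a duplicate line.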