Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2024 13:13

Static task: static1
Behavioral task: behavioral1
- Sample: autoit3.exe
- Resource: win7-20240903-en
General
- Target: autoit3.exe
- Size: 872KB
- MD5: c56b5f0201a3b3de53e561fe76912bfd
- SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
- SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- SSDEEP: 12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
Malware Config
Extracted
- Family: darkgate
- Botnet: drk3
- C2: aspava-yachting.com

Attributes
- anti_analysis: false
- anti_debug: false
- anti_vm: false
- c2_port: 80
- check_disk: false
- check_ram: false
- check_xeon: false
- crypter_au3: false
- crypter_dll: false
- crypter_raw_stub: false
- internal_mutex: kDWIiPpI
- minimum_disk: 100
- minimum_ram: 4096
- ping_interval: 6
- rootkit: false
- startup_persistence: true
- username: drk3
Signatures
- Darkgate family
- Detect DarkGate stealer (11 IoCs)
  resource | yara_rule
  - behavioral1/memory/2616-3-0x00000000030D0000-0x0000000003425000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-14-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2616-15-0x00000000030D0000-0x0000000003425000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-18-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-25-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-26-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-27-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-24-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-28-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2664-29-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
  - behavioral1/memory/2740-30-0x00000000022C0000-0x0000000002A62000-memory.dmp | family_darkgate_v6
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  description | pid | Process | procid_target
  - PID 2616 created 1100 | 2616 | autoit3.exe | 19
  - PID 2740 created 1100 | 2740 | GoogleUpdateCore.exe | 19
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\fdaccdd = "\"C:\\ProgramData\\ckfcghe\\Autoit3.exe\" C:\\ProgramData\\ckfcghe\\gbhdgbh.a3x" | GoogleUpdateCore.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\fdaccdd = "\"C:\\ProgramData\\ckfcghe\\Autoit3.exe\" C:\\ProgramData\\ckfcghe\\gbhdgbh.a3x" | GoogleUpdateCore.exe
- Command and Scripting Interpreter: AutoIT (1 TTPs, 1 IoCs)
  Uses AutoIT, possibly to run an automated script.
  pid | Process
  - 2616 | autoit3.exe
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | autoit3.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | autoit3.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | autoit3.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  - 2616 | autoit3.exe
  - 2616 | autoit3.exe
  - 2740 | GoogleUpdateCore.exe
  - 2740 | GoogleUpdateCore.exe
  - 2664 | GoogleUpdateCore.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  - 2740 | GoogleUpdateCore.exe
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  description | pid | Process
  - Token: SeIncreaseQuotaPrivilege | 2084 | WMIC.exe
  - Token: SeSecurityPrivilege | 2084 | WMIC.exe
  - Token: SeTakeOwnershipPrivilege | 2084 | WMIC.exe
  - Token: SeLoadDriverPrivilege | 2084 | WMIC.exe
  - Token: SeSystemProfilePrivilege | 2084 | WMIC.exe
  - Token: SeSystemtimePrivilege | 2084 | WMIC.exe
  - Token: SeProfSingleProcessPrivilege | 2084 | WMIC.exe
  - Token: SeIncBasePriorityPrivilege | 2084 | WMIC.exe
  - Token: SeCreatePagefilePrivilege | 2084 | WMIC.exe
  - Token: SeBackupPrivilege | 2084 | WMIC.exe
  - Token: SeRestorePrivilege | 2084 | WMIC.exe
  - Token: SeShutdownPrivilege | 2084 | WMIC.exe
  - Token: SeDebugPrivilege | 2084 | WMIC.exe
  - Token: SeSystemEnvironmentPrivilege | 2084 | WMIC.exe
  - Token: SeRemoteShutdownPrivilege | 2084 | WMIC.exe
  - Token: SeUndockPrivilege | 2084 | WMIC.exe
  - Token: SeManageVolumePrivilege | 2084 | WMIC.exe
  - Token: 33 | 2084 | WMIC.exe
  - Token: 34 | 2084 | WMIC.exe
  - Token: 35 | 2084 | WMIC.exe
  - Token: SeIncreaseQuotaPrivilege | 2084 | WMIC.exe
  - Token: SeSecurityPrivilege | 2084 | WMIC.exe
  - Token: SeTakeOwnershipPrivilege | 2084 | WMIC.exe
  - Token: SeLoadDriverPrivilege | 2084 | WMIC.exe
  - Token: SeSystemProfilePrivilege | 2084 | WMIC.exe
  - Token: SeSystemtimePrivilege | 2084 | WMIC.exe
  - Token: SeProfSingleProcessPrivilege | 2084 | WMIC.exe
  - Token: SeIncBasePriorityPrivilege | 2084 | WMIC.exe
  - Token: SeCreatePagefilePrivilege | 2084 | WMIC.exe
  - Token: SeBackupPrivilege | 2084 | WMIC.exe
  - Token: SeRestorePrivilege | 2084 | WMIC.exe
  - Token: SeShutdownPrivilege | 2084 | WMIC.exe
  - Token: SeDebugPrivilege | 2084 | WMIC.exe
  - Token: SeSystemEnvironmentPrivilege | 2084 | WMIC.exe
  - Token: SeRemoteShutdownPrivilege | 2084 | WMIC.exe
  - Token: SeUndockPrivilege | 2084 | WMIC.exe
  - Token: SeManageVolumePrivilege | 2084 | WMIC.exe
  - Token: 33 | 2084 | WMIC.exe
  - Token: 34 | 2084 | WMIC.exe
  - Token: 35 | 2084 | WMIC.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  - PID 2616 wrote to memory of 2164 | 2616 | autoit3.exe | 31
  - PID 2616 wrote to memory of 2164 | 2616 | autoit3.exe | 31
  - PID 2616 wrote to memory of 2164 | 2616 | autoit3.exe | 31
  - PID 2616 wrote to memory of 2164 | 2616 | autoit3.exe | 31
  - PID 2164 wrote to memory of 2084 | 2164 | cmd.exe | 33
  - PID 2164 wrote to memory of 2084 | 2164 | cmd.exe | 33
  - PID 2164 wrote to memory of 2084 | 2164 | cmd.exe | 33
  - PID 2164 wrote to memory of 2084 | 2164 | cmd.exe | 33
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2616 wrote to memory of 2740 | 2616 | autoit3.exe | 35
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
  - PID 2740 wrote to memory of 2664 | 2740 | GoogleUpdateCore.exe | 36
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1100
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
    PID: 2740
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
    Command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
    PID: 2664
    Signatures:
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\autoit3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\autoit3.exe script.a3x
  PID: 2616
  Signatures:
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\SysWOW64\cmd.exe
    Command line: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ckfcghe\aefeehh
    PID: 2164
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic ComputerSystem get domain
      PID: 2084
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Downloads