Analysis
-
max time kernel
103s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
10/05/2025, 11:45
Behavioral task
behavioral1
Sample
2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe
-
Size
35.5MB
-
MD5
b47edbaaafa0e9436b6fe70620b3483b
-
SHA1
ba6a106b6667cfb15a2c3a7761189b7699b5b2a8
-
SHA256
49b62df7c253628dfd90aba39cdd061c48d0b15eea86eefa4e9f7ca08a6b2afd
-
SHA512
90d802377cd4e443dfdcd4689dff77832927a8593420c6fa22a0590f24660ea498e7c8dc4796b3d89fce555d13609a5a3ab53accd6f79c6169198fff36c02522
-
SSDEEP
196608:DsgiEuV5hhv5V57+btH5KUxamErRyhdGJgaMkG8K1HBRM4kqptasktkvzAgb09n:Hk5htX5atH5imEoJhN1HG/wzAu
Malware Config
Extracted
aresloader
http://127.0.0.1:8888
http://127.0.0.1:8080
http://192.168.31.111
Signatures
-
AresLoader
AresLoader is a loader and downloader written in C++.
-
Aresloader family
-
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" certutil.exe -
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 1624 netsh.exe 2396 netsh.exe 3744 netsh.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 776 wrote to memory of 2240 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 89 PID 776 wrote to memory of 2240 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 89 PID 776 wrote to memory of 2240 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 89 PID 776 wrote to memory of 5004 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 92 PID 776 wrote to memory of 5004 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 92 PID 776 wrote to memory of 5004 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 92 PID 776 wrote to memory of 1624 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 102 PID 776 wrote to memory of 1624 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 102 PID 776 wrote to memory of 1624 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 102 PID 776 wrote to memory of 2396 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 104 PID 776 wrote to memory of 2396 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 104 PID 776 wrote to memory of 2396 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 104 PID 776 wrote to memory of 3744 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 106 PID 776 wrote to memory of 3744 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 106 PID 776 wrote to memory of 3744 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 106 PID 776 wrote to memory of 4708 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 108 PID 776 wrote to memory of 4708 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 108 PID 776 wrote to memory of 4708 776 2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\netsh.exenetsh int ipv4 set dynamicport tcp start=10000 num=550002⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2240
-
-
C:\Windows\SysWOW64\netsh.exenetsh int ipv6 set dynamicport tcp start=10000 num=550002⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5004
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=SunnyNet2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1624
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=SunnyNet dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2396
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=SunnyNetOut dir=out action=allow program=C:\Users\Admin\AppData\Local\Temp\2025-05-10_b47edbaaafa0e9436b6fe70620b3483b_darkgate_elex_icedid_poet-rat_zxxz.exe2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3744
-
-
C:\Windows\SysWOW64\certutil.execertutil -addstore root C:\Users\Admin\AppData\Local\Temp\SunnyNet.crt2⤵
- Manipulates Digital Signatures
- System Location Discovery: System Language Discovery
PID:4708
-
Network
MITRE ATT&CK Enterprise v16
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD529b54579baced4daf7153b961d02837d
SHA1534e448e54a7ad827e48c97f631008b7001d5999
SHA2569f42eb74eed9e79de2d2d9862676bcbd1043d74901813d01cb7fd5956bc4b55c
SHA512dee57bad7afdf70c0ff8fd4b8794013b9bc2a4f1e3ccdd2af6b5f9f4c4e3128e2b0c50e2a73e02c86f1bb62a7828d1e80dce69cbf36b6d41762e72f83d64f16d