Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 18:50
Behavioral task: behavioral1
Sample: 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Size: 1.4MB
MD5: e3b7f7180b4b4267673d143afd3565af
SHA1: 37f142706b7e25cea3b1cff296a370ff57eb6843
SHA256: b4abd8c9af8f4a1c2bcddd8ed5a52e31954b016f798f44844791bb1c9ad8a15f
SHA512: c5444ed51a236de4db561c620b93d69264a0b6ad3c43b119efda22d9e80cec278dc6ebf110c8c1df868938e8b0dcf1808b4f4c179b6a03cc496dcae275e8cfa5
SSDEEP: 24576:cnsJ39LyjbJkQFMhmC+6GD9UW6VXRhP26zyxd5cb6h/1MPc:cnsHyjtk2MYC5GDv6ByGK/1P
Malware Config
Extracted
xred
xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Extracted
darkcomet
guest
mori.giize.com:1604
DCMIN_MUTEX-RE8T7MY
InstallPath: DCSCMIN\IMDCSC.exe
gencode: D2eMrnnPZXw7
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Signatures
Darkcomet family
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | windowsupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | windowsupdate.exe
Xred family
Checks computer location settings (2 TTPs, 10 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | windowsupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | IMDCSC.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | ._cache_IMDCSC.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | IMDCSC.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | ._cache_IMDCSC.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | windowsupdate.exe
Executes dropped EXE (13 IoCs)
pid | Process
4696 | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
3144 | Synaptics.exe
2520 | Synaptics.exe
4556 | windowsupdate.exe
2848 | ._cache_Synaptics.exe
3652 | IMDCSC.exe
4404 | ._cache_Synaptics.exe
8 | IMDCSC.exe
1392 | ._cache_IMDCSC.exe
1760 | ._cache_IMDCSC.exe
2420 | windowsupdate.exe
3248 | IMDCSC.exe
316 | windowsupdate.exe
Loads dropped DLL (2 IoCs)
pid | Process
3144 | Synaptics.exe
3144 | Synaptics.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | windowsupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | windowsupdate.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\._cache_Synaptics.exe | Synaptics.exe
File created | C:\Windows\SysWOW64\._cache_IMDCSC.exe | IMDCSC.exe
File opened for modification | C:\Windows\SysWOW64\._cache_IMDCSC.exe | IMDCSC.exe
File created | C:\Windows\SysWOW64\._cache_Synaptics.exe | Synaptics.exe
resource | yara_rule
behavioral1/memory/4556-170-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/files/0x000700000002408e-169.dat | upx
behavioral1/memory/4556-282-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/2420-322-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/316-354-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/316-357-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/2420-381-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3248-393-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3248-398-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3248-402-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3248-425-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3248-429-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3248-434-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/3248-438-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Drops file in Windows directory (27 IoCs)
description | ioc | Process
File created | C:\Windows\__tmp_rar_sfx_access_check_240618750 | ._cache_IMDCSC.exe
File opened for modification | C:\Windows\windowsupdate.exe | ._cache_IMDCSC.exe
File opened for modification | C:\Windows\VPSTOOL.bat | ._cache_IMDCSC.exe
File opened for modification | C:\Windows\back.exe | ._cache_IMDCSC.exe
File opened for modification | C:\Windows\windowsupdate.exe | ._cache_IMDCSC.exe
File opened for modification | C:\Windows\VPSTOOL.bat | ._cache_IMDCSC.exe
File opened for modification | C:\Windows\windowsupdate.exe | ._cache_Synaptics.exe
File created | C:\Windows\back.exe | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
File opened for modification | C:\Windows\back.exe | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
File opened for modification | C:\Windows\VPSTOOL.bat | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
File opened for modification | C:\Windows\back.exe | ._cache_Synaptics.exe
File opened for modification | C:\Windows\VPSTOOL.bat | ._cache_Synaptics.exe
File created | C:\Windows\VPSTOOL.bat | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
File created | C:\Windows\._cache_IMDCSC.exe | IMDCSC.exe
File opened for modification | C:\Windows\VPSTOOL.bat | ._cache_Synaptics.exe
File created | C:\Windows\windowsupdate.exe | ._cache_Synaptics.exe
File created | C:\Windows\__tmp_rar_sfx_access_check_240618906 | ._cache_IMDCSC.exe
File created | C:\Windows\windowsupdate.exe | ._cache_Synaptics.exe
File created | C:\Windows\windowsupdate.exe | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
File opened for modification | C:\Windows\windowsupdate.exe | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
File opened for modification | C:\Windows\._cache_IMDCSC.exe | IMDCSC.exe
File created | C:\Windows\__tmp_rar_sfx_access_check_240617562 | ._cache_Synaptics.exe
File created | C:\Windows\__tmp_rar_sfx_access_check_240617859 | ._cache_Synaptics.exe
File opened for modification | C:\Windows\back.exe | ._cache_Synaptics.exe
File opened for modification | C:\Windows\back.exe | ._cache_IMDCSC.exe
File created | C:\Windows\__tmp_rar_sfx_access_check_240616609 | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
File opened for modification | C:\Windows\windowsupdate.exe | ._cache_Synaptics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_IMDCSC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_IMDCSC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | IMDCSC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | IMDCSC.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1336 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 4556 | windowsupdate.exe
Token: SeSecurityPrivilege | 4556 | windowsupdate.exe
Token: SeTakeOwnershipPrivilege | 4556 | windowsupdate.exe
Token: SeLoadDriverPrivilege | 4556 | windowsupdate.exe
Token: SeSystemProfilePrivilege | 4556 | windowsupdate.exe
Token: SeSystemtimePrivilege | 4556 | windowsupdate.exe
Token: SeProfSingleProcessPrivilege | 4556 | windowsupdate.exe
Token: SeIncBasePriorityPrivilege | 4556 | windowsupdate.exe
Token: SeCreatePagefilePrivilege | 4556 | windowsupdate.exe
Token: SeBackupPrivilege | 4556 | windowsupdate.exe
Token: SeRestorePrivilege | 4556 | windowsupdate.exe
Token: SeShutdownPrivilege | 4556 | windowsupdate.exe
Token: SeDebugPrivilege | 4556 | windowsupdate.exe
Token: SeSystemEnvironmentPrivilege | 4556 | windowsupdate.exe
Token: SeChangeNotifyPrivilege | 4556 | windowsupdate.exe
Token: SeRemoteShutdownPrivilege | 4556 | windowsupdate.exe
Token: SeUndockPrivilege | 4556 | windowsupdate.exe
Token: SeManageVolumePrivilege | 4556 | windowsupdate.exe
Token: SeImpersonatePrivilege | 4556 | windowsupdate.exe
Token: SeCreateGlobalPrivilege | 4556 | windowsupdate.exe
Token: 33 | 4556 | windowsupdate.exe
Token: 34 | 4556 | windowsupdate.exe
Token: 35 | 4556 | windowsupdate.exe
Token: 36 | 4556 | windowsupdate.exe
Token: SeIncreaseQuotaPrivilege | 2420 | windowsupdate.exe
Token: SeSecurityPrivilege | 2420 | windowsupdate.exe
Token: SeTakeOwnershipPrivilege | 2420 | windowsupdate.exe
Token: SeLoadDriverPrivilege | 2420 | windowsupdate.exe
Token: SeSystemProfilePrivilege | 2420 | windowsupdate.exe
Token: SeSystemtimePrivilege | 2420 | windowsupdate.exe
Token: SeProfSingleProcessPrivilege | 2420 | windowsupdate.exe
Token: SeIncBasePriorityPrivilege | 2420 | windowsupdate.exe
Token: SeCreatePagefilePrivilege | 2420 | windowsupdate.exe
Token: SeBackupPrivilege | 2420 | windowsupdate.exe
Token: SeRestorePrivilege | 2420 | windowsupdate.exe
Token: SeShutdownPrivilege | 2420 | windowsupdate.exe
Token: SeDebugPrivilege | 2420 | windowsupdate.exe
Token: SeSystemEnvironmentPrivilege | 2420 | windowsupdate.exe
Token: SeChangeNotifyPrivilege | 2420 | windowsupdate.exe
Token: SeRemoteShutdownPrivilege | 2420 | windowsupdate.exe
Token: SeUndockPrivilege | 2420 | windowsupdate.exe
Token: SeManageVolumePrivilege | 2420 | windowsupdate.exe
Token: SeImpersonatePrivilege | 2420 | windowsupdate.exe
Token: SeCreateGlobalPrivilege | 2420 | windowsupdate.exe
Token: 33 | 2420 | windowsupdate.exe
Token: 34 | 2420 | windowsupdate.exe
Token: 35 | 2420 | windowsupdate.exe
Token: 36 | 2420 | windowsupdate.exe
Token: SeIncreaseQuotaPrivilege | 3248 | IMDCSC.exe
Token: SeSecurityPrivilege | 3248 | IMDCSC.exe
Token: SeTakeOwnershipPrivilege | 3248 | IMDCSC.exe
Token: SeLoadDriverPrivilege | 3248 | IMDCSC.exe
Token: SeSystemProfilePrivilege | 3248 | IMDCSC.exe
Token: SeSystemtimePrivilege | 3248 | IMDCSC.exe
Token: SeProfSingleProcessPrivilege | 3248 | IMDCSC.exe
Token: SeIncBasePriorityPrivilege | 3248 | IMDCSC.exe
Token: SeCreatePagefilePrivilege | 3248 | IMDCSC.exe
Token: SeBackupPrivilege | 3248 | IMDCSC.exe
Token: SeRestorePrivilege | 3248 | IMDCSC.exe
Token: SeShutdownPrivilege | 3248 | IMDCSC.exe
Token: SeDebugPrivilege | 3248 | IMDCSC.exe
Token: SeSystemEnvironmentPrivilege | 3248 | IMDCSC.exe
Token: SeChangeNotifyPrivilege | 3248 | IMDCSC.exe
Token: SeRemoteShutdownPrivilege | 3248 | IMDCSC.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
1336 | EXCEL.EXE
1336 | EXCEL.EXE
1336 | EXCEL.EXE
1336 | EXCEL.EXE
1336 | EXCEL.EXE
1336 | EXCEL.EXE
3248 | IMDCSC.exe
1336 | EXCEL.EXE
1336 | EXCEL.EXE
1336 | EXCEL.EXE
Suspicious use of WriteProcessMemory (48 IoCs)
description | pid | Process | procid_target
PID 4968 wrote to memory of 4696 | 4968 | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 87
PID 4968 wrote to memory of 4696 | 4968 | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 87
PID 4968 wrote to memory of 4696 | 4968 | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 87
PID 4968 wrote to memory of 3144 | 4968 | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 90
PID 4968 wrote to memory of 3144 | 4968 | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 90
PID 4968 wrote to memory of 3144 | 4968 | 2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 90
PID 4700 wrote to memory of 2520 | 4700 | cmd.exe | 91
PID 4700 wrote to memory of 2520 | 4700 | cmd.exe | 91
PID 4700 wrote to memory of 2520 | 4700 | cmd.exe | 91
PID 4696 wrote to memory of 3168 | 4696 | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 92
PID 4696 wrote to memory of 3168 | 4696 | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 92
PID 4696 wrote to memory of 3168 | 4696 | ._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe | 92
PID 3168 wrote to memory of 4556 | 3168 | cmd.exe | 95
PID 3168 wrote to memory of 4556 | 3168 | cmd.exe | 95
PID 3168 wrote to memory of 4556 | 3168 | cmd.exe | 95
PID 3144 wrote to memory of 2848 | 3144 | Synaptics.exe | 98
PID 3144 wrote to memory of 2848 | 3144 | Synaptics.exe | 98
PID 3144 wrote to memory of 2848 | 3144 | Synaptics.exe | 98
PID 4556 wrote to memory of 3652 | 4556 | windowsupdate.exe | 100
PID 4556 wrote to memory of 3652 | 4556 | windowsupdate.exe | 100
PID 4556 wrote to memory of 3652 | 4556 | windowsupdate.exe | 100
PID 2520 wrote to memory of 4404 | 2520 | Synaptics.exe | 101
PID 2520 wrote to memory of 4404 | 2520 | Synaptics.exe | 101
PID 2520 wrote to memory of 4404 | 2520 | Synaptics.exe | 101
PID 2712 wrote to memory of 8 | 2712 | cmd.exe | 102
PID 2712 wrote to memory of 8 | 2712 | cmd.exe | 102
PID 2712 wrote to memory of 8 | 2712 | cmd.exe | 102
PID 3652 wrote to memory of 1392 | 3652 | IMDCSC.exe | 104
PID 3652 wrote to memory of 1392 | 3652 | IMDCSC.exe | 104
PID 3652 wrote to memory of 1392 | 3652 | IMDCSC.exe | 104
PID 8 wrote to memory of 1760 | 8 | IMDCSC.exe | 105
PID 8 wrote to memory of 1760 | 8 | IMDCSC.exe | 105
PID 8 wrote to memory of 1760 | 8 | IMDCSC.exe | 105
PID 1392 wrote to memory of 1920 | 1392 | ._cache_IMDCSC.exe | 106
PID 1392 wrote to memory of 1920 | 1392 | ._cache_IMDCSC.exe | 106
PID 1392 wrote to memory of 1920 | 1392 | ._cache_IMDCSC.exe | 106
PID 1760 wrote to memory of 4744 | 1760 | ._cache_IMDCSC.exe | 108
PID 1760 wrote to memory of 4744 | 1760 | ._cache_IMDCSC.exe | 108
PID 1760 wrote to memory of 4744 | 1760 | ._cache_IMDCSC.exe | 108
PID 1920 wrote to memory of 2420 | 1920 | cmd.exe | 111
PID 1920 wrote to memory of 2420 | 1920 | cmd.exe | 111
PID 1920 wrote to memory of 2420 | 1920 | cmd.exe | 111
PID 2420 wrote to memory of 3248 | 2420 | windowsupdate.exe | 112
PID 2420 wrote to memory of 3248 | 2420 | windowsupdate.exe | 112
PID 2420 wrote to memory of 3248 | 2420 | windowsupdate.exe | 112
PID 4744 wrote to memory of 316 | 4744 | cmd.exe | 113
PID 4744 wrote to memory of 316 | 4744 | cmd.exe | 113
PID 4744 wrote to memory of 316 | 4744 | cmd.exe | 113
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4968
  (depth 2) C:\Users\Admin\AppData\Local\Temp\._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2025-07-02_e3b7f7180b4b4267673d143afd3565af_black-basta_darkgate_elex_gcleaner_luca-stealer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4696
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\VPSTOOL.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3168
      (depth 4) C:\Windows\windowsupdate.exe
        command line: C:\Windows\windowsupdate.exe
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4556
        (depth 5) C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
          command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 3652
          (depth 6) C:\Windows\._cache_IMDCSC.exe
            command line: "C:\Windows\._cache_IMDCSC.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1392
            (depth 7) C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\VPSTOOL.bat" "
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1920
              (depth 8) C:\Windows\windowsupdate.exe
                command line: C:\Windows\windowsupdate.exe
                - Modifies WinLogon for persistence
                - Checks computer location settings
                - Executes dropped EXE
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 2420
                (depth 9) C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
                  command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  PID: 3248
  (depth 2) C:\ProgramData\Synaptics\Synaptics.exe
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3144
    (depth 3) C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 2848
(depth 1) C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
  - Suspicious use of WriteProcessMemory
  PID: 4700
  (depth 2) C:\ProgramData\Synaptics\Synaptics.exe
    command line: C:\ProgramData\Synaptics\Synaptics.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2520
    (depth 3) C:\Windows\SysWOW64\._cache_Synaptics.exe
      command line: "C:\Windows\system32\._cache_Synaptics.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 4404
(depth 1) C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  - Suspicious use of WriteProcessMemory
  PID: 2712
  (depth 2) C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    command line: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 8
    (depth 3) C:\Windows\SysWOW64\._cache_IMDCSC.exe
      command line: "C:\Windows\system32\._cache_IMDCSC.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1760
      (depth 4) C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\VPSTOOL.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4744
        (depth 5) C:\Windows\windowsupdate.exe
          command line: C:\Windows\windowsupdate.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 316
(depth 1) C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1336
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads