Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20250610-en
- resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02/07/2025, 18:53

Static task: static1

Behavioral task: behavioral1
- Sample: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
- Resource: win10v2004-20250610-en

Behavioral task: behavioral2
- Sample: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
- Resource: win11-20250610-en
General
- Target: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
- Size: 1.2MB
- MD5: d627a02bd7c66fde7aded5cd3663c88e
- SHA1: 005e01a8f50b32475a91fe70b41031f92439963e
- SHA256: 3d52cd593b20c3d040d4227ac0d3e4477f8d11289b5208946a12f826315da04b
- SHA512: 697476fedc69e522f6e079b8cfa2aa2448b24ae31e2f773dd2a7cdc086b3f6429c51ba040f8eec208d6ff191ae9188a6badfdd6056feb7b142240d9b8fa2d594
- SSDEEP: 3072:tZTz1WIXC6GESSgWNRXumi7+IF6foPCaTRMXbaev0FQcmWk6kwsNIf6cHzbQ2v0V:tZHcIX9SSgMi+IFZMbQrkodzb4VF2Yd
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  1916  audiohd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  audiohd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4792  2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
  1916  audiohd.exe
  3064  powershell.exe
  3064  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4792  2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
  Token: SeDebugPrivilege  1916  audiohd.exe
  Token: SeDebugPrivilege  3064  powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                                  procid_target
  PID 4792 wrote to memory of 1916  4792  2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe  78
  PID 4792 wrote to memory of 1916  4792  2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe  78
  PID 4792 wrote to memory of 1916  4792  2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe  78
  PID 1916 wrote to memory of 3064  1916  audiohd.exe                                                                              79
  PID 1916 wrote to memory of 3064  1916  audiohd.exe                                                                              79
  PID 1916 wrote to memory of 3064  1916  audiohd.exe                                                                              79
  PID 3064 wrote to memory of 5148  3064  powershell.exe                                                                           81
  PID 3064 wrote to memory of 5148  3064  powershell.exe                                                                           81
  PID 3064 wrote to memory of 5148  3064  powershell.exe                                                                           81
  PID 5148 wrote to memory of 4936  5148  csc.exe                                                                                  82
  PID 5148 wrote to memory of 4936  5148  csc.exe                                                                                  82
  PID 5148 wrote to memory of 4936  5148  csc.exe                                                                                  82
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4792
   2. C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1916
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 3064
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\balafsou\balafsou.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 5148
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7782.tmp" "c:\Users\Admin\AppData\Local\Temp\balafsou\CSCC7934B86B36746E7996EEE7A289A38D.TMP"
               - System Location Discovery: System Language Discovery
               PID: 4936
Network
MITRE ATT&CK Enterprise v16
Downloads