Overview

overview

10

Static

static

1

destroy.msi

windows7-x64

10

destroy.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2023 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    destroy.msi

  • Size

    3.6MB

  • MD5

    c5dacb642fc9c905f9c29e8c3666ecae

  • SHA1

    21c21c7aff42ded891f2c69bb03f5a7d65758ea9

  • SHA256

    2c33166a74ba155a80bb28dcb1fa905ff8cce2dd19464d5784e863478facade5

  • SHA512

    97d82b1bc70d7368a68ee1af746ee8aaa45cce7150b94185818656bf6d1c4217043b004e01b73a8348d7f7e1803fead1cdfe2b3ce1d11d119e06ab5f439f482b

  • SSDEEP

    98304:cpG1DCG1G1w7cwv9JAEJUvXF/rFmoyqcUQc1ShZ:zE+dvLAEilrFmoyqdFSL

Score
10/10
darkgateuser_871236672discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

C2

http://cheneseemeg7575.cash

http://annoyingannoying.vodka

http://uiahbmajokriswhoer.net
Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    2351

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    TDoGTDSWKFuYaM

  • internal_mutex

    txtMut

  • minimum_disk

    35

  • minimum_ram

    6000

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    user_871236672

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\destroy.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 85C02E5624C163DC406986D8E334515F
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1544
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:692
      • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1324
        • \??\c:\tmpp\Autoit3.exe
          c:\tmpp\Autoit3.exe c:\tmpp\test.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:1800
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:3000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2776
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003AC" "000000000000005C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files.cab
    Filesize

    3.3MB

    MD5

    54636fdfd02e0ad39d1aff0ac775729c

    SHA1

    8c6fc9d9c49d569a3365b0bf5d798b12cfe07f35

    SHA256

    fbe2e0a67cf4c8429b15c8c55fb400d74fe09b59198ceff1e1dec43802f866dc

    SHA512

    1531648e7cf629cd454980862e14c1ef80c84b6320d871e2d4f91c0fb4eafcf8df76a260e60d0b5be899afeb64ce54e1501fdb16cc09640fe88d37a3a0b0f846

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\00595-1017085943.png
    Filesize

    1.1MB

    MD5

    cc4c3d3cd87934c4befb0e3489ffebf0

    SHA1

    509b27a80bd2a1d2ca5cfb1316b923698a5fe286

    SHA256

    a09c328f3d8dd7448491ec7a03ef67432527f9a79156a05151e05964ad6eeedd

    SHA512

    ebb895bd2a8b022e79b8bf118f785172f4c20a65f13c4f0b862738ebce48fbff8469899ef13f7d19b351303f3d19f764f35a17739a589b32b3316cc2a078df98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\dbgeng.dll
    Filesize

    3.8MB

    MD5

    b2bfbe8610d114f1da56e23be0667eb8

    SHA1

    8c21239895edf066b376425fe41cc5e268fea430

    SHA256

    63d35068ba58aa2041d89eeb90bc68ab62c44938ac26332077bd679923baedcf

    SHA512

    2a9493473146921ba4d18268c79224f4cf9650620ab803dca265f153e3b4f9560f245cabc5c741bdc05f4d04906f216a62a7009197bd7cf0edfab8a0da6bdd61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\unins000.dat
    Filesize

    62KB

    MD5

    5f6d7117758a11c5cc96725a4fc72348

    SHA1

    eede69efecd034bb059b90b1bdd48d406e80f5e9

    SHA256

    a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

    SHA512

    954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\unins000.exe
    Filesize

    1.1MB

    MD5

    a82fd06ad4339762ef1ea3e6ebf28fae

    SHA1

    5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

    SHA256

    6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

    SHA512

    63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\unins000.msg
    Filesize

    22KB

    MD5

    3b1a9a56eede8c6335e94959d5231ac5

    SHA1

    8d256fc02492b6c51db9f3861746b386e62ba317

    SHA256

    161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

    SHA512

    9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\uninsTasks.txt
    Filesize

    22B

    MD5

    ed8842c313a411cf074fb082b7184ab0

    SHA1

    2e411a8b4b62c15e31415fa63742d4c40e8265df

    SHA256

    9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

    SHA512

    019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\msiwrapper.ini
    Filesize

    1KB

    MD5

    63b528e8078c26c55378d33c6a441c5a

    SHA1

    cf189ead0fb94e4ba1aa035333a309db237db17c

    SHA256

    f46f3bfe856f5d1eb60b2f3796c36c90f960c2c66591a76a0301e57bf1efcca6

    SHA512

    45a7f146d68fc012d3bc4979eab6c4825d1e1ec37ed648ffcce048f39a34e114697e6b78f01b36f3ac1b7a619441e227189696405e6118abe9509fec1f66914e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\msiwrapper.ini
    Filesize

    370B

    MD5

    912008eb828d527433aeaaf1b9a4455c

    SHA1

    544acb7b18ab8d79c9a174490d121a1219a30e78

    SHA256

    5db4401ca69a7f11f8b35f151c0c58b5122605ebdaf239e507da0ae1d7e1472a

    SHA512

    18e30925375412d05f5014861a8a79e8582b830a2656cd9d7c48c5cf917e32d2b400ac03627ff8738e81d3e8ed675337bb23a93844a56c954d07b89807a94987

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\msiwrapper.ini
    Filesize

    1010B

    MD5

    e7ebfdb60d41760d25965de85219e0a2

    SHA1

    8051ed3749c14a9ecb89274f0083306bcfe8078b

    SHA256

    983331a3b0c2144e81e35e1691b8da698c509717f49a139e666b2ce4f6406460

    SHA512

    93b2339be9ebe0c391a54f500c0968adaa0eaa1a6eaf14d523c38be313a6746bb19a1567de5d174b41a3810ff98b1b9ead7802a02aade244914132fd8500ffd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\msiwrapper.ini
    Filesize

    1KB

    MD5

    63a265dfa8fba06865d74bf3254d0ea8

    SHA1

    cc127b473a11e98ccc053460869a5a91bfa6ad9e

    SHA256

    4cd149a74fa13b454d56ecc20568f9634f77d9912d453f6a3ba238e0492df882

    SHA512

    14c5c687a4ad83a2065a1a8fe9ba757931cf4bb55735b7e1e3aeb6604796b5af039a5617c181a2c98925fb75f3f1e38ced3eaf54c3f2ee88ce11b3a15c93153b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\msiwrapper.ini
    Filesize

    1KB

    MD5

    63a265dfa8fba06865d74bf3254d0ea8

    SHA1

    cc127b473a11e98ccc053460869a5a91bfa6ad9e

    SHA256

    4cd149a74fa13b454d56ecc20568f9634f77d9912d453f6a3ba238e0492df882

    SHA512

    14c5c687a4ad83a2065a1a8fe9ba757931cf4bb55735b7e1e3aeb6604796b5af039a5617c181a2c98925fb75f3f1e38ced3eaf54c3f2ee88ce11b3a15c93153b

    Download Submit

  • C:\Windows\Installer\MSICE09.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\Windows\Installer\MSIDF69.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\tmpp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\c:\tmpp\test.au3
    Filesize

    496KB

    MD5

    efeb316519a0592515535e633c620b0a

    SHA1

    a455786b56d0abd456f5617f2658fc9d537d3efc

    SHA256

    c71d372afb4862bb075e66a36ca3fe4c76d6983e31bd54645cc8f61f77d58a65

    SHA512

    fd09e3e15645e5cc03304c23a240c46057bf713c19c651c356333c9cb7ae5fdb6bbade0e75666abea6d04349d683a4ef8933e9bdd4ab8df6912608a1dd83eeae

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\dbgeng.dll
    Filesize

    3.8MB

    MD5

    b2bfbe8610d114f1da56e23be0667eb8

    SHA1

    8c21239895edf066b376425fe41cc5e268fea430

    SHA256

    63d35068ba58aa2041d89eeb90bc68ab62c44938ac26332077bd679923baedcf

    SHA512

    2a9493473146921ba4d18268c79224f4cf9650620ab803dca265f153e3b4f9560f245cabc5c741bdc05f4d04906f216a62a7009197bd7cf0edfab8a0da6bdd61

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-32857edb-d836-49ef-aeae-7903f085d6a4\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Windows\Installer\MSICE09.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • \Windows\Installer\MSIDF69.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • \tmpp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • memory/1324-99-0x00000000004D0000-0x00000000008B2000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1324-92-0x00000000004D0000-0x00000000008B2000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1800-109-0x0000000000A30000-0x0000000000E30000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1800-110-0x00000000030B0000-0x00000000033E2000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1800-111-0x0000000000A30000-0x0000000000E30000-memory.dmp

    Filesize

    4.0MB

    Download