Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
19-10-2023 06:56
General
-
Target
abb556b6e45931b1e27b40f9f5f610dea7c4e59c13a4299899b022d9.msi
-
Size
1.1MB
-
MD5
85fd43751333aa5d3b831d3d2fafebb7
-
SHA1
fd6e3b35b1059108d92d34660b0c54205d39529b
-
SHA256
a69719f8d5dd3a3725521d32e16623be5f39aa5731a12061cb3e08793c2c66ba
-
SHA512
d2b4f62f6e3e9cc65b741f150970431ebbdbd282cd4646c1f415ac5f8d995c90d79fca73b75f67d844d85f864f753fcd278e776b1df741532728398236582e07
-
SSDEEP
24576:+tncpVGPS3Hj74zrIbOCFd7m1+DfxQSSTooZVwn3/V4XCAXBv:DpUPS3D8zEbOw7m18ZptMCK
Malware Config
Extracted
darkgate
civilian1337
http://185.130.227.202
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
2351
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
kYQpinTbGbozah
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
civilian1337
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"2⤵
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\abb556b6e45931b1e27b40f9f5f610dea7c4e59c13a4299899b022d9.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CEC9F63F1DAE5CE16E1CECB63CF1248D2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-14bc0c8a-890c-441b-8b72-c66dee23e3b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-14bc0c8a-890c-441b-8b72-c66dee23e3b3\files\KeyScramblerLogon.exe"C:\Users\Admin\AppData\Local\Temp\MW-14bc0c8a-890c-441b-8b72-c66dee23e3b3\files\KeyScramblerLogon.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\tmpp\Autoit3.exec:\tmpp\Autoit3.exe c:\tmpp\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpp\* & rmdir /s /q c:\tmpp\ exit5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-14bc0c8a-890c-441b-8b72-c66dee23e3b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
171B
MD5f635e7b31e1f7f9e00d27c33b2178625
SHA1f92908d429deed99ee706f8a074813723b188017
SHA25661c2f5520573c3843963f2da02735a5abfec81977c7557b40117d8020b4bd87f
SHA51282695116db6ebaac70c6200e58a1021d1336603ba86c467b7723163bdb3e30679ec7532764a2336fb24052e395f0ade02111c53160284339243af8ccf1c8b977
-
Filesize
171B
MD5f635e7b31e1f7f9e00d27c33b2178625
SHA1f92908d429deed99ee706f8a074813723b188017
SHA25661c2f5520573c3843963f2da02735a5abfec81977c7557b40117d8020b4bd87f
SHA51282695116db6ebaac70c6200e58a1021d1336603ba86c467b7723163bdb3e30679ec7532764a2336fb24052e395f0ade02111c53160284339243af8ccf1c8b977
-
Filesize
12KB
MD576108f2aa9f06808a670d55f37147a2b
SHA1ba7dd8d15b5a6e824678d7c49103069024e6ed45
SHA256ad03d872649da555bd6bb6cb020ae9ea37a05c4c75f2a9eb4ad7e484a563e44a
SHA5129292ef97f57a2361f75792c88f069b779e45b32982423de821df2889444ca8f651247b811fcdde704c1eaf507ffde1981afc09a296c8f8b7c0a6265be5dc4804
-
Filesize
888KB
MD534413865c1a86d7d1edde84cf4f973f7
SHA1d80b6d0dbdcfede9b117dc3fa8ea0dfc78a7d17a
SHA25643502b012ccddd0aa791c3b15678314419b24b537779d662e433c8d63ee6e2e1
SHA51284c95a20f22fdae2b261f23562f4bfe528d0e16480c9a632df53dbec83185a16fe7a3695ff9c98dec91cd4cd1085f58f43879cb6bf2d9f78328f15da59620b17
-
Filesize
355KB
MD57ee9f12ced52edd26d0d9852ab2082f2
SHA1ecd188b96d55564842b46263efd61bfffd68c02b
SHA256640a3b86b4327d77a4e27a36769cd6973400d30b582696f8edc7fcdb2ab46570
SHA5123dae262f3198abab11e75e13438902d10d7791a9e7b278af84dc2c0b450e563480eaea2d3fda6e359f807c85b7607e957d1af4262542985a75f3d29a0a1734dc
-
Filesize
355KB
MD57ee9f12ced52edd26d0d9852ab2082f2
SHA1ecd188b96d55564842b46263efd61bfffd68c02b
SHA256640a3b86b4327d77a4e27a36769cd6973400d30b582696f8edc7fcdb2ab46570
SHA5123dae262f3198abab11e75e13438902d10d7791a9e7b278af84dc2c0b450e563480eaea2d3fda6e359f807c85b7607e957d1af4262542985a75f3d29a0a1734dc
-
Filesize
500KB
MD5c790ebfcb6a34953a371e32c9174fe46
SHA13ead08d8bbdb3afd851877cb50507b77ae18a4d8
SHA256fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1
SHA51274e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554
-
Filesize
500KB
MD5c790ebfcb6a34953a371e32c9174fe46
SHA13ead08d8bbdb3afd851877cb50507b77ae18a4d8
SHA256fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1
SHA51274e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554
-
Filesize
884KB
MD5bc73f7da4fb84539de7cead0a1025080
SHA11b2b24cf9f4f94d6ded5e4a0cbae2a98a35ae066
SHA2563879dd8ea315895e504619dbda780c843dfdda2abf46f243268fd4ce8bb95d46
SHA51287f52792fd1333c96b8f4d766a145981701a680d92a7609c3f22f365e9e48d9d3100cce392fa9dd4e4800ebbb8a7a613dc2a355635527dc7067217c51323d424
-
Filesize
458B
MD52adf7a4c16433d30b3bb65b1acc4685f
SHA128376692cad7d6dc9ebdb2d5f3dfc51840dd9987
SHA256453dd634f5530bda86f98faffcc6347a1024c8caf7ffe5246428eede7ff90711
SHA512d70277900b60f97189e6fe81774d9177c6b123986d8f54a26bf9590a94327c75f4997735044904ac32e2acfdb1852dff17cc93bcb3e20ad8ea01871255c51143
-
Filesize
1KB
MD5c69c896b67f15accb6b6c3a9f1e60b50
SHA14c774c62883f2ad609db5007c01c61c99f890d68
SHA2562e5f63a8dd1f0101cbfb33445045afcb398b95e1c44e4f935f1916931456da7c
SHA5123e0f2d0c8be48a16f19da920102e6b3648ae226d9f177ea21318698894c3296760185a080eb49b25bcfe800265cae27fd067db5b70997998035fc67bb140c33c
-
Filesize
1KB
MD5c69c896b67f15accb6b6c3a9f1e60b50
SHA14c774c62883f2ad609db5007c01c61c99f890d68
SHA2562e5f63a8dd1f0101cbfb33445045afcb398b95e1c44e4f935f1916931456da7c
SHA5123e0f2d0c8be48a16f19da920102e6b3648ae226d9f177ea21318698894c3296760185a080eb49b25bcfe800265cae27fd067db5b70997998035fc67bb140c33c
-
Filesize
1KB
MD59c050decdc8368e42e6fe97379de2713
SHA10e413621b592c2d9ad55700127bcf78136f97bee
SHA25610cd2ee6473beb0332320513e4d060ed5185c06cebb1c0e47fa8122138776ded
SHA51239e78a2ca9b65d59efec2505e393153716f8d6182101185b916cbfa8466d9c99870ea6f809b630630d038faf689e59d3d3476f6e359043f2db1d37ba3646d3c5
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
4B
MD543ca754b829ebd2ab52a70e7519602dc
SHA18353a8b14442885f4311660eaf9ad99369366c12
SHA256fa52120fad08443cd97a00f2f254c8d62b08f3276b682c34c8993d1b037f4f2c
SHA5125e56783d38bf23fb4d66e54956c54b38896c1ebd52719878f5fd8f9036d4eb9108227f5dad624e792c09ad6bddb0a46a4e5cce85e15f56c95e3858bb856480e6
-
Filesize
387KB
MD587cd6e254eaec733c85caf55354840e1
SHA12902f6d4aa74ce6387da210bad23e41ba3374200
SHA25639232087108623d600c7304065dac7a36ab6f65925db060dbae0d15970364cb1
SHA5120f3d65c6d5988c248c9422f0ad65ab5336b2d9b5deb1084281b3234bc7843c4d1e4464231589298e0751eba5c9119a1d98128cd77a8c3cc9b86b8fa9a5ad5325
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
23.0MB
MD55c039e627afa8e10a3a2e029487a7128
SHA127c9be9fcef61d5d42d212dcf3999906ed352068
SHA256a80661785e42b4903b5c587cf0d5156162b600cecb8cfcd98d2fc55a89d8f8f1
SHA5128b65cd115547b1599baf1e0bf2a29eded2bcd2695b6687a3b9048de89458a5248bfa9dd79426708d45ae0bffd3ddab289d671414150873d251a13f99fdef37b7
-
Filesize
6KB
MD55c9457d8efb5cdd87a56de52819b0247
SHA13c7bbcfb7d32a4a01d4bd9b06da14c0e23af4908
SHA256adf272e17d895a493e9e04fea3a7d4e34052958eeef711e194e970a05863e633
SHA51294261ee68b95d99c23321db2f1027fd4a6f639b3ee40760e4ec20609415865f2a76fcee2153ab31234928aa7f94ed5590b74e643ee5b04792018255d1460332a
-
Filesize
387KB
MD587cd6e254eaec733c85caf55354840e1
SHA12902f6d4aa74ce6387da210bad23e41ba3374200
SHA25639232087108623d600c7304065dac7a36ab6f65925db060dbae0d15970364cb1
SHA5120f3d65c6d5988c248c9422f0ad65ab5336b2d9b5deb1084281b3234bc7843c4d1e4464231589298e0751eba5c9119a1d98128cd77a8c3cc9b86b8fa9a5ad5325
-
Filesize
387KB
MD587cd6e254eaec733c85caf55354840e1
SHA12902f6d4aa74ce6387da210bad23e41ba3374200
SHA25639232087108623d600c7304065dac7a36ab6f65925db060dbae0d15970364cb1
SHA5120f3d65c6d5988c248c9422f0ad65ab5336b2d9b5deb1084281b3234bc7843c4d1e4464231589298e0751eba5c9119a1d98128cd77a8c3cc9b86b8fa9a5ad5325
-
Filesize
12KB
MD576108f2aa9f06808a670d55f37147a2b
SHA1ba7dd8d15b5a6e824678d7c49103069024e6ed45
SHA256ad03d872649da555bd6bb6cb020ae9ea37a05c4c75f2a9eb4ad7e484a563e44a
SHA5129292ef97f57a2361f75792c88f069b779e45b32982423de821df2889444ca8f651247b811fcdde704c1eaf507ffde1981afc09a296c8f8b7c0a6265be5dc4804
-
Filesize
387KB
MD587cd6e254eaec733c85caf55354840e1
SHA12902f6d4aa74ce6387da210bad23e41ba3374200
SHA25639232087108623d600c7304065dac7a36ab6f65925db060dbae0d15970364cb1
SHA5120f3d65c6d5988c248c9422f0ad65ab5336b2d9b5deb1084281b3234bc7843c4d1e4464231589298e0751eba5c9119a1d98128cd77a8c3cc9b86b8fa9a5ad5325
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
12KB
MD576108f2aa9f06808a670d55f37147a2b
SHA1ba7dd8d15b5a6e824678d7c49103069024e6ed45
SHA256ad03d872649da555bd6bb6cb020ae9ea37a05c4c75f2a9eb4ad7e484a563e44a
SHA5129292ef97f57a2361f75792c88f069b779e45b32982423de821df2889444ca8f651247b811fcdde704c1eaf507ffde1981afc09a296c8f8b7c0a6265be5dc4804
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
4.0MB
-
Filesize
376KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB