Overview

overview

10

Static

static

1

NEAS.143c1...JC.msi

windows7-x64

10

NEAS.143c1...JC.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    19-10-2023 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.143c1f6a1095fd6f63eae25d3b2cee9ba800c47b48279c8f7c62609118cc4299msi_JC.msi

  • Size

    3.6MB

  • MD5

    6550b181486c080b7c524bec6370d85d

  • SHA1

    b54ca1ad61df207e0aa3215cb58e362886f68095

  • SHA256

    143c1f6a1095fd6f63eae25d3b2cee9ba800c47b48279c8f7c62609118cc4299

  • SHA512

    13453e3777583540449225d83c6ca8838da905ec6067312488c23cc36d3f387e772f5716c4a4778ddc5a5302aa4cda1eef983e6d76e3c414aaa5d4a32a544ea2

  • SSDEEP

    98304:TpA1DCG1G1w7cwv9JAEh7DyU35oGFYGHnzzMBdHB3:gE+dvLAEh7DyU35oGFTHz4B/3

Score
10/10
darkgateuser_871236672discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

C2

http://cheneseemeg7575.cash

http://annoyingannoying.vodka

http://uiahbmajokriswhoer.net
Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    2351

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    bfpKQguIjifOez

  • internal_mutex

    txtMut

  • minimum_disk

    35

  • minimum_ram

    6000

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    user_871236672

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.143c1f6a1095fd6f63eae25d3b2cee9ba800c47b48279c8f7c62609118cc4299msi_JC.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2076
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B124D75452209F85B29147C1C0A4324B
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1084
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:564
        • \??\c:\tmpp\Autoit3.exe
          c:\tmpp\Autoit3.exe c:\tmpp\test.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:2404
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:1408
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "00000000000005B4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files.cab
    Filesize

    3.3MB

    MD5

    715bba93d091b4e64f26a9e7511742bf

    SHA1

    16d3ed9c4a46c39d2bc11880350bc62b532b3b65

    SHA256

    1fa7c173f814cc611f279ee51624b225ea978b31e67fcdc53f49ce5f4ddabaae

    SHA512

    a4e614c00cbf6efa2713ef1976494a8a8e0f03616d5c3dd3946bf6e9061f7945dd2885b7d7e7adc73c0430e6576a7bda5b0b27f7bee6d4a0dddc351dc19a15e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\00595-1017085943.png
    Filesize

    1.1MB

    MD5

    cc4c3d3cd87934c4befb0e3489ffebf0

    SHA1

    509b27a80bd2a1d2ca5cfb1316b923698a5fe286

    SHA256

    a09c328f3d8dd7448491ec7a03ef67432527f9a79156a05151e05964ad6eeedd

    SHA512

    ebb895bd2a8b022e79b8bf118f785172f4c20a65f13c4f0b862738ebce48fbff8469899ef13f7d19b351303f3d19f764f35a17739a589b32b3316cc2a078df98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\dbgeng.dll
    Filesize

    3.8MB

    MD5

    544ad0ac2a8ac23cfcadce08dbc6ccf4

    SHA1

    435a190c0ab8e1bf7f0acfeaf677ddfcea2eb5eb

    SHA256

    6b7e78ffec23a2f21ee3664d5e9a976cf6fce4a2413c49808976cebe7fad1db8

    SHA512

    c80e2e057c42052e784c644e4b78cd6acab77c0810bd60a291f40e531c51b31a6ad73bd89eafdd29a20d98afaf01250f920a2e5d3ebe026b032b08c3edaaba63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\unins000.dat
    Filesize

    62KB

    MD5

    5f6d7117758a11c5cc96725a4fc72348

    SHA1

    eede69efecd034bb059b90b1bdd48d406e80f5e9

    SHA256

    a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

    SHA512

    954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\unins000.exe
    Filesize

    1.1MB

    MD5

    a82fd06ad4339762ef1ea3e6ebf28fae

    SHA1

    5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

    SHA256

    6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

    SHA512

    63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\unins000.msg
    Filesize

    22KB

    MD5

    3b1a9a56eede8c6335e94959d5231ac5

    SHA1

    8d256fc02492b6c51db9f3861746b386e62ba317

    SHA256

    161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

    SHA512

    9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\uninsTasks.txt
    Filesize

    22B

    MD5

    ed8842c313a411cf074fb082b7184ab0

    SHA1

    2e411a8b4b62c15e31415fa63742d4c40e8265df

    SHA256

    9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

    SHA512

    019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\msiwrapper.ini
    Filesize

    1KB

    MD5

    4040deca1dd2729eae29905f32149d92

    SHA1

    3b04c08f5aa8842db07a9dc269c623ccd3508ab5

    SHA256

    1b253f7f84da479e41e22034fda8e9e0a8f72f37333f2839c1162200ba2c3b9c

    SHA512

    e09e6963b0b874fcc5b576e8417fb094757c3b28ab50e24df458cf21b57a64b951eadc0b7bebea839c2ec20605ab454b514ecd8e73f504cfde03ecc77d856158

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\msiwrapper.ini
    Filesize

    1KB

    MD5

    4693281ece64e23b2db2662436db7af1

    SHA1

    93662b6e5d9e4e38dfbeb046b7562462d3e78556

    SHA256

    c9657f388e32ffc523b419fa740ffbf13176dbc2ae1f4469d2dc3a186f82f329

    SHA512

    99ce4bb8aad197a38399c3aa67f9562f1a3b39b24e6de941e9d36fc2f32ab2aabe5bd61b31fc1620e083a6caaa65ed4850205d233c10da26b991d1f394b51c36

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\msiwrapper.ini
    Filesize

    1KB

    MD5

    4693281ece64e23b2db2662436db7af1

    SHA1

    93662b6e5d9e4e38dfbeb046b7562462d3e78556

    SHA256

    c9657f388e32ffc523b419fa740ffbf13176dbc2ae1f4469d2dc3a186f82f329

    SHA512

    99ce4bb8aad197a38399c3aa67f9562f1a3b39b24e6de941e9d36fc2f32ab2aabe5bd61b31fc1620e083a6caaa65ed4850205d233c10da26b991d1f394b51c36

    Download Submit

  • C:\Windows\Installer\MSI4A78.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\Windows\Installer\MSI79C4.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\tmpp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\c:\tmpp\test.au3
    Filesize

    493KB

    MD5

    c0f2c7cc9d7111047be09e53165e2317

    SHA1

    2720bf8d2c7f46fa86930b93a65454dd19bb32fb

    SHA256

    53521c6673a1c8f9e1981147efa2db1a7d3a723e79041c9a50f5ac3b450ef051

    SHA512

    6ca1a2ea9dda32ef3909111203fb15379c5998b89b194fa7c1178db8dc96a4052ffa9e68503186f15820bf51d0e74462e7a6a9b34e270481d0cf16f240ea6d3b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\dbgeng.dll
    Filesize

    3.8MB

    MD5

    544ad0ac2a8ac23cfcadce08dbc6ccf4

    SHA1

    435a190c0ab8e1bf7f0acfeaf677ddfcea2eb5eb

    SHA256

    6b7e78ffec23a2f21ee3664d5e9a976cf6fce4a2413c49808976cebe7fad1db8

    SHA512

    c80e2e057c42052e784c644e4b78cd6acab77c0810bd60a291f40e531c51b31a6ad73bd89eafdd29a20d98afaf01250f920a2e5d3ebe026b032b08c3edaaba63

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MW-bd0f1dd0-2371-435c-80d0-bd9041720e6e\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • \Windows\Installer\MSI4A78.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • \Windows\Installer\MSI79C4.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • \tmpp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • memory/564-104-0x0000000000720000-0x0000000000B01000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/564-98-0x0000000000720000-0x0000000000B01000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2404-108-0x0000000000CD0000-0x00000000010D0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2404-110-0x0000000003010000-0x0000000003342000-memory.dmp

    Filesize

    3.2MB

    Download