Overview

overview

10

Static

static

1

24102023_0...or.msi

windows7-x64

10

24102023_0...or.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2023 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24102023_0153_mentor.msi

  • Size

    9.1MB

  • MD5

    40ff1957d91dbeb7268cace0ccf49ceb

  • SHA1

    5daedf4db9414be44a7562a970db177bde4c7efa

  • SHA256

    99f25de5cc5614f4efd967db0dae50f20e2acbae9e98920aff3d98638b9ca1f1

  • SHA512

    8b1fd758cad469b4f5f0091d95200b46f2836399652a25cd1f0d8aab01c2916181e97ce02d225c229926c0def185e5096bcbd75ed4923618da034fecfe61d329

  • SSDEEP

    196608:9hbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cvUOzZx:7bWzPM5HCZNrgMVw6wyZUupkjSPcvXx

Score
10/10
darkgateuser_871236672discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

C2

http://voodmastrelinux.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    2351

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    vBojMjKiOxwdob

  • internal_mutex

    txtMut

  • minimum_disk

    35

  • minimum_ram

    6000

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    user_871236672

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\24102023_0153_mentor.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4488
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding CB0827D7CF3C2899D1B084DEAB40FB20
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2512
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2008
      • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\windbg.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\windbg.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2144
        • \??\c:\tmpa\Autoit3.exe
          c:\tmpa\Autoit3.exe c:\tmpa\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Modifies registry class
          PID:3876
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:4248
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3576
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files.cab
    Filesize

    8.8MB

    MD5

    8a65439208c6a5bbf45b5ad58d07704c

    SHA1

    be3421519ee23b89757b8c666ab034aefb639a46

    SHA256

    4f33d2c9215f0af0c6de2377747341d153c7aefedd7d9e8cb1dfcbb3d9707702

    SHA512

    5697ce36e901f20e63d4053fb464dff534a7b6f248a514e212e209339b8fccf9191d276de65190ec573cfa99436d9bcd27773051d1eb97b5d7f3ef2b60036d1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\00001-337121377.png
    Filesize

    1.1MB

    MD5

    fd49f38e666f94abdbd9cc0bb842c29b

    SHA1

    36a00401a015d0719787d5a65c86784760ee93ff

    SHA256

    1f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f

    SHA512

    2fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\00002-337121378.png
    Filesize

    1.0MB

    MD5

    f68d2ca13e1268dd79e95591b976ec45

    SHA1

    588454301e3c25065349740573282145aa0a5c7b

    SHA256

    af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460

    SHA512

    a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\00003-337121379.png
    Filesize

    1.1MB

    MD5

    7dbe5e4b98d7601585cfb9697f265e0f

    SHA1

    da8477a2494b1436664c535d7c854bf778942a76

    SHA256

    c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288

    SHA512

    38e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\00004-337121380.png
    Filesize

    1.0MB

    MD5

    85da5b7fd4b6983fffe78853c5276c03

    SHA1

    49a68d92beabfdfce7b2939f35a7b3e4bdc2bc96

    SHA256

    ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba

    SHA512

    c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\00005-337121381.png
    Filesize

    1.0MB

    MD5

    602b44b5e0a94c61c7ae501966eb4fd5

    SHA1

    853f5c83bedd4523cb72ca127cc6c269ac99e2d9

    SHA256

    2e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3

    SHA512

    e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\00007-337121383.png
    Filesize

    1.1MB

    MD5

    9a40cf65a81a8f618a4f562e2494a557

    SHA1

    3b06e119cc017bbe99c06906779f40f2d04b08ad

    SHA256

    087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6

    SHA512

    745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\00008-337121384.png
    Filesize

    1.1MB

    MD5

    452b0afd9436be767a0ee61e98ef0356

    SHA1

    736f12f84f8af0bd04f5b207f31cba8dd359ae03

    SHA256

    0348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a

    SHA512

    2fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\data.bin
    Filesize

    92KB

    MD5

    8b305b67e45165844d2f8547a085d782

    SHA1

    92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

    SHA256

    776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

    SHA512

    2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\data2.bin
    Filesize

    1.8MB

    MD5

    67d9ff2c54906e6de543f0d0c0c02d24

    SHA1

    7d22a89a4502dd7c9106c00ff379aa516df00616

    SHA256

    aeae977f8a8f82fd520c74f3df4e817cc1d118c95a4183ec15116273236c8745

    SHA512

    ea4166c5ef0f5b213713b369e956e40bd05db4eff3d7cf1cd2eca5c342c2d5ea64bb1dc5af03a07848e72ca3b97a8894c43e5ab389e0f1ab8238a643e676d4ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\dbgeng.dll
    Filesize

    542KB

    MD5

    a1defa998f5984c7819cffd68664e00a

    SHA1

    9b0b17a2d660a2a51c8188186f394f8fe1650552

    SHA256

    abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

    SHA512

    792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\dbgeng.dll
    Filesize

    542KB

    MD5

    a1defa998f5984c7819cffd68664e00a

    SHA1

    9b0b17a2d660a2a51c8188186f394f8fe1650552

    SHA256

    abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

    SHA512

    792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\files\windbg.exe
    Filesize

    474KB

    MD5

    04ec4f58a1f4a87b5eeb1f4b7afc48e0

    SHA1

    58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

    SHA256

    bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

    SHA512

    5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\msiwrapper.ini
    Filesize

    1KB

    MD5

    79296acffa9f515eea46c16e3b046a76

    SHA1

    5ea51ec87c1da9d5d5bdab522c2724bcd1f02383

    SHA256

    f7af4b5de83306093b4c716c5e92cb3df08b66841602c722811a462ef6f89fdb

    SHA512

    4d093954ca9e1533e275107eb2f9277cf7ddf0640ec3b3868c19deb9fd741a5f27fc261fac4b214d3e6d50a2c691a03bd7bddab0c8e089150cb91d166e42294a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\msiwrapper.ini
    Filesize

    1KB

    MD5

    eceee42759e3459bcfb38801c445ae89

    SHA1

    9bb4c8128fab43edac702bb30641057b6a1bdfab

    SHA256

    ea83b3db9dbbddc716280192c75fadde06767154ac29ed6716b3e61850895283

    SHA512

    1a497667c0103fc3b7fab51d20f6198c63246193965dd7e0f1642d2408790c9383fb1259b779467e577de58750a908ac0c3ca90848f6f20a8eb5272754c35e9e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9b1de410-d847-4f96-b78d-af57cb8490c5\msiwrapper.ini
    Filesize

    1KB

    MD5

    eceee42759e3459bcfb38801c445ae89

    SHA1

    9bb4c8128fab43edac702bb30641057b6a1bdfab

    SHA256

    ea83b3db9dbbddc716280192c75fadde06767154ac29ed6716b3e61850895283

    SHA512

    1a497667c0103fc3b7fab51d20f6198c63246193965dd7e0f1642d2408790c9383fb1259b779467e577de58750a908ac0c3ca90848f6f20a8eb5272754c35e9e

    Download Submit

  • C:\Windows\Installer\MSI3042.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\Windows\Installer\MSI3042.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\Windows\Installer\MSI5D50.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\Windows\Installer\MSI5D50.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\tmpa\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\c:\tmpa\script.au3
    Filesize

    490KB

    MD5

    47254a9762ec3d0d2840db3c509775fe

    SHA1

    b56ae57e7feac10d839d960f130f3a7caddd175b

    SHA256

    25d76801735b5b7b49a7fa3f4dcfc13536832a354a7200458099c120d4faa7b6

    SHA512

    54e761e26cb5721cbc24f2ee4e9e138530d7c89b0cd9d731ab6551153dc76999056031e6436faaf357524afe655a596d7e490f37a1a4ba20ecc9e7496f53c13d

    Download Submit

  • memory/2144-98-0x0000000000E30000-0x0000000000F30000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2144-103-0x0000000000400000-0x000000000048D000-memory.dmp

    Filesize

    564KB

    Download

  • memory/3876-114-0x0000000000C70000-0x0000000001070000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3876-119-0x0000000003D60000-0x000000000408A000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/3876-125-0x0000000003D60000-0x000000000408A000-memory.dmp

    Filesize

    3.2MB

    Download