Overview

overview

10

Static

static

1

stopdoingthis.msi

windows7-x64

10

stopdoingthis.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2023 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    stopdoingthis.msi

  • Size

    7.7MB

  • MD5

    599423697dafc91edf9cc90aba306646

  • SHA1

    a6f3060af91d9bbea8e72a23b5f92896edf4c3a9

  • SHA256

    12f5d9383518e88b0b7b857b946d33de8c9a075b1b348a7df83ae983c5fefeaa

  • SHA512

    862f6452f8bb0108d8b5535a5bdd35e0c452c0993fa0d6ec5b6f9d059c2711fe4748e25ab201a16bace528c81abd4fb21e60e384eb123185dda19d5bb2af4a80

  • SSDEEP

    98304:TpFKjsEZcgsdUqakFRFawTV82ASqQBW9vpWzxjFycvniqy33XglSB2CiU39hItDb:61NsUqai/pTOryNnxyXxBTiWKmbSQMR

Score
10/10
darkgateuser_871236672discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

C2

http://onlineserviceboonkers.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    2351

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    yBhTbTZsxrLjqz

  • internal_mutex

    txtMut

  • minimum_disk

    35

  • minimum_ram

    6000

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    user_871236672

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\stopdoingthis.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2584
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DB03DEC429A4E9B7B6AD5422004024E5
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1568
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:524
      • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2052
        • \??\c:\tmpa\Autoit3.exe
          c:\tmpa\Autoit3.exe c:\tmpa\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\data.bin
            5⤵
            • Modifies registry class
            PID:2392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files"
        3⤵
          PID:2380
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:1252
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004B8" "00000000000005B0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2520

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files.cab
      Filesize

      7.4MB

      MD5

      8f95ee581b60c84c7aae8e7f73c18f8a

      SHA1

      e3384841b67b57b5a55c9f75eb7feb48e756b6a4

      SHA256

      b1d5669a662282a88729a6babfd6b9233f91656620232b41b88fec0c23f37363

      SHA512

      61de833db0f5f645faae076f9599da3d0693584136c8dc40cd1d7dd94f009d9927ef387b055a349cccc1b7dfcdee86c2a519597e1140abe500dd66469498d6bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\00147-~1.PNG
      Filesize

      1.3MB

      MD5

      7ec930b1536750116c13b06313286cf5

      SHA1

      adc543581e4acbaffd5593d07346296bbda1ede5

      SHA256

      1d18677415ff9d03c8e3accde3ab0786d33985f3d6b3855eca632c07fc4de547

      SHA512

      531887e99339aa19cef104226074cdbfb74d8e31cb535cf232b241f4cb05550ac33504ad58dc9b3eaa2c5dbb0a2eb32e9cc06a754b00618485d625ca4c3415db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\00148-~1.PNG
      Filesize

      1.2MB

      MD5

      bb581ea56d0940dc4d002a902e0fb0c9

      SHA1

      226afeb98300bc51a4e80e112b38bfbf9ef8f706

      SHA256

      84e19377a78d441de940eb1943edddc5720aafb67aed7dc30c281b98c3d0a201

      SHA512

      3237d3a234549704af058e64c4e190f07023e44164bae66e31c87a733ed215c827d2c29facce53a1dc781cc31f538f8f17e4a389ca21354c111ed9da04429511

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\00149-~1.PNG
      Filesize

      1.2MB

      MD5

      5cf577304c7231e35ab9296db1207993

      SHA1

      6deec1a72be8e657dcb484d58e81d138cfd8f25d

      SHA256

      ad7544c407ec1655adc699e70b75b5d75c3a7f28538a9738925b5f020b5e571c

      SHA512

      e1615432911024c9ad9abca3f851a94647f22b2600160dca9ad6ac18c2830d78e6e87f96cc4ecb2d9b597b66b0a7ddf5774299415cc0bd40d4e19741352aa37f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\00150-~1.PNG
      Filesize

      1.2MB

      MD5

      09f104f5af838fc714ba3d17623008b9

      SHA1

      842bcd3e250ab2ee598947ba241cafb274dda591

      SHA256

      caf1252510b1be93214fc9d464a20fdbf81a89839f7e0bc9156190762af3714f

      SHA512

      c37105eeaf8659546922066ffc712f88527adb59954c74381a53afa3623b8bedbdad548f26d3ecfd43cb0f0eca7f052ddf953358ece96d1199ff1e5e76e5604c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\00151-~1.PNG
      Filesize

      1.1MB

      MD5

      64d144051485b81b8a7c83476ba59427

      SHA1

      044bd6b794414b82d1579d309d3762d02e39d292

      SHA256

      f63482d06fbe08336aa1b7b7ec813bad196bba9f60a6a27363a82c9da9cc17f0

      SHA512

      d38f9ca097277cf6500258e16cb183deaa07b10e2060d93810af3eb97e8c97285817b32ab5876d5f42b0ca504dd5b562f421b7eb2ad65be5d950eb52f6ead1db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\data.bin
      Filesize

      92KB

      MD5

      8b305b67e45165844d2f8547a085d782

      SHA1

      92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

      SHA256

      776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

      SHA512

      2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\data2.bin
      Filesize

      1.8MB

      MD5

      78ed007015a6be04035921a5c9881a3e

      SHA1

      3a3a7a8c84f192eaf3e399aacd630b95ee848005

      SHA256

      43ebb3f62d6ddfc43ffea5b7de0c4992db1920591f19552148c36863ef16f454

      SHA512

      6b8453a28db2a154667c794c12c73f9426fc145f56f7a3d884eef8d7fff9076feec202f1c2e90899701caf952c6778266e851c852c1858b5aef0caafd3bb3e39

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\dbgeng.dll
      Filesize

      736KB

      MD5

      0e15cf36767154814fb8e6b61c726e19

      SHA1

      1f7bae6cb38aa8da60723ead126840f49e7af07d

      SHA256

      036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

      SHA512

      4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\msiwrapper.ini
      Filesize

      1KB

      MD5

      a515d84b6097a8180bd85b02da5dc99b

      SHA1

      e199d62ce4fef7fa9153fbf07e4ee092ba94b49c

      SHA256

      4c3b32560717038ace443ab332c3c4ead3b6f766ecf6f0a923ce9061b37c98ae

      SHA512

      0c6473128900bdeb591c953dffc3b68a8d6f86444c5fec0f3a6f93d2a93ae911d30ba8f2ed0b957c641375fa1b8c3fccb38ab2271b55a305d24b6784214031aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\msiwrapper.ini
      Filesize

      1KB

      MD5

      a515d84b6097a8180bd85b02da5dc99b

      SHA1

      e199d62ce4fef7fa9153fbf07e4ee092ba94b49c

      SHA256

      4c3b32560717038ace443ab332c3c4ead3b6f766ecf6f0a923ce9061b37c98ae

      SHA512

      0c6473128900bdeb591c953dffc3b68a8d6f86444c5fec0f3a6f93d2a93ae911d30ba8f2ed0b957c641375fa1b8c3fccb38ab2271b55a305d24b6784214031aa

      Download Submit

    • C:\Windows\Installer\MSI8B6E.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit

    • C:\tmpa\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • \??\c:\tmpa\script.au3
      Filesize

      499KB

      MD5

      dadd841301a9e91a1f2fee0ac37a94a5

      SHA1

      64f43876eeaae2b091cfc820353bf903290482d3

      SHA256

      53e48b6b1edb8299333b19bca07327a3e706d42ee57bc44e239e7de642405fe5

      SHA512

      c6b26acea5ff78ec9d03db93b27ef864ba0fae1b7b5ee724c8be208d51dbedd7ef380b6aace17a1b3641308c75a538ee6c2259adb073b4fdef9ae1f54cd3e30e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\dbgeng.dll
      Filesize

      736KB

      MD5

      0e15cf36767154814fb8e6b61c726e19

      SHA1

      1f7bae6cb38aa8da60723ead126840f49e7af07d

      SHA256

      036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

      SHA512

      4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-7c8ad5b6-f53d-4f1e-82d2-53b73f83f75e\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Windows\Installer\MSI8B6E.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit

    • \tmpa\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • memory/2052-108-0x0000000000100000-0x00000000001BD000-memory.dmp

      Filesize

      756KB

      Download

    • memory/2052-101-0x0000000000260000-0x0000000000360000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2052-97-0x0000000000100000-0x00000000001BD000-memory.dmp

      Filesize

      756KB

      Download

    • memory/2688-114-0x0000000000930000-0x0000000000D30000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2688-115-0x00000000030C0000-0x00000000033EA000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/2688-121-0x00000000030C0000-0x00000000033EA000-memory.dmp

      Filesize

      3.2MB

      Download