Overview

overview

10

Static

static

1

1e070c7d2e26a.msi

windows7-x64

10

1e070c7d2e26a.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2023 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e070c7d2e26a.msi

  • Size

    8.5MB

  • MD5

    d63fda12b0bcaa5f916d6ee1d1b64315

  • SHA1

    8ec3ecd34f9e62a628c9a75744df348820d1ea2a

  • SHA256

    b2e6c0a826feb05452e6c2377fd0e365c269906c964d2ec7cc45b8608c49137e

  • SHA512

    9c13f112b5ca21332837954357bde4d1cc626e4d928cfbb5caad5a74595081fe82f39e85ff5f2107b81b1eb895f985459a83928762fdfbb8bee8642933a6ce9c

  • SSDEEP

    196608:SeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9wiVIu653rGDRBX/:SdhVs6WXjX9HZ5AQX32WDSVo5bKBX/

Score
10/10
darkgateplexdiscoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

C2

http://homeservicetreking.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    8443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    UxRmvbdCWVKFVZ

  • internal_mutex

    txtMut

  • minimum_disk

    20

  • minimum_ram

    6000

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    PLEX

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1e070c7d2e26a.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:616
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 56C486CE17368E31B2E15F57F3A5A422
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2836
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2328
      • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2076
        • \??\c:\tmpa\Autoit3.exe
          c:\tmpa\Autoit3.exe c:\tmpa\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files"
        3⤵
          PID:940
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:2036
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "00000000000004C8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2820

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    File and Directory Permissions Modification

    1
    T1222

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files.cab
      Filesize

      8.3MB

      MD5

      95bc65caa64ad58cfd30c87fb13fec37

      SHA1

      539d20551c1467f37dfb1d3723025c190c0bb493

      SHA256

      fcc1093485b69f3e9d9457ddd58206f018fe96bbb667c73c2fbc845a4c358206

      SHA512

      77153ec463ba754b93931081ae8290ec282c03841ffc32d22e6901d7e8c170138c4fb8282220b9cdd956a00bb5a42859419f8ded97db9ce26dd19c02b765aac0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\00004-~1.PNG
      Filesize

      1.1MB

      MD5

      2ccc17c1a5bb5e656e7f3bb09ff0beff

      SHA1

      05866cf7dd5fa99ea852b01c2791b30e7741ea19

      SHA256

      411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

      SHA512

      46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\00005-~1.PNG
      Filesize

      1.8MB

      MD5

      dee56d4f89c71ea6c4f1e75b82f2e9c9

      SHA1

      293ce531cddbf4034782d5dfed1e35c807d75c52

      SHA256

      a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

      SHA512

      e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\00006-~1.PNG
      Filesize

      1.8MB

      MD5

      173a98c6c7a166db7c3caa3a06fec06c

      SHA1

      3c562051f42353e72ba87b6f54744f6d0107df86

      SHA256

      212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

      SHA512

      9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\00007-~1.PNG
      Filesize

      1.6MB

      MD5

      94b4895b7b8a60481393b7b8c22ad742

      SHA1

      902796c4aee78ab74e7ba5004625d797d83a8787

      SHA256

      f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

      SHA512

      d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\data.bin
      Filesize

      92KB

      MD5

      175da1ba3139e5196fab23f1631c5c5d

      SHA1

      6174d9b24e149418e08af79045b1d8eb1dd03b99

      SHA256

      85ddfeabb5d31a71c1297d7d6c894ca915de9d267f345cafa5871a2701ae8894

      SHA512

      6271c5058442e0530f6df451761c4489493f8320518447aaea3b89e20430fa2291c99493b11389bfcd0b3da0ecbb4c5a85ace69c0c2f081db74a97274c2a2ebd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\data2.bin
      Filesize

      1.8MB

      MD5

      6789c4500f158ea0a20356a2ec530cae

      SHA1

      df8642ade1e4b2bf0e623ddd54d02c2952f78f07

      SHA256

      3abd9c5ad3e43ec44ce355a0b378aa5596988ae4fa5e32eeb124515fdac52773

      SHA512

      2bc9c1b448d28311182bbdd4c5dd6522b3d694907ce58da31e7b3a14fc01b3f532032d568dc83a5cf75bdc3d978c2298d2087793adb7d03763fe9dc0a3bf2491

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\dbgeng.dll
      Filesize

      1.9MB

      MD5

      893fd607902a4cebceb787ddce21d35e

      SHA1

      51c7998af63844396e78ac802cef86e7b8bba0b8

      SHA256

      b6a092efcbb8883009dddd855af3d006a691ca533c421676348ebc7018a03898

      SHA512

      7a114093b672ce214e1bf3add84f24b98dc9bdb5e9691fb4b06394e038e201c3b2241b34f2c548d4454067cd51a6dc787e023c05a180d89c6ecd9b261651bbbc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\msiwrapper.ini
      Filesize

      370B

      MD5

      62e73b19b83e6288333b26c3609d2598

      SHA1

      bf1569bcb4bffd5f8f28bbc11f0b7cbe98f8454f

      SHA256

      940180190bddd6291385e8d26594e40a7212c9d1ea84de29d22ed36376abfe5e

      SHA512

      7007703aedbfd402932e80e2e39501fd7710399ca74165fd7d17b758b4e6e5923a77a736685f47da08c4bb27d45396a5efcced9177a8ebe0c9969a1c1b2e641c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\msiwrapper.ini
      Filesize

      1KB

      MD5

      a8e03e0426aa093351707eee035451bb

      SHA1

      cc7103fc2873eb734537c732246e285e81f385a9

      SHA256

      4a3bb5a6936077582169073379cc8237c96d040afa37b4c98d6f3ec1656b54f8

      SHA512

      afbe99fe2ecbb3b3f7659d86429c6ad645eed97212dc107fd595fd3a954dec1823dcfc052b741612affaa0d28e65a06f2bf79efe1a0eaff3e521d496d8685d4d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\msiwrapper.ini
      Filesize

      1KB

      MD5

      a8e03e0426aa093351707eee035451bb

      SHA1

      cc7103fc2873eb734537c732246e285e81f385a9

      SHA256

      4a3bb5a6936077582169073379cc8237c96d040afa37b4c98d6f3ec1656b54f8

      SHA512

      afbe99fe2ecbb3b3f7659d86429c6ad645eed97212dc107fd595fd3a954dec1823dcfc052b741612affaa0d28e65a06f2bf79efe1a0eaff3e521d496d8685d4d

      Download Submit
    • C:\Windows\Installer\MSI190C.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit
    • C:\tmpa\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • \??\c:\tmpa\script.au3
      Filesize

      525KB

      MD5

      8d68640ef1f8448ffb3431f5c757b4cb

      SHA1

      4a961594137184fdd5c9fbe22bef77a6384c3d40

      SHA256

      147406be6ee73373bb9e1650a3be6a5919d973647ededaf3018be51c29e9fdf3

      SHA512

      148c3b3ff25d208652ba24e35e0bd7f9f914e7682b18efe2ba2c9fdaabe2ee0f20aa6e7607af9e66f92cf8c905f0420deca354269332b44b217281fd0af4fceb

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\dbgeng.dll
      Filesize

      1.9MB

      MD5

      893fd607902a4cebceb787ddce21d35e

      SHA1

      51c7998af63844396e78ac802cef86e7b8bba0b8

      SHA256

      b6a092efcbb8883009dddd855af3d006a691ca533c421676348ebc7018a03898

      SHA512

      7a114093b672ce214e1bf3add84f24b98dc9bdb5e9691fb4b06394e038e201c3b2241b34f2c548d4454067cd51a6dc787e023c05a180d89c6ecd9b261651bbbc

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-923f1e4d-c88b-43d8-aa03-78e0d5b7cfa8\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit
    • \Windows\Installer\MSI190C.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit
    • \tmpa\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit
    • memory/2076-101-0x00000000005A0000-0x00000000007A0000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/2076-113-0x00000000001C0000-0x000000000024A000-memory.dmp
      Filesize

      552KB

      Download
    • memory/2076-111-0x00000000005A0000-0x00000000007A0000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/2076-104-0x00000000001C0000-0x000000000024A000-memory.dmp
      Filesize

      552KB

      Download
    • memory/2560-123-0x0000000003050000-0x00000000031E5000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2560-117-0x0000000002990000-0x0000000002A90000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2560-118-0x0000000002990000-0x0000000002A90000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2560-126-0x0000000003050000-0x00000000031E5000-memory.dmp
      Filesize

      1.6MB

      Download