Analysis
-
max time kernel
11s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
12-11-2023 01:14
Static task
static1
Behavioral task
behavioral1
Sample
8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
Resource
win10v2004-20231020-en
General
-
Target
8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
-
Size
8.7MB
-
MD5
1170e2b02b92895d9db0be336d032d90
-
SHA1
18f49619d69b057e81163bdf08eab5f355ce662c
-
SHA256
8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7
-
SHA512
bd1ceeee7928592e318b7f28b557bfcb97e4bb8f65f8c09001f19a746c7532f4f9d86aa54aab2866b5852921aa04a4f8de18e6c9109cc91c94c34879013c0134
-
SSDEEP
196608:YeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9cNzvhXoZJ+:YdhVs6WXjX9HZ5AQX32WD/oZY
Malware Config
Extracted
darkgate
user_871236672
http://adhufdauifadhj13.com
-
alternative_c2_port
8080
-
anti_analysis
true
-
anti_debug
true
-
anti_vm
true
-
c2_port
2351
-
check_disk
false
-
check_ram
true
-
check_xeon
true
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
stanpttaHMuhnz
-
internal_mutex
txtMut
-
minimum_disk
40
-
minimum_ram
6002
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
user_871236672
Signatures
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
ICACLS.EXEICACLS.EXEpid process 776 ICACLS.EXE 3808 ICACLS.EXE -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ce060165ac6eec080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ce0601650000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ce060165000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dce060165000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ce06016500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeSecurityPrivilege 2808 msiexec.exe Token: SeCreateTokenPrivilege 1096 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1096 msiexec.exe Token: SeLockMemoryPrivilege 1096 msiexec.exe Token: SeIncreaseQuotaPrivilege 1096 msiexec.exe Token: SeMachineAccountPrivilege 1096 msiexec.exe Token: SeTcbPrivilege 1096 msiexec.exe Token: SeSecurityPrivilege 1096 msiexec.exe Token: SeTakeOwnershipPrivilege 1096 msiexec.exe Token: SeLoadDriverPrivilege 1096 msiexec.exe Token: SeSystemProfilePrivilege 1096 msiexec.exe Token: SeSystemtimePrivilege 1096 msiexec.exe Token: SeProfSingleProcessPrivilege 1096 msiexec.exe Token: SeIncBasePriorityPrivilege 1096 msiexec.exe Token: SeCreatePagefilePrivilege 1096 msiexec.exe Token: SeCreatePermanentPrivilege 1096 msiexec.exe Token: SeBackupPrivilege 1096 msiexec.exe Token: SeRestorePrivilege 1096 msiexec.exe Token: SeShutdownPrivilege 1096 msiexec.exe Token: SeDebugPrivilege 1096 msiexec.exe Token: SeAuditPrivilege 1096 msiexec.exe Token: SeSystemEnvironmentPrivilege 1096 msiexec.exe Token: SeChangeNotifyPrivilege 1096 msiexec.exe Token: SeRemoteShutdownPrivilege 1096 msiexec.exe Token: SeUndockPrivilege 1096 msiexec.exe Token: SeSyncAgentPrivilege 1096 msiexec.exe Token: SeEnableDelegationPrivilege 1096 msiexec.exe Token: SeManageVolumePrivilege 1096 msiexec.exe Token: SeImpersonatePrivilege 1096 msiexec.exe Token: SeCreateGlobalPrivilege 1096 msiexec.exe Token: SeBackupPrivilege 3896 vssvc.exe Token: SeRestorePrivilege 3896 vssvc.exe Token: SeAuditPrivilege 3896 vssvc.exe Token: SeBackupPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1096 msiexec.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1096
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:3832
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4D723147918AF45170C6449C37ADC49C2⤵PID:3316
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
PID:776
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵PID:4168
-
-
C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\files\windbg.exe"C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\files\windbg.exe"3⤵PID:4584
-
\??\c:\tmpa\Autoit3.exec:\tmpa\Autoit3.exe c:\tmpa\script.au34⤵PID:208
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
PID:3808
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3896
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.4MB
MD5c2861c23df5ad7a31c8ae622dc87f867
SHA10c50bc37cbf26c1e91f34b4a617f7ad663c78b13
SHA256beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013
SHA51281d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3
-
C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\files\00004-4001132497.png
Filesize1.1MB
MD52ccc17c1a5bb5e656e7f3bb09ff0beff
SHA105866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA51246b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5
-
C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\files\00005-3546315028.png
Filesize1.8MB
MD5dee56d4f89c71ea6c4f1e75b82f2e9c9
SHA1293ce531cddbf4034782d5dfed1e35c807d75c52
SHA256a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf
SHA512e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c
-
C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\files\00006-3546315029.png
Filesize1.8MB
MD5173a98c6c7a166db7c3caa3a06fec06c
SHA13c562051f42353e72ba87b6f54744f6d0107df86
SHA256212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad
SHA5129dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d
-
C:\Users\Admin\AppData\Local\Temp\MW-69cdf452-0554-40b3-863d-d93792caf90b\files\00007-3546315030.png
Filesize1.6MB
MD594b4895b7b8a60481393b7b8c22ad742
SHA1902796c4aee78ab74e7ba5004625d797d83a8787
SHA256f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973
SHA512d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e
-
Filesize
92KB
MD5bb8c7df11b277155036fd6f62110d818
SHA1c7f7413f4e525822be37b33817a1755a04fec4e8
SHA256742f8df79f6dd2bd16d00d7235f655b32b687886cda485808d1c1762ba44336a
SHA512a568949fcef56f0db85c5f452b345f4912c8ce9435915b9380b21f97bebbcc0961e9739b8c62fa5181d527e1852c72e3bd947a56dddb0a3031c6f2c9d67e1b1d
-
Filesize
2.0MB
MD5148787dfd8c9b0d3c0681f0a984cbcf0
SHA10456d2fd54da6e9eaa239b9620efcf17c9cf95c5
SHA2564f1c84df725ddff0403f24080baff45abc06a1191b43c00f9847d791b7b79488
SHA512e0e4c8fc3953e48f253f3b762f6df6ec7bce0067e6f867eb1e8e5b3921ea7eada1993f8a173ae7f29103927b4e339374425b9f2a729da075fa142a8b5440e830
-
Filesize
1.9MB
MD5ed7798f01f00f2ce332053e85b73d512
SHA19dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA5129ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee
-
Filesize
1.9MB
MD5ed7798f01f00f2ce332053e85b73d512
SHA19dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA5129ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee
-
Filesize
474KB
MD504ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA158dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA5125b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80
-
Filesize
474KB
MD504ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA158dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA5125b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80
-
Filesize
1KB
MD59aa88395b375a9350979ae1fb5f6cffe
SHA18f76ee8c937191dd254d3a1053e00371de891264
SHA2563d1ae67db317a9fba120961771b731d91bd20e68d740b91bcaf91d8cb0c7caa0
SHA512fb1938f21a10f1f2f0ddc16777038d0a7fafafc0917bbf82cdd473a4d7644fc7b2f666495615797411da5c2b2e223be73d1142e8ba5afb0b4b1596c6b77a8c85
-
Filesize
1KB
MD55544942aa397e1dccc6e2acf98d0f3f1
SHA199719307d32cac6319f190a61d576e721a12cc99
SHA256ce91d0ea34a118844fc19b74fc6dbd117a048a3949e5a6e2cfb676568bdb56b9
SHA512c34e34cf99a4d9ed27e0c2bed546c72ec53cc8f53d0dfe26b938164f1a54f3596fba1717722c33566ffcd378dcb96d42e5e4c2b6a311f1f849f7ec03e274105e
-
Filesize
1KB
MD55544942aa397e1dccc6e2acf98d0f3f1
SHA199719307d32cac6319f190a61d576e721a12cc99
SHA256ce91d0ea34a118844fc19b74fc6dbd117a048a3949e5a6e2cfb676568bdb56b9
SHA512c34e34cf99a4d9ed27e0c2bed546c72ec53cc8f53d0dfe26b938164f1a54f3596fba1717722c33566ffcd378dcb96d42e5e4c2b6a311f1f849f7ec03e274105e
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
18.4MB
MD5abc17bda57945424f7ef9b194b028e81
SHA189f9213e55617ae36c4c17df8d6f0ab6e618bcc6
SHA256730ba7ad765981643583ec88023f6651e42f1cdb5bd5de2953e1fe16ae3511f7
SHA512ba513ca4acaee145a24c5335b959fcf84ed305b02369875f9d447476824381910ee1b98bdfcb19250d12eb1fc40bf175408cd8516e964a5daac499591a908a71
-
\??\Volume{650106ce-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c983d223-7166-47ed-8af9-b4720d974460}_OnDiskSnapshotProp
Filesize5KB
MD532fc599eeb14a8db7d5de7592424d014
SHA1b2c4a71d1fa4dc338a5c5bde6f40966cee4f7db8
SHA256d221d6c07d095273ecbe7f6f7122dfaf7bd21860f6fcd41238f0301e7993a01f
SHA512c8e6f8eb7a5aac41cb4f0d28887c2780bf90c8be9bed20ef161cdf6124eecb91ef47732452b47b2ec00785c38df8fbc6d50b1c9b19aa38466d7fa6acdf005238
-
Filesize
698KB
MD574de66e9523816a5b1dfbdb31b56cb3b
SHA19b0bd88932223c819d2c10d5739abdaf4f1a3cec
SHA25691323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2
SHA51221da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a