Overview

overview

10

Static

static

1

1c532f2594.msi

windows7-x64

10

1c532f2594.msi

windows10-2004-x64

6

Resubmissions

26-12-2023 08:41

231226-klnl6abhh2 10

19-11-2023 21:36

231119-1fyg6sbh52 10

Analysis

  • max time kernel
    122s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2023 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c532f2594.msi

  • Size

    8.5MB

  • MD5

    fbf5d7b4c5f0e86a95b4fcd5c5ccc534

  • SHA1

    51588315ff4ae36412c337361ea65f84810938d8

  • SHA256

    6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d

  • SHA512

    3ef2d34071fc10bed59dbe60df3789524f62b89284cc011f1ab0a790196f9010ef6fa41d809947f52668918aa72c90c17211d6be82707b0f8099df548fb40588

  • SSDEEP

    196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8

Score
10/10
darkgateplexdiscoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

C2

http://jordanmikejeforse.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    8443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    yIzFYincIffips

  • internal_mutex

    txtMut

  • minimum_disk

    20

  • minimum_ram

    6000

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    PLEX

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1c532f2594.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1948
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 15D72E86F34724D9C7C0DC3CDFB5DD71
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:632
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2784
      • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1132
        • \??\c:\tmpa\Autoit3.exe
          c:\tmpa\Autoit3.exe c:\tmpa\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files"
        3⤵
          PID:872
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:2152
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C8" "0000000000000560"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2576

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files.cab
      Filesize

      8.3MB

      MD5

      d5298413b9d6dc59e277eb08f6e4431c

      SHA1

      55d71275c8737068b130dade96a8354d966e295a

      SHA256

      5d8fea0c2e3a41247dada38ccaf7222aef40fc485e26e54dbee1fbcadb3079c0

      SHA512

      983fee4dd48b55eb572b09eb1d743a61a67d320c23b55f7b9e8a9e55e407b8b3db00ffe5ca4c6793d26b436decb9dac9323003692c8ebac291c70396e6a0e2b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\00004-~1.PNG
      Filesize

      1.1MB

      MD5

      2ccc17c1a5bb5e656e7f3bb09ff0beff

      SHA1

      05866cf7dd5fa99ea852b01c2791b30e7741ea19

      SHA256

      411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

      SHA512

      46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\00005-~1.PNG
      Filesize

      1.8MB

      MD5

      dee56d4f89c71ea6c4f1e75b82f2e9c9

      SHA1

      293ce531cddbf4034782d5dfed1e35c807d75c52

      SHA256

      a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

      SHA512

      e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\00006-~1.PNG
      Filesize

      1.8MB

      MD5

      173a98c6c7a166db7c3caa3a06fec06c

      SHA1

      3c562051f42353e72ba87b6f54744f6d0107df86

      SHA256

      212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

      SHA512

      9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\00007-~1.PNG
      Filesize

      1.6MB

      MD5

      94b4895b7b8a60481393b7b8c22ad742

      SHA1

      902796c4aee78ab74e7ba5004625d797d83a8787

      SHA256

      f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

      SHA512

      d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\data.bin
      Filesize

      92KB

      MD5

      472526a8c742a25296b345509638c863

      SHA1

      345523ddcd3216cf060ce242071374614fc372a6

      SHA256

      5d7aace8eb61d1fb4553069d8501100d64abb9968b1f20f84f3d23c71dab1366

      SHA512

      8ab00a37557e6e92476a85ae8e5f71fa1a84e54a0e60e5f75eb553d12e145b17fd4b82b81cf2610435976c828f29865df41c4cddc2224e55dfa0edf7375f67f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\data2.bin
      Filesize

      1.8MB

      MD5

      5be4a940ee8e35bafe74fb4b80c81ef1

      SHA1

      aaef9c2779ce4a43859248a181b30f70bb947a50

      SHA256

      61e7a91c74b852f0eec7587bed6080d2950769b7b7587927d8dcfafe03e9d670

      SHA512

      d6d6dd61af6f3a0ee3db240b6b341fd310716c3f5fe78ee79a8cfc39349ad5ab8ec3823d15acc8cf56e03d78e30734beae9cd151bced6e42b3123b0f00e73930

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\dbgeng.dll
      Filesize

      1.9MB

      MD5

      a5fcc0097a7eca9ed79596243aac4652

      SHA1

      865f03e10c56d2d1c30f500597a6d0dbd1030f68

      SHA256

      8e8ea3571042dffcd35491bfd1530a7e4c10ee04efd3ab181bdde37ef1e07e0d

      SHA512

      1644a70d039aa9b221e5d65a2879ffabd1cfd0798d6be31ba16938225286a465281ae768d396203668ee6aec417216018a1ad833124d63e1ddbbd667ab097505

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\msiwrapper.ini
      Filesize

      830B

      MD5

      49c1e688bd800eb650be0b183069ea1a

      SHA1

      b84478e45df1ee48e28e22caee08197a348219ed

      SHA256

      6337c7ca34deab242132898b08082d25f52f8393ca3a27634c5405023051f0de

      SHA512

      07a4ab36f3adb1121010d3a68e2936ebe2bfda54cc21b39942914706d9ceab9a8fb7d482a9d32ba990c1cabc7ba97e00563fab47b1ac7b493475d14932a0a2ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\msiwrapper.ini
      Filesize

      1KB

      MD5

      1f6c0c80461dd2684d7f43147d7c297a

      SHA1

      995f4f225e8ae253b4af77cfe4533e468559cf54

      SHA256

      dc62fafb9582369775323e2b63eddd5abfe4658f779c39d46f3cd789baa89277

      SHA512

      61a236eed36682895756e217b3b62a584645ae66034896febb5e89a73232275f93f7a2b4f86d17e6e1f2af122d1a41b1dc9188ff14d5ccc9d679957b6862dac2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\msiwrapper.ini
      Filesize

      1KB

      MD5

      1f6c0c80461dd2684d7f43147d7c297a

      SHA1

      995f4f225e8ae253b4af77cfe4533e468559cf54

      SHA256

      dc62fafb9582369775323e2b63eddd5abfe4658f779c39d46f3cd789baa89277

      SHA512

      61a236eed36682895756e217b3b62a584645ae66034896febb5e89a73232275f93f7a2b4f86d17e6e1f2af122d1a41b1dc9188ff14d5ccc9d679957b6862dac2

      Download Submit

    • C:\Windows\Installer\MSIDDE1.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit

    • C:\tmpa\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • \??\c:\tmpa\script.au3
      Filesize

      536KB

      MD5

      53041e3e4bae56f12d3b1b8e395f0055

      SHA1

      ff1ccc146e62dd9f4a0f233d9a37854b1190f6c0

      SHA256

      65f996a60954e9c328624ff8f76ed150cc9facfde950e223bc4f8e1554a40b3f

      SHA512

      5560e86341cb2c07a5cc4aca14c07b463e3d6b18691a07ebfc85ff8079b5adb12b68c659278f7e402921f8990f00ef7c5946a0a30b7d41abb55b2ea68f87a7e5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\dbgeng.dll
      Filesize

      1.9MB

      MD5

      a5fcc0097a7eca9ed79596243aac4652

      SHA1

      865f03e10c56d2d1c30f500597a6d0dbd1030f68

      SHA256

      8e8ea3571042dffcd35491bfd1530a7e4c10ee04efd3ab181bdde37ef1e07e0d

      SHA512

      1644a70d039aa9b221e5d65a2879ffabd1cfd0798d6be31ba16938225286a465281ae768d396203668ee6aec417216018a1ad833124d63e1ddbbd667ab097505

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-27815eb9-9bd8-493b-baae-b63d918e43cd\files\windbg.exe
      Filesize

      474KB

      MD5

      04ec4f58a1f4a87b5eeb1f4b7afc48e0

      SHA1

      58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

      SHA256

      bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

      SHA512

      5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

      Download Submit

    • \Windows\Installer\MSIDDE1.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit

    • \tmpa\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • memory/1132-95-0x0000000000470000-0x0000000000670000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1132-107-0x0000000002320000-0x00000000023AA000-memory.dmp

      Filesize

      552KB

      Download

    • memory/1132-98-0x0000000002320000-0x00000000023AA000-memory.dmp

      Filesize

      552KB

      Download

    • memory/1132-105-0x0000000000470000-0x0000000000670000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2240-111-0x0000000002930000-0x0000000002A30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2240-112-0x0000000002FD0000-0x0000000003165000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2240-113-0x0000000002FD0000-0x0000000003165000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2240-114-0x0000000002930000-0x0000000002A30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2240-108-0x0000000002930000-0x0000000002A30000-memory.dmp

      Filesize

      1024KB

      Download