Analysis
max time kernel: 138s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2023 21:14

Static task: static1

Behavioral task: behavioral1
Sample: 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
Resource: win10v2004-20231023-en
General
Target: 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
Size: 8.7MB
MD5: 1170e2b02b92895d9db0be336d032d90
SHA1: 18f49619d69b057e81163bdf08eab5f355ce662c
SHA256: 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7
SHA512: bd1ceeee7928592e318b7f28b557bfcb97e4bb8f65f8c09001f19a746c7532f4f9d86aa54aab2866b5852921aa04a4f8de18e6c9109cc91c94c34879013c0134
SSDEEP: 196608:YeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9cNzvhXoZJ+:YdhVs6WXjX9HZ5AQX32WD/oZY
Malware Config
Extracted
darkgate
user_871236672
http://adhufdauifadhj13.com
alternative_c2_port: 8080
anti_analysis: true
anti_debug: true
anti_vm: true
c2_port: 2351
check_disk: false
check_ram: true
check_xeon: true
crypter_au3: false
crypter_dll: false
crypter_rawstub: true
crypto_key: stanpttaHMuhnz
internal_mutex: txtMut
minimum_disk: 40
minimum_ram: 6002
ping_interval: 4
rootkit: true
startup_persistence: true
username: user_871236672
Signatures

Executes dropped EXE 1 IoCs
Processes: Autoit3.exe
pid / process:
3436 Autoit3.exe

Loads dropped DLL 2 IoCs
Processes: MsiExec.exe
pid / process:
4728 MsiExec.exe
4728 MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs
Processes: ICACLS.EXE, ICACLS.EXE
pid / process:
5096 ICACLS.EXE
3356 ICACLS.EXE
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description / ioc / process:
File opened (read-only) \??\<drive>: msiexec.exe, for every drive letter except C:, D: and F: (A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:), each letter opened twice (46 entries in total)
Drops file in Windows directory 9 IoCs
Processes: msiexec.exe
description / ioc / process:
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSIC317.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIE1FC.tmp msiexec.exe
File created C:\Windows\Installer\e59c029.msi msiexec.exe
File opened for modification C:\Windows\Installer\e59c029.msi msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSIE1DB.tmp msiexec.exe
File created C:\Windows\Installer\SourceHash{3D6CC9D9-208A-4C2E-8054-F677C4EFB216} msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description / ioc / process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary partition-table cache blob, hex omitted] vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = [binary snapshot data cache blob, hex omitted] vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Autoit3.exe
description / ioc / process:
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: msiexec.exe
pid / process:
3584 msiexec.exe
3584 msiexec.exe
Suspicious use of AdjustPrivilegeToken 53 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
description / pid / process (grouped by process, repeats kept):
3292 msiexec.exe (31 tokens): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
3584 msiexec.exe (11 tokens): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
4832 vssvc.exe (3 tokens): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2952 srtasks.exe (8 tokens): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid / process:
3292 msiexec.exe
3292 msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs
Processes: msiexec.exe, MsiExec.exe, windbg.exe
description / pid / process / target process (each pair listed with its repeat count):
PID 3584 wrote to memory of 2952: msiexec.exe -> srtasks.exe (2 entries)
PID 3584 wrote to memory of 4728: msiexec.exe -> MsiExec.exe (3 entries)
PID 4728 wrote to memory of 5096: MsiExec.exe -> ICACLS.EXE (3 entries)
PID 4728 wrote to memory of 1472: MsiExec.exe -> EXPAND.EXE (3 entries)
PID 4728 wrote to memory of 3496: MsiExec.exe -> windbg.exe (3 entries)
PID 3496 wrote to memory of 3436: windbg.exe -> Autoit3.exe (3 entries)
PID 4728 wrote to memory of 3356: MsiExec.exe -> ICACLS.EXE (3 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; indentation shows parent/child depth as recorded in the report)

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
  PID: 3292
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 3584
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (child of PID 3584)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 2952
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\syswow64\MsiExec.exe (child of PID 3584)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1BEC7EC71DF835814B38FB3C684A18FD
    PID: 4728
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ICACLS.EXE (child of PID 4728)
      command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      PID: 5096
      - Modifies file permissions

    C:\Windows\SysWOW64\EXPAND.EXE (child of PID 4728)
      command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      PID: 1472

    C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe (child of PID 4728)
      command line: "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe"
      PID: 3496
      - Suspicious use of WriteProcessMemory

      \??\c:\tmpa\Autoit3.exe (child of PID 3496)
        command line: c:\tmpa\Autoit3.exe c:\tmpa\script.au3
        PID: 3436
        - Executes dropped EXE
        - Checks processor information in registry

    C:\Windows\SysWOW64\ICACLS.EXE (child of PID 4728)
      command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      PID: 3356
      - Modifies file permissions

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 4832
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads