Analysis

  • max time kernel
    138s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2023 21:14

General

  • Target

    8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

  • Size

    8.7MB

  • MD5

    1170e2b02b92895d9db0be336d032d90

  • SHA1

    18f49619d69b057e81163bdf08eab5f355ce662c

  • SHA256

    8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7

  • SHA512

    bd1ceeee7928592e318b7f28b557bfcb97e4bb8f65f8c09001f19a746c7532f4f9d86aa54aab2866b5852921aa04a4f8de18e6c9109cc91c94c34879013c0134

  • SSDEEP

    196608:YeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9cNzvhXoZJ+:YdhVs6WXjX9HZ5AQX32WD/oZY

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

C2

http://adhufdauifadhj13.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    stanpttaHMuhnz

  • internal_mutex

    txtMut

  • minimum_disk

    40

  • minimum_ram

    6002

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    user_871236672

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3292
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1BEC7EC71DF835814B38FB3C684A18FD
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:5096
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        PID:1472
      • C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3496
        • \??\c:\tmpa\Autoit3.exe
          c:\tmpa\Autoit3.exe c:\tmpa\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:3436
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:3356
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4832

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files.cab

      Filesize

      8.4MB

      MD5

      c2861c23df5ad7a31c8ae622dc87f867

      SHA1

      0c50bc37cbf26c1e91f34b4a617f7ad663c78b13

      SHA256

      beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013

      SHA512

      81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

    • C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\msiwrapper.ini

      Filesize

      1KB

      MD5

      fca9361a025283fc49755b977481c0ba

      SHA1

      8c2f0a1f2fe572815f70f76b9265fbb87fbeba66

      SHA256

      b77f7a228b3d5ec7a759d8a52a1b7bfbf076f8f1ae878cc49d9d5bbaa013f8e7

      SHA512

      43329f202da4ace4f084c6de84571c6928c3fb33bf7d0b09810f94deb96cd8f3716551c42753358f524a0c1b0026fadbe704a2d72db0edf0f1c6751b4d429701

    • C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\msiwrapper.ini

      Filesize

      1KB

      MD5

      58de734c62700e45c4a81593f3c09ea1

      SHA1

      c765c537b638b3095749139207b126f9342117e5

      SHA256

      6de587737a27098a70dd2b31fc17dbcb7c35146498c612d70d1486681d9a4e30

      SHA512

      f56b2836012085e3257c58bacf44f2aea2d9c8b0f095fdf1e842094122a3dc7300228abb84e66d89d78d93cc16e11578900e0ee94f54bb883aacf8ac3fbd437e

    • C:\Windows\Installer\MSIC317.tmp

      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    • C:\Windows\Installer\MSIE1FC.tmp

      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    • C:\tmpa\Autoit3.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.0MB

      MD5

      2c2f85c40a81ba583eb20087b83fff20

      SHA1

      18d97eb87d792f3ab8f50dfa1086510b0f905d36

      SHA256

      c743e24c92c08845e3e474683e51f7830c44f28985ca35cafda6e4a64f95aa7a

      SHA512

      f1165e7f8a0dd24f33710b609e3695fded7c77887b9865ac173fa1f3005c3f3a9ea516226a01292256948147a9750768e45e4648af5e7a867e684a954607d510

    • \??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6567b081-cd46-41bf-8df2-63e6ebd0cdf7}_OnDiskSnapshotProp

      Filesize

      5KB

      MD5

      cf3d16653d2f5dd5be88992a6c4f1bf1

      SHA1

      3c7e76303c375059709d15a0633f6364a105fadc

      SHA256

      5bc125c43da49d16a51e7eeb842adb1bfd12871bb2dba8d9cf4ea5b4cddb936f

      SHA512

      a6275207aca0a2550a7849f0d6976188b0622922ab5d4c5da17f23adbfba4329b87e91379e1d9789a54b1418c9a4cf32ece97b2d4437d552b57163fdd8192f97

    • \??\c:\tmpa\script.au3

      Filesize

      698KB

      MD5

      74de66e9523816a5b1dfbdb31b56cb3b

      SHA1

      9b0bd88932223c819d2c10d5739abdaf4f1a3cec

      SHA256

      91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2

      SHA512

      21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

    • memory/3436-78-0x0000000004E80000-0x0000000005015000-memory.dmp

      Filesize

      1.6MB

    • memory/3436-76-0x0000000004580000-0x0000000004980000-memory.dmp

      Filesize

      4.0MB

    • memory/3496-74-0x0000000002750000-0x00000000027DA000-memory.dmp

      Filesize

      552KB

    • memory/3496-72-0x0000000000710000-0x0000000000910000-memory.dmp

      Filesize

      2.0MB

    • memory/3496-67-0x0000000002750000-0x00000000027DA000-memory.dmp

      Filesize

      552KB

    • memory/3496-66-0x0000000000710000-0x0000000000910000-memory.dmp

      Filesize

      2.0MB