Malware Analysis Report

2024-11-15 07:17

Sample ID 231119-z3mhrabf43
Target 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.zip
SHA256 9fbc0396a2da0e9097e0ba9b18d52b57984903fd19106b3923ee26da761419fb
Tags
darkgate user_871236672 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fbc0396a2da0e9097e0ba9b18d52b57984903fd19106b3923ee26da761419fb

Threat Level: Known bad

The file 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.zip was found to be: Known bad.

Malicious Activity Summary

darkgate user_871236672 discovery stealer

DarkGate

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-19 21:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-19 21:14

Reported

2023-11-19 21:19

Platform

win7-20231020-en

Max time kernel

117s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f7700fa.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7700fb.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f7700fa.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7700fb.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI38A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1780 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1780 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1780 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1780 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1780 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1780 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2996 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2996 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2996 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2996 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2996 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2996 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2996 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2996 wrote to memory of 1320 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe
PID 2996 wrote to memory of 1320 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe
PID 2996 wrote to memory of 1320 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe
PID 2996 wrote to memory of 1320 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe
PID 2996 wrote to memory of 1320 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe
PID 2996 wrote to memory of 1320 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe
PID 2996 wrote to memory of 1320 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe
PID 1320 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1320 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1320 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1320 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2996 wrote to memory of 1892 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1892 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1892 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1892 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1932 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2996 wrote to memory of 1932 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2996 wrote to memory of 1932 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2996 wrote to memory of 1932 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000005AC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AD85A486E95EA8340E1880310069C0B2

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files"

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

N/A

Files

C:\Windows\Installer\MSI38A.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\Windows\Installer\MSI38A.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\msiwrapper.ini

MD5 fc613b74a9887946ba1a51b8b0b4e2a8
SHA1 85cc94ffa75e2e4e047f330816b1667dc47c9b1e
SHA256 54e35e8ed01c779359618e8c70c6501c10ae955b106bf4eaed8e458454ebeca1
SHA512 cc12073e57a4df53aa79a6662570016ee7bb309aa0d0ee9bdff166c5fd0d5e0f31ca19503c491d5d43a9147fd1203623d209a2ea2ffeba44d3cce6431393fbef

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files.cab

MD5 c2861c23df5ad7a31c8ae622dc87f867
SHA1 0c50bc37cbf26c1e91f34b4a617f7ad663c78b13
SHA256 beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013
SHA512 81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\msiwrapper.ini

MD5 fc613b74a9887946ba1a51b8b0b4e2a8
SHA1 85cc94ffa75e2e4e047f330816b1667dc47c9b1e
SHA256 54e35e8ed01c779359618e8c70c6501c10ae955b106bf4eaed8e458454ebeca1
SHA512 cc12073e57a4df53aa79a6662570016ee7bb309aa0d0ee9bdff166c5fd0d5e0f31ca19503c491d5d43a9147fd1203623d209a2ea2ffeba44d3cce6431393fbef

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

memory/1320-95-0x00000000004E0000-0x00000000006E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\data.bin

MD5 bb8c7df11b277155036fd6f62110d818
SHA1 c7f7413f4e525822be37b33817a1755a04fec4e8
SHA256 742f8df79f6dd2bd16d00d7235f655b32b687886cda485808d1c1762ba44336a
SHA512 a568949fcef56f0db85c5f452b345f4912c8ce9435915b9380b21f97bebbcc0961e9739b8c62fa5181d527e1852c72e3bd947a56dddb0a3031c6f2c9d67e1b1d

memory/1320-98-0x0000000000290000-0x000000000031A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\data2.bin

MD5 148787dfd8c9b0d3c0681f0a984cbcf0
SHA1 0456d2fd54da6e9eaa239b9620efcf17c9cf95c5
SHA256 4f1c84df725ddff0403f24080baff45abc06a1191b43c00f9847d791b7b79488
SHA512 e0e4c8fc3953e48f253f3b762f6df6ec7bce0067e6f867eb1e8e5b3921ea7eada1993f8a173ae7f29103927b4e339374425b9f2a729da075fa142a8b5440e830

\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1320-105-0x00000000004E0000-0x00000000006E0000-memory.dmp

\??\c:\tmpa\script.au3

MD5 74de66e9523816a5b1dfbdb31b56cb3b
SHA1 9b0bd88932223c819d2c10d5739abdaf4f1a3cec
SHA256 91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2
SHA512 21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

memory/1320-107-0x0000000000290000-0x000000000031A000-memory.dmp

memory/3056-111-0x0000000002F90000-0x0000000003390000-memory.dmp

memory/3056-110-0x0000000003650000-0x00000000037E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\00007-~1.PNG

MD5 94b4895b7b8a60481393b7b8c22ad742
SHA1 902796c4aee78ab74e7ba5004625d797d83a8787
SHA256 f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973
SHA512 d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\00006-~1.PNG

MD5 173a98c6c7a166db7c3caa3a06fec06c
SHA1 3c562051f42353e72ba87b6f54744f6d0107df86
SHA256 212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad
SHA512 9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\00005-~1.PNG

MD5 dee56d4f89c71ea6c4f1e75b82f2e9c9
SHA1 293ce531cddbf4034782d5dfed1e35c807d75c52
SHA256 a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf
SHA512 e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

C:\Users\Admin\AppData\Local\Temp\MW-df39d49c-aa42-45fa-abff-6fda62deed61\files\00004-~1.PNG

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-19 21:14

Reported

2023-11-19 21:20

Platform

win10v2004-20231023-en

Max time kernel

138s

Max time network

165s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC317.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE1FC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59c029.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e59c029.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE1DB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{3D6CC9D9-208A-4C2E-8054-F677C4EFB216} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 2952 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3584 wrote to memory of 2952 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3584 wrote to memory of 4728 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3584 wrote to memory of 4728 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3584 wrote to memory of 4728 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4728 wrote to memory of 5096 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4728 wrote to memory of 5096 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4728 wrote to memory of 5096 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4728 wrote to memory of 1472 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 4728 wrote to memory of 1472 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 4728 wrote to memory of 1472 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 4728 wrote to memory of 3496 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe
PID 4728 wrote to memory of 3496 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe
PID 4728 wrote to memory of 3496 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe
PID 3496 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 3496 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 3496 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 4728 wrote to memory of 3356 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4728 wrote to memory of 3356 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4728 wrote to memory of 3356 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1BEC7EC71DF835814B38FB3C684A18FD

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 67.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 48.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Windows\Installer\MSIC317.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSIC317.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\msiwrapper.ini

MD5 fca9361a025283fc49755b977481c0ba
SHA1 8c2f0a1f2fe572815f70f76b9265fbb87fbeba66
SHA256 b77f7a228b3d5ec7a759d8a52a1b7bfbf076f8f1ae878cc49d9d5bbaa013f8e7
SHA512 43329f202da4ace4f084c6de84571c6928c3fb33bf7d0b09810f94deb96cd8f3716551c42753358f524a0c1b0026fadbe704a2d72db0edf0f1c6751b4d429701

C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\files.cab

MD5 c2861c23df5ad7a31c8ae622dc87f867
SHA1 0c50bc37cbf26c1e91f34b4a617f7ad663c78b13
SHA256 beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013
SHA512 81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\msiwrapper.ini

MD5 fca9361a025283fc49755b977481c0ba
SHA1 8c2f0a1f2fe572815f70f76b9265fbb87fbeba66
SHA256 b77f7a228b3d5ec7a759d8a52a1b7bfbf076f8f1ae878cc49d9d5bbaa013f8e7
SHA512 43329f202da4ace4f084c6de84571c6928c3fb33bf7d0b09810f94deb96cd8f3716551c42753358f524a0c1b0026fadbe704a2d72db0edf0f1c6751b4d429701

memory/3496-66-0x0000000000710000-0x0000000000910000-memory.dmp

memory/3496-67-0x0000000002750000-0x00000000027DA000-memory.dmp

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3496-72-0x0000000000710000-0x0000000000910000-memory.dmp

\??\c:\tmpa\script.au3

MD5 74de66e9523816a5b1dfbdb31b56cb3b
SHA1 9b0bd88932223c819d2c10d5739abdaf4f1a3cec
SHA256 91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2
SHA512 21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

memory/3496-74-0x0000000002750000-0x00000000027DA000-memory.dmp

memory/3436-76-0x0000000004580000-0x0000000004980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-391564b5-846b-4765-8063-7e0c6cf406cd\msiwrapper.ini

MD5 58de734c62700e45c4a81593f3c09ea1
SHA1 c765c537b638b3095749139207b126f9342117e5
SHA256 6de587737a27098a70dd2b31fc17dbcb7c35146498c612d70d1486681d9a4e30
SHA512 f56b2836012085e3257c58bacf44f2aea2d9c8b0f095fdf1e842094122a3dc7300228abb84e66d89d78d93cc16e11578900e0ee94f54bb883aacf8ac3fbd437e

memory/3436-78-0x0000000004E80000-0x0000000005015000-memory.dmp

C:\Windows\Installer\MSIE1FC.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSIE1FC.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6567b081-cd46-41bf-8df2-63e6ebd0cdf7}_OnDiskSnapshotProp

MD5 cf3d16653d2f5dd5be88992a6c4f1bf1
SHA1 3c7e76303c375059709d15a0633f6364a105fadc
SHA256 5bc125c43da49d16a51e7eeb842adb1bfd12871bb2dba8d9cf4ea5b4cddb936f
SHA512 a6275207aca0a2550a7849f0d6976188b0622922ab5d4c5da17f23adbfba4329b87e91379e1d9789a54b1418c9a4cf32ece97b2d4437d552b57163fdd8192f97

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 2c2f85c40a81ba583eb20087b83fff20
SHA1 18d97eb87d792f3ab8f50dfa1086510b0f905d36
SHA256 c743e24c92c08845e3e474683e51f7830c44f28985ca35cafda6e4a64f95aa7a
SHA512 f1165e7f8a0dd24f33710b609e3695fded7c77887b9865ac173fa1f3005c3f3a9ea516226a01292256948147a9750768e45e4648af5e7a867e684a954607d510