Malware Analysis Report

2024-11-15 07:17

Sample ID 231119-zjvd9abd79
Target e7019ee941b030e2c7e900bbfc11a0145bb929f02a73d62a419086b800cdce9c.zip
SHA256 adcbb74a6e3a3b92324d450df007b02bc9293f35f485cd18a5b7a660610c4334
Tags
darkgate user_871236672 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adcbb74a6e3a3b92324d450df007b02bc9293f35f485cd18a5b7a660610c4334

Threat Level: Known bad

The file e7019ee941b030e2c7e900bbfc11a0145bb929f02a73d62a419086b800cdce9c.zip was found to be: Known bad.

Malicious Activity Summary

darkgate user_871236672 discovery stealer

DarkGate

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-19 20:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-19 20:45

Reported

2023-11-19 20:51

Platform

win7-20231023-en

Max time kernel

202s

Max time network

162s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e91874c5d8c2.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f79ace2.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f79ace2.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f79ace3.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICD9C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\f79ace3.ipi C:\Windows\system32\msiexec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 1736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2520 wrote to memory of 1736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2520 wrote to memory of 1736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2520 wrote to memory of 1736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2520 wrote to memory of 1736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2520 wrote to memory of 1736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2520 wrote to memory of 1736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1736 wrote to memory of 2260 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1736 wrote to memory of 2260 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1736 wrote to memory of 2260 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1736 wrote to memory of 2260 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1736 wrote to memory of 1816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 1736 wrote to memory of 1816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 1736 wrote to memory of 1816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 1736 wrote to memory of 1816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 1736 wrote to memory of 964 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe
PID 1736 wrote to memory of 964 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe
PID 1736 wrote to memory of 964 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe
PID 1736 wrote to memory of 964 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe
PID 1736 wrote to memory of 964 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe
PID 1736 wrote to memory of 964 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe
PID 1736 wrote to memory of 964 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe
PID 964 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 964 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 964 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 964 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1736 wrote to memory of 2416 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2416 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2416 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2416 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 608 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1736 wrote to memory of 608 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1736 wrote to memory of 608 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1736 wrote to memory of 608 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e91874c5d8c2.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000031C" "00000000000003DC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 56C1A786FCBB18A117DEE196F8632985

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

N/A

Files

C:\Windows\Installer\MSICD9C.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\Windows\Installer\MSICD9C.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\msiwrapper.ini

MD5 ae81644a23cc083570d83a137d70229f
SHA1 9854ab2472495562c1d463b5e62d9d0d3357f2c9
SHA256 8d993a204595b4d25560ac8496df569071dc43536848e47c7533d14166cb2584
SHA512 995f1bbe6bec0e3500803cad61189350bd0860b39399a0518a511df3bddf957a5697847b9b988920a49fca4b2643c7c594907d7b828c2932cf865f8a66d88dc0

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files.cab

MD5 c2861c23df5ad7a31c8ae622dc87f867
SHA1 0c50bc37cbf26c1e91f34b4a617f7ad663c78b13
SHA256 beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013
SHA512 81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\msiwrapper.ini

MD5 ae81644a23cc083570d83a137d70229f
SHA1 9854ab2472495562c1d463b5e62d9d0d3357f2c9
SHA256 8d993a204595b4d25560ac8496df569071dc43536848e47c7533d14166cb2584
SHA512 995f1bbe6bec0e3500803cad61189350bd0860b39399a0518a511df3bddf957a5697847b9b988920a49fca4b2643c7c594907d7b828c2932cf865f8a66d88dc0

\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

memory/964-97-0x0000000000660000-0x0000000000860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\data.bin

MD5 bb8c7df11b277155036fd6f62110d818
SHA1 c7f7413f4e525822be37b33817a1755a04fec4e8
SHA256 742f8df79f6dd2bd16d00d7235f655b32b687886cda485808d1c1762ba44336a
SHA512 a568949fcef56f0db85c5f452b345f4912c8ce9435915b9380b21f97bebbcc0961e9739b8c62fa5181d527e1852c72e3bd947a56dddb0a3031c6f2c9d67e1b1d

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\data2.bin

MD5 148787dfd8c9b0d3c0681f0a984cbcf0
SHA1 0456d2fd54da6e9eaa239b9620efcf17c9cf95c5
SHA256 4f1c84df725ddff0403f24080baff45abc06a1191b43c00f9847d791b7b79488
SHA512 e0e4c8fc3953e48f253f3b762f6df6ec7bce0067e6f867eb1e8e5b3921ea7eada1993f8a173ae7f29103927b4e339374425b9f2a729da075fa142a8b5440e830

memory/964-100-0x00000000001D0000-0x000000000025A000-memory.dmp

memory/964-107-0x0000000000660000-0x0000000000860000-memory.dmp

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/964-109-0x00000000001D0000-0x000000000025A000-memory.dmp

\??\c:\tmpa\script.au3

MD5 74de66e9523816a5b1dfbdb31b56cb3b
SHA1 9b0bd88932223c819d2c10d5739abdaf4f1a3cec
SHA256 91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2
SHA512 21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/304-117-0x0000000002F09000-0x0000000002F27000-memory.dmp

memory/304-118-0x0000000003610000-0x00000000037A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\00007-~1.PNG

MD5 94b4895b7b8a60481393b7b8c22ad742
SHA1 902796c4aee78ab74e7ba5004625d797d83a8787
SHA256 f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973
SHA512 d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\00006-~1.PNG

MD5 173a98c6c7a166db7c3caa3a06fec06c
SHA1 3c562051f42353e72ba87b6f54744f6d0107df86
SHA256 212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad
SHA512 9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\00005-~1.PNG

MD5 dee56d4f89c71ea6c4f1e75b82f2e9c9
SHA1 293ce531cddbf4034782d5dfed1e35c807d75c52
SHA256 a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf
SHA512 e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

C:\Users\Admin\AppData\Local\Temp\MW-2613ff62-9794-48d6-8401-2bb44222c73a\files\00004-~1.PNG

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-19 20:45

Reported

2023-11-19 20:49

Platform

win10v2004-20231020-en

Max time kernel

90s

Max time network

150s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e91874c5d8c2.msi

Signatures

DarkGate

stealer darkgate

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File created C:\Windows\Installer\e59011f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI267.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\e59011f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{3D6CC9D9-208A-4C2E-8054-F677C4EFB216} C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000299f28d78dcfadf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000299f28d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000299f28d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0299f28d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000299f28d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e91874c5d8c2.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5C6C9FF0404B8DFA91F90EC0523F5444

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 89.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 83.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.246.36.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Windows\Installer\MSI267.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSI267.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\msiwrapper.ini

MD5 9dbc362339c5bc171ca0430f7bdf6542
SHA1 f4344aab41396a1f47125d280106877627b86d2b
SHA256 bf671a2fc0a8a73c43a12ccd60b947180265469be0d37ea9f93389cd3b36e02b
SHA512 1df9f8abbbbd24c18bd323eedaa4f3603be0d1ba7bb9b8b97e45fe5744ba7d27ea246075ed6436d4302a28492f5ddb3e7b1856f8ab2698d229bff333648ad3d9

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\msiwrapper.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\msiwrapper.ini

MD5 9dbc362339c5bc171ca0430f7bdf6542
SHA1 f4344aab41396a1f47125d280106877627b86d2b
SHA256 bf671a2fc0a8a73c43a12ccd60b947180265469be0d37ea9f93389cd3b36e02b
SHA512 1df9f8abbbbd24c18bd323eedaa4f3603be0d1ba7bb9b8b97e45fe5744ba7d27ea246075ed6436d4302a28492f5ddb3e7b1856f8ab2698d229bff333648ad3d9

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files.cab

MD5 c2861c23df5ad7a31c8ae622dc87f867
SHA1 0c50bc37cbf26c1e91f34b4a617f7ad663c78b13
SHA256 beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013
SHA512 81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

memory/4988-96-0x0000000000900000-0x0000000000B00000-memory.dmp

memory/4988-99-0x0000000002500000-0x000000000258A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\data2.bin

MD5 148787dfd8c9b0d3c0681f0a984cbcf0
SHA1 0456d2fd54da6e9eaa239b9620efcf17c9cf95c5
SHA256 4f1c84df725ddff0403f24080baff45abc06a1191b43c00f9847d791b7b79488
SHA512 e0e4c8fc3953e48f253f3b762f6df6ec7bce0067e6f867eb1e8e5b3921ea7eada1993f8a173ae7f29103927b4e339374425b9f2a729da075fa142a8b5440e830

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\data.bin

MD5 bb8c7df11b277155036fd6f62110d818
SHA1 c7f7413f4e525822be37b33817a1755a04fec4e8
SHA256 742f8df79f6dd2bd16d00d7235f655b32b687886cda485808d1c1762ba44336a
SHA512 a568949fcef56f0db85c5f452b345f4912c8ce9435915b9380b21f97bebbcc0961e9739b8c62fa5181d527e1852c72e3bd947a56dddb0a3031c6f2c9d67e1b1d

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

memory/4988-104-0x0000000000900000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\msiwrapper.ini

MD5 37d0ed27698ba9b9704b1abc5c0705b9
SHA1 36b8ef86ffed22d43e40da129412ad309b208b80
SHA256 60a130f01773ca8dae8ddc1829efd9da021090987b590e093b88f1fe05024321
SHA512 7f0df0311f41c528ab19220ab09ca79736e091e6fd6c1d9b483b8e8af6d4a729ad4808759cf502f247f3ae24add6f7b364bb67e906d8ae79e91cce0fda627215

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\00007-3546315030.png

MD5 94b4895b7b8a60481393b7b8c22ad742
SHA1 902796c4aee78ab74e7ba5004625d797d83a8787
SHA256 f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973
SHA512 d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\00006-3546315029.png

MD5 173a98c6c7a166db7c3caa3a06fec06c
SHA1 3c562051f42353e72ba87b6f54744f6d0107df86
SHA256 212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad
SHA512 9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\00005-3546315028.png

MD5 dee56d4f89c71ea6c4f1e75b82f2e9c9
SHA1 293ce531cddbf4034782d5dfed1e35c807d75c52
SHA256 a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf
SHA512 e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

C:\Users\Admin\AppData\Local\Temp\MW-6ff3f255-3341-49b2-b761-eba1fd83b3dd\files\00004-4001132497.png

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

C:\Windows\Installer\MSIBC0.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

memory/4876-120-0x0000000004040000-0x00000000041D5000-memory.dmp

memory/4876-117-0x00000000036B0000-0x0000000003AB0000-memory.dmp

memory/4876-123-0x0000000004040000-0x00000000041D5000-memory.dmp

C:\Windows\Installer\MSIBC0.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\??\c:\tmpa\script.au3

MD5 74de66e9523816a5b1dfbdb31b56cb3b
SHA1 9b0bd88932223c819d2c10d5739abdaf4f1a3cec
SHA256 91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2
SHA512 21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

memory/4988-105-0x0000000002500000-0x000000000258A000-memory.dmp

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

\??\Volume{8df29902-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{94e23eb0-d1d2-41cc-9553-9d3d3197df86}_OnDiskSnapshotProp

MD5 183f7d1bf471caf479e7302dc1be64c9
SHA1 de27808bf9e667900b8d76dd8a0747c2b7b731f1
SHA256 c5fe9e02a657a929ca5247ed935db0e3d5b981ef1f4f3b7f505606d3c74b7c8d
SHA512 5bd0b4dfbef51ea02405705b6883fea39b6aab26c2a3fa9eedb292225d20397a5e449bfc1a63073437068fec5fe722affdaa8ec3390d69269ca1df23a92c5e09

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 a097baf7339792bf45b26e31d417cc2f
SHA1 bcb892351854d770dbdf8ebc40f3df681784ed25
SHA256 df6c57e7137101e3ad91ea4a10508fab9d3dba3c09d496623b2ba7f94af8c2ce
SHA512 188c7745f53f55c5ea7154f3fbaede25413db9c9b23b1c8d70743ce9792400f4745df9db2051890645e12b69c095c68c666a0d268570c4aec85c545b873cf228