Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
02-02-2024 01:14
General
-
Target
58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994.msi
-
Size
4.3MB
-
MD5
4f238c2093606fc296f1f819c2f0fc67
-
SHA1
f8535858fcee6b96e0f49e6156fa110fc0698880
-
SHA256
58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
-
SHA512
c2422db8871d6303b5903c4b11cca3debd62cb25a406655db5a0ba407f33c9fef739371d297e5ccad45efc99e040e6ae29079b4b9325f52d54c5e780f8c346f7
-
SSDEEP
49152:jpUPN9qhCxzT+WKjSXcmNt6+XzP4BYIeBfCXqyfdo1DDDDDDDDDDPuDgO9hTnxA5:jpqCQbm+jg12f3yaiga6yU
Malware Config
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 38 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9D3C94FB57862A7C128B6EC23324335F2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3a2d5ef7-e0a8-45c5-a947-1ba3d7f0015b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-3a2d5ef7-e0a8-45c5-a947-1ba3d7f0015b\files\vlc.exe"C:\Users\Admin\AppData\Local\Temp\MW-3a2d5ef7-e0a8-45c5-a947-1ba3d7f0015b\files\vlc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\temp\Autoit3.exe"c:\temp\Autoit3.exe" c:\temp\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3a2d5ef7-e0a8-45c5-a947-1ba3d7f0015b\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ce6d9e61b00c30df326b0be4d78f9e3
SHA1bf6124a61d022feb26dc163c81bacf48402c3379
SHA2560da3bdc868ed01ed61933d4219488e32fbcbf30db4c98648176305ea8f448cf9
SHA51266206623741d2f4c1be0e68885a2c452eecf5de8e5a86050e36bad0e02f889512da1ed7e15f926b661804055c726f881539775342239040c7970c64baaded0c1
-
Filesize
4.0MB
MD5b617d565e52112548d239e32b05eecb4
SHA15e37585718e80f11c44537f21ecd6d1c45f44c6b
SHA25696146d2cb6aa614ffe3aac47f5e0d8a3bcf28bacb3f27bc9a80a18ede73ac607
SHA51223f2b21f4bb19eba68c39bd93964160f55611686546aee904cac925ee058a6f8f6c6e1f113cdeb7c42ca5375d83de1169051c9a001aeb1f48f322dbe5d6bcd7d
-
Filesize
1.5MB
MD53843f0f904fc531b2c528b65ada84dff
SHA17ad3a66bd8be7456ceb7a5976548cdd6c2643d8f
SHA256f3cbababb4ba75f65b4a5ec6d603ef93ed23089aef777b22db710d5bc873a11a
SHA512e099cef3bd5f80f9e861f97e6c7ddace0adddfb26e316c76a4d66cda7942c2e46f6f66ed6ca9a6d06a587645c6a01527f542420e3720d462d6b09d5fe44cbf5c
-
Filesize
1.6MB
MD5775d01ac4a84cf493c27759ae6b55355
SHA1e27078488d12e7ab7feff45fe2b2b7f60d72b0f3
SHA256e894e2781806b306298f85a1af60b1ca38b4695bde30cf6839518e10501b6b5a
SHA512b6168b83deb2c95e88b6eb4e1fbc1bf7f3a3353e6fee9b016f5e25472ed202225aed0338f196fbcd116a480d6708487191afa8be4a21cd5316f90f6167d1c978
-
Filesize
966KB
MD5035860e139ba6db1b38d5346cb6ff5b6
SHA1d515303cbca3a8ae7a0463fecd418d81b314e650
SHA25616197a321fc7b0a2a311e689621fe4a7cd50fdcb2d163973a31e4fd6352232d7
SHA51214dab9108d85af72001631130923b94483dd1440f24a8eedad41756db3030c5e11e80ec894922c389e09c86e8b721bcbd8594bd3646f484560f89963a7e18cc7
-
Filesize
430B
MD5dc3a56862732d47111848e99f541098f
SHA13e99a00b7e02770eb1dad297dc44a8358ef4182c
SHA256049c5710ccbb1cc06aab8849f8d729095b3741ecdcfda2c2cc328484f81e9bc7
SHA5124eca792da99ff63882e5431406e3e6de7ae65187aed0cf18065c3b37608fbbdccb89eb3b8aee7b956d20373eabd1aba57637e7fa8ab29a130070ced62321f166
-
Filesize
1KB
MD58f7312131fe8cee7a6a4606be2a008e9
SHA1dc6b51cba86cbca9e113989ca28f6e40517be2ac
SHA25677ab1e1860fa07a9791f29d59da89380cac56b3082110282d47f652cd8876b9d
SHA51262a1b9e966c1b731f46aff1121cc53aee06f73b724e79fe4b2dcf717b58622724199f25271c1008721df8e420347d0e5821daac017859d3572cc09057822828f
-
Filesize
1KB
MD5ab2f9bd698a4eff1beac15cbbdba6d5b
SHA1ad0afb54dbefee606182fe5bfa30eedc8ef692af
SHA256e998d4c561e8d69cfa9be04c2f452fdbb67bbc48b7183accfbff86fdc3ec8d71
SHA512e95abd4104522eab46e4cfce48c3a28f567cf482cc5bf79a1744656216dc20b0df7a00ecb78ac5517756fe6a3372f378a70ea98898c0e1934164a76df7df492e
-
Filesize
1KB
MD53e07b348d06f578be1991a83df4fe49f
SHA1ad2f777ea045bac1ebf675dad10f4938837de244
SHA25637a897d59f84981357189be75839a2c5ecce9047884f7d14725a9fdb12e42eba
SHA5124d5866c4f836cbbe367bcd765b7c2e1db200d4646aace30a4601a3d3ba2da16e4bd6e22ee195cce4dd8ce07929dca7f9ce1bebf440f4a79ff790248cff2977eb
-
Filesize
32B
MD596df88187ac5fe402f17588732e830c9
SHA132bf3418ed43f9748c8dd0b311eda2a5ef79aec6
SHA256905192fc75f546cfd6e6c5e5d0ed5c232554ed83d4e0085c91116335bcf42965
SHA5125c21eda9014b584e9922738d74c4a963537460fded1a44bdb38e622ff818700a23640b875ce9a7d8aa72f7cc4b804e5fba47965a7ecade5b97eac16f1f43c497
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
4B
MD5d1aca9131f7df5d5fe7c13fcecd25a51
SHA154fca64c6fee578c005def9275559503cbb90243
SHA256a1a939c7527de98016d09e3e110ff21a898247be2025c8db130f8af1a9773751
SHA512c166369c0c413cdb9657a492a1acc492f0e3d1286a288ec9517d32b76a7f34f496bfa73157e75e2bc0e8847e737a38dc66edd63bedb564caaaa541a89afcd72d
-
Filesize
4B
MD5313708740badd2a15f5270157dd4959c
SHA15bc453c53feafee2521165489edb307f685046c3
SHA25640ae3fb94244c4bbe647a2bd676b19bab9a5ddc7c479fa132fa37312f21f714d
SHA512e9b365132729cf2083f263a5706bcaee5df3bb778418d3aff88b59c4e9312e5113d04f20bab9e3e90b778b01d9a063ebd71f6b3731a675c70cdb4b9261243934
-
Filesize
23.0MB
MD56894044420a0977e31a1bd049b144d29
SHA1b4037bc7317f5b6e6bf7744058dbd0138e9b84ff
SHA256ebdf0bced05a4ce5a5eeed3e277c2dfe037ea8b58fe7ff22c960d80eb3397d81
SHA512f14335153a889f935aed0ec1302c1f9ed2e0bb0c78c86f89aa40d3376c871219a768e75593d8ec0c52c0c0c4888e823d3d4ba5b13ab63a513c8c947124b42f47
-
Filesize
6KB
MD59ea11c3d74f296d254935dce2ac9211b
SHA139abc908b95820100370e68fcffde665fd091f01
SHA256c9a196a9cdd8487b6a732d16c0198b55f2f17934b1d94556e77a00cb342b9380
SHA512b1508abd358c2a605c37a120a2f6628b1e53694b12c3335a0df852e547e3c3533902bfb9a3e5b61d0c7fc6d3460cfab41180f5202879d385f0d472cdcca43f69
-
Filesize
466KB
MD5caf6d14ee91108f878d6108071d72b7a
SHA16166b2db78c93bdb24dc693b18a8bc6f1cd96fe6
SHA2563182937fdba31b1fe9f18f78e0901fe8d3bac7ed72b87f8409dcd19e2e1f4184
SHA51274b46ffd50acf54055e05ac12b8167b8f4976de345f478b648f71c05cf8f1f9cb584cdc2711d605aaea05c1f0fb643028ef8524e0f9144b0ab2975792c9681c9
-
Filesize
76B
MD5eb493e70c279b059272d93eb86156a25
SHA1cc6d75663d2647ce59741958b9334d9319dc1e40
SHA256c5c350d106264a59acb4049244933261da379b6fc5577b519cfc113c83fb1e31
SHA512c4617f8d45d00bf3fbe6a1ab4b25052e2012e2f2783022528d625618956814ab6497a82800f14592eda1886903d88a075ffeff29d72bec8c4817927b9dcac514
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
3.3MB
-
Filesize
15.8MB
-
Filesize
3.3MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
992KB
-
Filesize
1.6MB