Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
02-02-2024 01:54
General
-
Target
mkreafr.msi
-
Size
4.3MB
-
MD5
4f238c2093606fc296f1f819c2f0fc67
-
SHA1
f8535858fcee6b96e0f49e6156fa110fc0698880
-
SHA256
58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
-
SHA512
c2422db8871d6303b5903c4b11cca3debd62cb25a406655db5a0ba407f33c9fef739371d297e5ccad45efc99e040e6ae29079b4b9325f52d54c5e780f8c346f7
-
SSDEEP
49152:jpUPN9qhCxzT+WKjSXcmNt6+XzP4BYIeBfCXqyfdo1DDDDDDDDDDPuDgO9hTnxA5:jpqCQbm+jg12f3yaiga6yU
Malware Config
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 38 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\mkreafr.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D38109A02F684A8267E1567F98A71D742⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f1e5de13-6775-4513-92ea-239e7ef0abde\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-f1e5de13-6775-4513-92ea-239e7ef0abde\files\vlc.exe"C:\Users\Admin\AppData\Local\Temp\MW-f1e5de13-6775-4513-92ea-239e7ef0abde\files\vlc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\temp\Autoit3.exe"c:\temp\Autoit3.exe" c:\temp\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f1e5de13-6775-4513-92ea-239e7ef0abde\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD533efe0234cfff17d594873e8b635884d
SHA10151b3d0572eaa43d67407fbc7a782f15652805f
SHA2567ac90d9d6671c689180d9360c28d9f98e042b445b329e7f9d5f1986cf474cb52
SHA512b302b0c99156dfbbc38ad0bd8f1d8c7f4ca87d2406a7160bd752c4415c6920464abe6627f00e4f39eee9194c806aa8243c32d638f23517fbe8917d07218d14f0
-
Filesize
466KB
MD5caf6d14ee91108f878d6108071d72b7a
SHA16166b2db78c93bdb24dc693b18a8bc6f1cd96fe6
SHA2563182937fdba31b1fe9f18f78e0901fe8d3bac7ed72b87f8409dcd19e2e1f4184
SHA51274b46ffd50acf54055e05ac12b8167b8f4976de345f478b648f71c05cf8f1f9cb584cdc2711d605aaea05c1f0fb643028ef8524e0f9144b0ab2975792c9681c9
-
Filesize
425KB
MD5cd05e846f193c3d992c10f6baebb2a5f
SHA1f2f40e1fa4aa566a1e4ef6d224756653366956d4
SHA256ed366750ecc3c84a595b55d224117f0717a2bbf142a264149a1c9716a794f8e8
SHA5120181aa3530f38b507f856d825a1739d6bcb78ef02664e87ee97bb912cfb10bea97f247c364708896dd20011772783c1b4413e81100689e27ec280e41415f369b
-
Filesize
460KB
MD5d71e08eedc3438c9cefae58c06a316f6
SHA1fc7b57305cdbf9bd7cf72e5e64f1ff4d829dfe84
SHA2568096cf50fa6ca37f5c864e8e021ca9bcf633cf2c7a6ce2ecce1629063090d505
SHA512f6c187d9bfdc20cefd0a7fa8d2d87e5e9de0d7b54aa113ab13a4cff8d635e2cc64e97d4a6300ec99c4906aed9badce627daa5402c34443f200c748d4ed5f6976
-
Filesize
276KB
MD5d389617aa8db0590de74236151dcb03e
SHA1314233cab4cb60b6d50f1f9218813ab021c454c2
SHA2560600cdce037d32e985fc74895c158de8581caf5a6d4c132a0a5d37519243af38
SHA51207165de238fb50c43711bbecbe88a73c491319714bc0a3b5239a3a0f927ceb37ce3add8a49f578928d4c0c28e964647df2e2c3fe74102f347bd1c1adec7ebaf3
-
Filesize
284KB
MD5cf9c52325994c4b11107018778d8d35c
SHA12b81003101a1367605a40045e390d44ef28fb381
SHA256d2b91364078edbd3b32b229e4c15326cbb8d4a14c56fd272e61e237fb326cb91
SHA512f6640ad17125eb9d25cff034f40c23dd6e21e33e68b7c89f525a676b6feaf7b485472ea93e3fb0e3a0c4889f337dba20ee9e395638e44dafa90166c59e83aea4
-
Filesize
411KB
MD574e6732323ffe1648b6225c962ce0ed0
SHA178fa5a36bc0a5cabd318f7696baf17384223862f
SHA2560c15f643da97fe3ecdd2e9a0e64687fd9c2cf7605dc37363a366a8e7b0e1098d
SHA512365f1f727ff362e63ee0e6cf141bc32a6e56dccef1d460bf13bde7636265fbac7a3b52044a1ebc1add0c49ffe4feb3c84909326abf90b9a6f9ee40f6d9d08b3d
-
Filesize
252KB
MD51b01b65f562a83062e9debef902ba14c
SHA1bb80ece2faaecc8deff3f0eeb804270a58200dd8
SHA2566ecc90da9c9803ef99715ec4664fa22252aaa2a693a147e26830132a258f49aa
SHA5123f26371ddfbcd05e8ec8472bbe7727b4f00c97dbcd37e4f963ddcc0990701de694de88082d369024d4a4d808a589ec795b9ac9fb67093e919bf3f957d531aca5
-
Filesize
1KB
MD5ccd21a751b36cb266235f72b5a835d1d
SHA1a3fc7c35c7db22ab07834043228645a9dd12439f
SHA256c529c92e33c5346be87d9a5daa6fe82ced083927b0692c1e91d87457a7c1e9de
SHA51295ff855aa2ed7e018f6e13df3589d583d899ed0042ccc306cc67d7aa80138e3c24a02b1d1abf8fefee643297eff85817ca2c3d53c4d9967a3995a7274d0cf007
-
Filesize
1KB
MD5f30d8915db7bffaa831e90f27dd2bc3a
SHA1000450e76de1b848c1ad305a3a789a71412935fb
SHA2563e74cdffcc246173677f685c6555ff5cee8e78105b82151b6cdfc440203115bb
SHA512cf094ff4006155361bf6359befbee251ec8fd5e941f952126997cd4d1c0c934c8fc66c241cb7208124cb1d003005e56cacfaba6fd472b0508f566787b75c6f08
-
Filesize
32B
MD594830daf2ae7b62846a681285c8af545
SHA10700f0696b09e4135721888f558551c1b8d43937
SHA256dcdbc9ad0741d9d52cbcd21ccd7fdd8afdb06d7fa528c61231d6653c9fc6c1dd
SHA5128b95a91a04c3191680373d0b291e3d2f977729f206b74e0f7d8ca1cb2fff307a1cda678958b5f5aa54eca9105c76a36ae4b89e2ded2c95c22245f4b0efcc4558
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
77KB
MD5bfc82eafa5253dcfc2f18d19dad81ba6
SHA12da5ef81a3ad41a4820863db64856da79443d498
SHA256d4145bf93453fb90445c65a95d9c6b2d54df09273234a8250c835a36737fddab
SHA5123ddbbc926c726fb0db2ec9386f32906315210d5dd6d86d83b44696ef2227e2462237483813dd30ebcc18a091fa9ed037753474026c0a623b03741679a7b80c77
-
Filesize
72KB
MD594986033495e23e165fbe13e21f7f022
SHA1d6ebcccfea68852ba7917aa2c873a26769cda6de
SHA256b9c2e429ab756c3889f3b990429c2948be57b9ee37b4b7db600955d7590520e9
SHA512e07d368ead4cd4f8a39cff27ed931f933c682b15f1fc830bc29318d232aae8c6ff31f961424d70b4e1ff3739950054ba7a4035695c40881dc973c24c68017a3a
-
Filesize
275KB
MD5db8705e44706d0c8d49f961a51800d91
SHA17160fa818d056835fa7da66ed74ea99a260cef3f
SHA256691902fd90067e3dbb2790f108f266186414ab23bd85869a30fbae52319f3f59
SHA5126a8a88185c8e891063c66e70c1d5a80dd13658139e6ea5317ad7c6f2e849756581dac4f5698d3c26a97e16461a944252b3c96c5bd87c5e653d5ab51b59149b60
-
Filesize
4B
MD51555887dcd5a4c47f27eb96a96dc7991
SHA1958e46b77c6a53158d696e3ee354c10c8fefaeb8
SHA2562f8cf229e93dee95b98e97153c672af07a8452d0a24f58bb289e8217038747a6
SHA51268aa3759fbbc7a7b40073961b037949811b1cbd2452c23646b28105e6e5b1075e39671dc9ef4317adc293330492fbcb3c7e5a1f29541530542d366935aad3ee6
-
Filesize
4B
MD50a84edc0020e2c45abda89158a184c39
SHA1186a0290cf2a064804cc8c6b218ad5eda43d8e08
SHA256c7e863057017d79df46913aa2a72fc26a59076ea5b7aa177f0c49182e214c1c0
SHA5121fc7ecc03faf0c786d22361c67debe66282e2a8d7454a8c4b559dfbab722042d2b2e774cf76bf29e147e6d4f76f3eb3dc5ed3e91b4bca96488d52885313f70ff
-
Filesize
3.0MB
MD56909d7a200a48d1798cf80c9118f380c
SHA1fa40130095f44cc450583a05632883bc9743b961
SHA256a48fb544d818345a099300ce50a133c0c768578816dec28f6947bec3de174a7a
SHA5124adb5a90e863c794e2176369e31ac83ef73976d2de762519326ed3da20ba9fdbd90a5a7fb133a9d93c11a545e83099334fd6a5507f1ac7380ee52627121031a8
-
Filesize
6KB
MD5709d9ea776ce63038ff0d02eddbdd44a
SHA1cc09890c156cacd890502d9572a99213f950c001
SHA2563e214247bf175896dc9e379a38da0b8a90c1db69cb5f1521671a75b772b265f9
SHA512212d968657a1968899da07c312a2afac65e4ad9b523481312cf4c6afcf76ab89c0bd022749f038db03fa0f4e6452b07542e4b12795c28acc1293e25a5426a3ca
-
Filesize
162KB
MD52eb15cded95a860fd386a7c7fc6aa537
SHA104e6612ec0b78d284436b532ed0417ebe040be8b
SHA2564c8d76a65f18d55fef5961e375f493aa597b74e7d350a9afb5130817a6df739a
SHA512cba763c8ef5cf1bc197c1046181e78cb09de6236d4d0a877576a26e5a11a0be00e08926eed3a8c39e228ffe4d2fe166a0171e111dfd1c097402030a445535707
-
Filesize
322KB
MD5bece66571aeb95a56f7e4aab9fe38cb3
SHA15fa9de1fd3eabf283b4b8de08e781bf6c7ce8354
SHA2567541b9d87486a41c5dd785240c16b864a614e0c65f104891786bf76a74f6c72d
SHA51202eb779238fc385102ec029c7339a48096f0ba4b803ead6254c77d528f5c146859349aef9639607a2868282385ceb813738bc774616738c92ff1c3544de424fb
-
Filesize
76B
MD5eb493e70c279b059272d93eb86156a25
SHA1cc6d75663d2647ce59741958b9334d9319dc1e40
SHA256c5c350d106264a59acb4049244933261da379b6fc5577b519cfc113c83fb1e31
SHA512c4617f8d45d00bf3fbe6a1ab4b25052e2012e2f2783022528d625618956814ab6497a82800f14592eda1886903d88a075ffeff29d72bec8c4817927b9dcac514
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
1.6MB
-
Filesize
992KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
15.8MB
-
Filesize
3.3MB
-
Filesize
3.3MB