Overview

overview

10

Static

static

1

independert.msi

windows10-1703-x64

10

independert.msi

windows10-2004-x64

10

independert.msi

windows11-21h2-x64

10

Analysis

  • max time kernel
    1188s
  • max time network
    1199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-02-2024 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    independert.msi

  • Size

    4.0MB

  • MD5

    484bea10f5d2a0c4bdfa342e133033c6

  • SHA1

    6860971d489198df13c64a295999ba3cc7c9c654

  • SHA256

    846f339f39e82f358fe5d0985afde119563754c9a8030dc237eac1a963a8bbf4

  • SHA512

    ce74de9217edd30ad96e00dea9ac8783284c26f93e7271f45e406880b46dbdcf8d71feafa26881d069b8b20b62e66e4a0fc3ccd428512fa45af319663720f20e

  • SSDEEP

    49152:bpUPCczdSZ4Yx87nxODZGMFLnd8q67DZQlXvAoxS1mvXpiIg7W:bpSBx7nxOtFjOq67DcO1mh

Score
10/10
darkgatediscoverystealer

Malware Config

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\independert.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4496
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4420
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 093C9A968381DD48854ABA39DF680228
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2296
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1448
      • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\apdproxy.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\apdproxy.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3860
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:3304
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:3716
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files.cab
    Filesize

    3.7MB

    MD5

    b5a1995210150c6e9d362e967d83b590

    SHA1

    f4642b8b5e125863cea56196b584cefa5861aebd

    SHA256

    e0a36182df70d6af3289ea7c430874b8281db531c767beab5131f6726f5635a2

    SHA512

    94ad3c4e539ef8cb50dfb81e4c1ca6ffeb3da18718c40a77b0c160354b7994896b54edc8ec94a552395d7fd529d95bc16e4e5baedd8c91a8fdb8777c85e00901

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\MSVCP71.dll
    Filesize

    488KB

    MD5

    561fa2abb31dfa8fab762145f81667c2

    SHA1

    c8ccb04eedac821a13fae314a2435192860c72b8

    SHA256

    df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

    SHA512

    7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\MSVCR71.dll
    Filesize

    256KB

    MD5

    4aab2590f065c890a2fcb2e539545621

    SHA1

    cd278d30451446fa948178dfe1b7d562651a35a6

    SHA256

    69db7cf715da48da66b11172eea92997a4ed10005a9d15de21d47fac8895c0cc

    SHA512

    5b0568a3ad136230ec05204a81525b06b3d234b28322decc1a2d675847cff7ec64658f32c1accd41f9ca47bd391068d285e35aecaff2ae29b6515d8017de1187

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\apdboot.dll
    Filesize

    256KB

    MD5

    68894a522dcbd7e11fda3e56cecb1131

    SHA1

    a55cb6b810814250878864082d2959d2b1f2eda2

    SHA256

    3559a2dfca34d1eb29796f1aae16a406ebc2034c251a901490eaa2ca4cc3c953

    SHA512

    cf8e259d36140f63eff45c30eb2c3a4b303933b365cde4048cbda205c8509cc97e5996688d17fee98f69f9b73291937a3d4a5f14e16ff86444f4d10157913ae5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\apdboot.dll
    Filesize

    931KB

    MD5

    7514fa4d5d1162f631ed5fea0884c0f4

    SHA1

    a39e56a89b546b1ad55e531e62240586b9489234

    SHA256

    e1f5396d6c9e0d82c45fb48c723460709706398078546bca83e123ca9eb4036f

    SHA512

    5822def0a35098f80cd570f79a848b639681d21eae4c79479e562907c58c42a218ba786df7ab328532dee1e8f6bc3a7da5c1529f17b93d759df328603ec02b32

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\apdproxy.exe
    Filesize

    62KB

    MD5

    fc9e59fe8bc4fe05382cff5c8fc59de1

    SHA1

    69423bc900644a910936d2c5828348d188e5d750

    SHA256

    a16b93c374e77f98889d7ad7f38b2282dbc5a40511541b9105b1dcf9216c3cf3

    SHA512

    1d34be70cd701b606873aaf6910ab7fa7a3c4a81e0398d9bdcf8e8aac3dd63ec888c478e45600bf7e34301bec231038e8dccb457e49db8b5ff1c0740b68d072c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\msvcp71.dll
    Filesize

    317KB

    MD5

    ceab1ccbe89db316be9f4b476534a1fd

    SHA1

    8ac0de087bcdb7a6af5fceedec5d91ab2c5fe226

    SHA256

    f7252a8dac60279a6bc214d17c326c8aa7292e4da98de59d133036c3b1f68d72

    SHA512

    0cbd277feb9a34386098b83717d2712be11f8a19210bad6a2be9dde7b0b3ccdcd422c03eeaba4dd6b5b56506a69a140901fe7d1bc539be2ac6f1f2b63ca08aa3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\msvcr71.dll
    Filesize

    340KB

    MD5

    86f1895ae8c5e8b17d99ece768a70732

    SHA1

    d5502a1d00787d68f548ddeebbde1eca5e2b38ca

    SHA256

    8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

    SHA512

    3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\msvcr71.dll
    Filesize

    14KB

    MD5

    55b325966718cdc2453545fbc7776151

    SHA1

    c204c320788a7a04e3b5f058b08361733b05a48e

    SHA256

    e299bff65512174da07de95515e5e3dc53868511484d3abe3f4f9eb6a43c1425

    SHA512

    1fb5baa85a4bb862da601b9af3a69ba4e6c1efcef843ce4b7af4b864b61da886339bdbf67143e1889b23f6927a963c88fef4d23212c04bc2e84673869c32e1d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\files\sqlite3.dll
    Filesize

    1.6MB

    MD5

    35d5a969682f0b969679c750f03fc652

    SHA1

    bcb91829d0412c7f2621a23763fd9b1aaccd8e68

    SHA256

    ef6324f89ee491906dc9d177b78527585b8764a80554be51bb8a3d9873b0a119

    SHA512

    f53b6a191f64f477ba0ae01d5bea083be8ec88de45d8d04e6be7f18be7c2dcb45446d2e29270052d7950031aada31dce835075a987dfa470635eb44b9b16704b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\msiwrapper.ini
    Filesize

    1KB

    MD5

    3ea2c46bb40912c0457d82a2c002fffd

    SHA1

    7f22e962e1fe5d1efacec801b76915cc488c1550

    SHA256

    98fc65eb0778baf7d27e5e87d034799a7fc24042df9f690a8f0a799ef22a50c9

    SHA512

    c0281cec66a9184ff32cad59b4ca20e2d4462203b4a73810102ce79afc2f9111eaddf5d50b3c7ce105a4c760e0edcdf277443e64dad0d2cc2b0bd52456d32054

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-73c3e399-1205-4ce6-8e51-af9bb11fb20c\msiwrapper.ini
    Filesize

    1KB

    MD5

    0d4b4096f73b5c7645d1de1a990c8e67

    SHA1

    1f63315986232dec3ba54f3c8d64eb98d24d7b8c

    SHA256

    393aad0bfbdc9d239db2a64179b5659dc43266173680da7aebea02af408e499e

    SHA512

    e36fc3ec321461a653069cada3270d0444fe5ff7f2b60d03130db49d34d210e3ed6c9169efd2fe1abbe728a511dd043d47988421536dda89a2de6bc969dbd0ba

    Download Submit

  • C:\Windows\Installer\MSI2E98.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\Windows\Installer\MSI2E98.tmp
    Filesize

    45KB

    MD5

    036ddf6ceae759b238bb486717aeadfe

    SHA1

    c971e8d83f6af11369e76aca6e71637262c3442d

    SHA256

    a47e0ad3d43d9bb34483cf4b0891eca9d1abea137678ecbd97f266aa120ce566

    SHA512

    9e34b09ffa4ce374766ac30edd1d2936a058a091c1ccd5fbdd869dce81e203b30d3b69f9683f3fec5f648f6ce2546db2f5d6ca1570401dce4a29b3ad18d49982

    Download Submit

  • C:\temp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.0MB

    MD5

    5531c1313b2c432641e1658123814ab6

    SHA1

    78e7a28fe2d9b0374980002836e3cec71cae9963

    SHA256

    8b3b0a0814ac8fd9978d6a86a428625e8a039f3c13a388889afafae0c6131cb4

    SHA512

    cf62621b1b879b15dfce0996b210bff0d568c166217dc02a62cf0ebe43688364b3e508ef827a7abc3961cc1fc5236ae4c948fecaed7d6d6527a8faa5675efe2c

    Download Submit

  • \??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{49c66387-a8cf-4840-9df2-475f9c30b5a2}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    5926a62e49417cc7f2078c1c5fd07187

    SHA1

    16f153bec8ea1de15d6fe63922bae0f6b8fc86ce

    SHA256

    932e74c747a5470068a56395b3db842aac87af99124d001f4f4c6c7778d93fa2

    SHA512

    6b18162bddcf0b6b5efbb996ff52f5cb51c95d561478d1b3214ecf89b791e5a089fdbc74b60d7e7643a6bd2fc4fcc11bb198370bf8a048c44a704d80015d92dc

    Download Submit

  • \??\c:\temp\script.au3
    Filesize

    910KB

    MD5

    5ae10e98b7f01a0433b18c66dd7ff7d3

    SHA1

    7043ab94fcd76c9a7afb91e2adae691358796eb5

    SHA256

    c83870e8f4884f6653ad7fe43d43e9ab8d6c8b3c295d10f1f1921acd8f1e42a8

    SHA512

    4c337d91ca76844dbebd186df0a165efea46a0234b8472f7b4fcc9c844917eb7a8449fc3e3e9006e8f5ad3e1df716d19f7dd212cfdf44268caaa3ea72f53aeb8

    Download Submit

  • \??\c:\temp\test.txt
    Filesize

    76B

    MD5

    af2e30edcb89c0b9ca2bc4ccc519e5b0

    SHA1

    c93d528cd43890fef9841708a825b02133a07734

    SHA256

    f8b5bfd9bff557bcd6326949ad261e74edc463350a276fb080a250f76284de45

    SHA512

    4279afcf1f76d411b766e51ee207b8cb5dc5914c409359387b74ed0fc1f26db134592fdd4030b650e05d7fd7f7d5ffb4c0d5f3e67b548c224fa910b880db35d8

    Download Submit

  • memory/3304-109-0x0000000004C60000-0x0000000005C30000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3304-110-0x00000000065E0000-0x000000000692E000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3304-116-0x00000000065E0000-0x000000000692E000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3860-100-0x0000000002630000-0x0000000002823000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3860-99-0x0000000073AD0000-0x0000000073BC4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/3860-92-0x0000000002630000-0x0000000002823000-memory.dmp

    Filesize

    1.9MB

    Download