Overview

overview

10

Static

static

1

693ff5db0a...7a.msi

windows7-x64

10

693ff5db0a...7a.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi

  • Size

    5.8MB

  • MD5

    9c02a9298b97fcfc5a75fbedf08002bd

  • SHA1

    2d3bc2856c015914f2856331a0315298f3c34b0c

  • SHA256

    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a

  • SHA512

    fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc

  • SSDEEP

    49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC

Score
10/10
darkgatediscoverystealer

Malware Config

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1976
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADC0B688B2BBC74D03C138D9A315DDB7
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2624
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files"
        3⤵
          PID:688
        • C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\iTunesHelper.exe
          "C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\iTunesHelper.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:336
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:1520
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004B8" "00000000000003A0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.a3x
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:1656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      1KB

      MD5

      e94fb54871208c00df70f708ac47085b

      SHA1

      4efc31460c619ecae59c1bce2c008036d94c84b8

      SHA256

      7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

      SHA512

      2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      b877af2946ddc039e859de2f1561ef03

      SHA1

      07e2b9c8d753df66c4009ddf0ab66d5f7187e837

      SHA256

      d35eb5f7c761c23a85aef591b0b0e18c56758945bbb90b18225a7cf77bf5f12f

      SHA512

      86e8384acfc8d2378013ddb13d6e0c5eded87428f144a2adb4421d46fe4f4823b0d91200891bd0f011cf0db01cb10ae4b26257061fd2c37e76df9495166c2c74

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      264B

      MD5

      b6e5d9579026e134e4581866ec8980f3

      SHA1

      d30fea49792a4fd69b8c730c0cb39064a00596fb

      SHA256

      06ebbc156fea7b0bd2529d954bb0ea5229ff0fb49a38b82cfebd420549ddc38c

      SHA512

      768ccb68d53e9a35e3eb2a7c66a6bf4d1fd1c76efc6398f1e04c9586fc9f77f16da82dd83be09242c0e796a4fade38c76548558066046cd30315f154c1b5b949

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab5266.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files.cab
      Filesize

      471KB

      MD5

      6a332ed6900dc40aba153297c2587721

      SHA1

      05816ad507426b13b5493c167f76c50b904a338f

      SHA256

      28eb4535130226f66f31bb029a48a3c5af43b5c66841be48f5c5285e530cd947

      SHA512

      8d5e84f236d0f51a2221283bc2de16d0d0ee35cd9327e14afc46a0e6f8150efbbae174ecb0041216568b378af567459c49c416beb0be8eace50fdf798125a579

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\CoreFoundation.dll
      Filesize

      143KB

      MD5

      0428336d37ed3ea0c53a75654e11c314

      SHA1

      f749c1a535f814bf56610bf96fa4f4d0e29d41e5

      SHA256

      c3fdec7cedbe4858805a1bcb3a10905b997922944d5b006230f8918a70fb400b

      SHA512

      19cc503f73312a22130b0c347a5a302c30033430154ac733b59be909fdc0114467407c51d63c5fbeccff63831171ebb0a9d55c0be1e3d15c71a21d6d7a933821

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\iTunesHelper.exe
      Filesize

      224KB

      MD5

      04f0a660dddd58e8490ae5b4f088b6db

      SHA1

      d9dc2f1f0eb6e8ce22e96f42d208906d65b78fb3

      SHA256

      c9a6804b2ecf44e5728b3a57521d07c93de825b35af4cbc185345a3a745e24f8

      SHA512

      aa7cb0569f1dca6f093dbd2cda860e02e15c16f7b57f14b5613d8fe4f9313f47a9f1a38b0d45d6307bbdba81538c84f279cd3dfa232366eafa2fac79aad4e90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\iTunesHelper.exe
      Filesize

      152KB

      MD5

      6081b59ad62598e7c04a4e245140d085

      SHA1

      84bd71967ac93ed9d791d6551bda14cfee20328a

      SHA256

      74918b8fe0a37839357d7b9de4801793d4ba5d14ab86c4aa4dcd5cf555a53dde

      SHA512

      fb53c17cac3777c116cd2eae17a7be7b5ff60a36a52d5b0919d89cf946e601d8fc2ebef0e6d627a2cc7c62e79b04297bd3f31924ead58b4cc414a2353e5cc951

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\sqlite3.dll
      Filesize

      280KB

      MD5

      acbf7e85704d46672d31b9d20580e5b5

      SHA1

      9225c1010205e97acbf2e49e3ea5eef02c140897

      SHA256

      345ed68915189dabab7691639e7787c5b28f87f18217c5a0736cbdcbb787c5c3

      SHA512

      46539cebb8c564b758d43e8d233285f7d68643448584e3623d2ffd95390b6cfafacaa166aa03d3b4ceb2d4d122ef3d484a46a920cb2380682228691638293457

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\msiwrapper.ini
      Filesize

      1KB

      MD5

      ce078c4e46cef4c9c96c1416599f7e56

      SHA1

      a5649a1b9fe30cacaa7d90c878a6f94080000a8d

      SHA256

      fd44b69de3af023dfcab964ab4e70844ba56ae3b72308e8d98c85faadfcab1b0

      SHA512

      ab25d8817df3c32aa3e173eba73f3adcaf77a4efb9a324406a3d3d85f180139c7e73293fbba24e87521973a5410079c1bf2e5c4538817223723a211d65bac90b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar52A7.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Windows\Installer\MSIAAFD.tmp
      Filesize

      123KB

      MD5

      2675aeca05ff9bb993c7d213f8c7ac13

      SHA1

      89839078c5f26ed6141ebd4dfb48a6c87565cabb

      SHA256

      1890f6bc4b24ad0c5bcab13ea26919e89142c4e66309a275fc8423873e14ed22

      SHA512

      66c278183e1d9830211cc318ab435ee002e226c1e4fbfd432234485f683d80215a66bfd124012ead28f9213d187e440fbf5a9a87f010abfdeca5712b0a360101

      Download Submit

    • C:\temp\Autoit3.exe
      Filesize

      146KB

      MD5

      7bea23fdaeea2c9c2a470d261377d382

      SHA1

      d94bf98dcb7435dc0d194eccc4c0eb26692cd20c

      SHA256

      8a294ac4f14dad039fca8bc29c5ee20eed13b0c5461f80bdc97a1d74b6671ab8

      SHA512

      8a0f951731d53bd6c1e1c62ad3e29cb7ad92d083008d30364ee8ddd61190ad488df9e1b13ecf68b3d53d8ec54573b7bf9539cdf025ff0f55b38cb051a3b2c650

      Download Submit

    • \??\c:\temp\script.a3x
      Filesize

      52KB

      MD5

      3a1de11f6c5d7cb7c3c3d972b768df18

      SHA1

      b9db97940a0964c034ba8aee5438ad1ae19d96c2

      SHA256

      5d084307c5df3e996df622bf77de4b77a4726ff99ffe9f0e348c1c25f85ccc2b

      SHA512

      01e2f9608a70c813bb248cb0986f8dcbe0c58dc1bf4e004479d947573c4c239bcd101e91c6297cf848f543058b58e9b4b62b161a4b82ef6da547f50137a526e3

      Download Submit

    • \??\c:\temp\test.txt
      Filesize

      76B

      MD5

      e0cb113b19ce53ef7b72edbb0a4937dc

      SHA1

      2499a76ad9ec4a44571bfd8083e09b23373f9f69

      SHA256

      03bed76f17b8574d05e84b81f81c09a33b1ae1555c2caf4783e059b689879ab6

      SHA512

      0b046a6d16d22c0faa3eb729d9b74bfbc87f3cc847fd5ddfa89e573893d215841bae320f0697090b9a30778a07210929ac9c440fca884e920b369698d90a17ca

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\CoreFoundation.dll
      Filesize

      236KB

      MD5

      786b5caff57f5d0c2b9ffc8e8b09b2d1

      SHA1

      c1e61fd7a3fd677dcd815a52fc8c767432ca1d2d

      SHA256

      fff2a8bcd0df0b8390440e5c227ba9e5ee0f72286fb100f6292f4d81ee4ac557

      SHA512

      ed7c71fe4096314bfe2b30224190d40d706feab125ed5d9bf84bdb80cfaa265e6983a5bfdb7d5701f90f7f340d5e769e21842cf239562343ffcd38a079bfd2f3

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-d3619db8-1914-4d92-afb1-d2856f5ce3aa\files\iTunesHelper.exe
      Filesize

      161KB

      MD5

      79c2b95ee01840c4dc189bd58f162474

      SHA1

      6892599d0149eb407946a13499dad166e7a56973

      SHA256

      cb1c6c2a17f5111279d2c8385d8942a2bbe5d32419eb61e989d4ac32a638716e

      SHA512

      6584ab91971e0734e1fb0a941cfaf18a8eb30cfb3bab1b9169d87dcd4b198f83acb452a8fd31fb2ad604fe77a0ea3822494a86ba7338e073fcbc335dd84698be

      Download Submit

    • \Windows\Installer\MSIAAFD.tmp
      Filesize

      114KB

      MD5

      8c8de3aed2c53c2ad3ec7e91ecd54da9

      SHA1

      8ee2c18d57146d2242d431df704231ffa827b87a

      SHA256

      e2007368620d1f84a25aa05b7d90cab6e16cddd5fa5442d22a57249bae14e8a7

      SHA512

      f6f8a3322d00bb74824624b2975b98907fc9527ff0b1de33bd009f1cc63921e02016d964c65ddb5eb717469d8d7fc74227550c93a07918323995d5dd77f5d5fd

      Download Submit

    • memory/336-337-0x00000000023C0000-0x0000000002560000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/336-343-0x0000000073D10000-0x00000000740B8000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/336-344-0x00000000023C0000-0x0000000002560000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1656-353-0x00000000036D0000-0x00000000046A0000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/1656-354-0x0000000004B50000-0x0000000004EAC000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/1656-355-0x0000000004B50000-0x0000000004EAC000-memory.dmp

      Filesize

      3.4MB

      Download