Overview

overview

10

Static

static

1

build-x64.msi

windows7-x64

10

build-x64.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • submitted
    14-02-2024 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build-x64.msi

Score
10/10
darkgateadmin888discoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    WeBiMyRU

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Darkgate family
    darkgate
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1188
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4772
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9B7214E610DBD3959DDBD6BA406EC153
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2688
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2316
      • C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3652
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          4⤵
          • Command and Scripting Interpreter: AutoIT
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\files"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1960
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4580
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5
    Filesize

    1KB

    MD5

    a14f13e0ad3655accfa076a86be83270

    SHA1

    c063ae0d2585461d6764262022a3552633e6b13f

    SHA256

    f0b6fea8d25739f266ec87b69c03312d3546f007956fec579964543dbd5d1481

    SHA512

    123f12e60753f4247a424a20cc62804c6f7203544f941d892bb14a7b1991128bcdfc8b582ee5c6d3ffb00bfd73b0ba56d5825087ee0228bfab9b1f2f54a581f3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize

    1KB

    MD5

    84bd57d7afe698b38fa67c861398d573

    SHA1

    3659b332a06e88b031cd5e3852af4c4fc99d1a3e

    SHA256

    cc8781173b1baec58fda6dafc2bdb181e89650d26ff3ef17bb951d9489878fa2

    SHA512

    a248e62b9d8163319b4866c25970ee507094284c0f165765638c19da690246578bef8f1d21ff6cc765f7ff58b5a6b60856b55587bbc72056f96457949b46c6bf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5
    Filesize

    540B

    MD5

    237254eac077a8d11d50528a6c629fe6

    SHA1

    2ec0a66805d4b80fe690a68f18497498ede48e68

    SHA256

    d561736f559b362d5e78d74c27891281f4c10c717eb223b1e323d2fb60c42097

    SHA512

    51b14c26b4b83cbb847177bd7c69860095bf608f0833e9f2948bc23d416283016da26c5ece6524393477590c27e4f856fc1e45c49d19818775de121e4ec42eb4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize

    536B

    MD5

    9420a103ac3e298d289051142557fce7

    SHA1

    27f67d743aaf980bfc2b3a9d0078fc2e5c9e93a4

    SHA256

    f738d437a6ab7743c8f96b38cb28446a6a458efda1cc4465b04da75c817dc7f9

    SHA512

    9fa6dcdcdbdd547849eda02371cf97e80dbc39fc877613d43ce2fcea4c87564160c0b6f6d0807876e3f772ac2aa2eb8c0178155335e0dfa7353834efb7c90662

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\files.cab
    Filesize

    5.6MB

    MD5

    d339565d7c5224c45092b3aaeeb3797f

    SHA1

    c85565693714583e57fb9addb64368cc87288efa

    SHA256

    359e387871378831eb1293f41b54436abc6357733d1a573f0caff90ab1cbf07d

    SHA512

    14b3cb62aa99f53a8205783297285b38268306d4876ebdc65ab42d2c7c5613dc4b7010d3f25f2ad60747e136ff5939dca8f6a986f7161f27c0d791f4e874062b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\files\CoreFoundation.dll
    Filesize

    3.6MB

    MD5

    b4677a50c291d7c5a7f9f1b80f39a37f

    SHA1

    76d183107f9a8f89f09e25149e6e3de777b25d5a

    SHA256

    c2d43d768cebcf63e8d0c3ae8ffd2cd5070e4ac656a132b63d5e7372cef69c62

    SHA512

    bb2a3bb016cca60bd5f8a33773752e8f88bae764a6497eaaccf563da8607805b5723b30135c001f2fbc20c628e75c099410d9fd09b375c3d2901b6e7f70ba356

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\files\iTunesHelper.exe
    Filesize

    358KB

    MD5

    ed6a1c72a75dee15a6fa75873cd64975

    SHA1

    67a15ca72e3156f8be6c46391e184087e47f4a0d

    SHA256

    0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

    SHA512

    256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\files\sqlite3.dll
    Filesize

    1.6MB

    MD5

    ce6e163809f5e817ef0c259672f7a1cd

    SHA1

    123e2f032b2fc45d6d9fe482756243ed61137476

    SHA256

    28ead67d2352ddd11f963e8b23930905ecbaff371162dfdae5ed096f62eb3d79

    SHA512

    07766db4cf023bf059415a58a9e1384acb39260ba71587b4eadb99f84d307c0ab70f76390894ab786a6461a0c809f8e9fe435f7bf9b334a369a178c54b295229

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-6117711d-96e5-48cf-9ce9-0682bb9adee8\msiwrapper.ini
    Filesize

    1KB

    MD5

    9cd825128c5ac550d3ea050024f2a836

    SHA1

    227f790b5e7b233c5155c53d959242033e1d01e7

    SHA256

    a1f4ba245d3a2d63537db564aac2e5c3b038e94fcbcc55897e0d77fd0af6fb3a

    SHA512

    ad19100a6a9a6bf3af5a16f7e5f518cb45b36edd2fcb90c286ec805c6247544261905da37fb0b5b382bb10d557515fc05f40a47767e0d22868f8b33e240bdacf

    Download Submit

  • C:\Windows\Installer\MSI73D8.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\temp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.0MB

    MD5

    6a3456c0b9ba1edc17dfbe248f935d9f

    SHA1

    0b076d1e004c084aa5863c62d8d9e2aec9165fe1

    SHA256

    3cd8092a949a5aa2f7c989fe70c22dcf5c4fb3ec584f3913b07476554f7ae8bf

    SHA512

    915fcb5352d0d86adfb4d2ad0c746706362ad25bbb2d7b0ed739d360b6d6af6b7a30efacfcfe5695e8c65b0ba7b682e1a2551b612a6f82292c2952a5fe48ca4b

    Download Submit

  • \??\Volume{119bf5f3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{32b5decd-68cd-46ed-bc0e-5268e10bf0ec}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    bcee4b8acebcf77c9c78ce1124137e55

    SHA1

    4c55554b08e018ecf507665b1cb2772b92ba0628

    SHA256

    b7f827e3df553914330c872d3868bb93df152d6e8826dfebed224c0ff73308dd

    SHA512

    6a7391b4bb69dee9405ef6bac823b8f2ede1892b99a3f284298597dccae0f99f45e98f4b644dde60b9386243bcffd66fe9898506bd1a057e35b0452c0da1d146

    Download Submit

  • \??\c:\temp\script.a3x
    Filesize

    474KB

    MD5

    6354b28ac4bc8fa465d80c3ea3893116

    SHA1

    0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d

    SHA256

    9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7

    SHA512

    6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

    Download Submit

  • \??\c:\temp\test.txt
    Filesize

    76B

    MD5

    45306f5622da212035662680f1c09e0e

    SHA1

    a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

    SHA256

    2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

    SHA512

    99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

    Download Submit

  • memory/1876-104-0x0000000005FB0000-0x000000000630B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1876-105-0x0000000005FB0000-0x000000000630B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1876-103-0x0000000004AB0000-0x0000000005A80000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3652-106-0x0000000074310000-0x00000000746B8000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3652-107-0x00000148FF710000-0x00000148FF8B0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3652-95-0x00000148FF710000-0x00000148FF8B0000-memory.dmp

    Filesize

    1.6MB

    Download