Overview

overview

10

Static

static

1

3bf9981051...7e.msi

windows7-x64

10

3bf9981051...7e.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • submitted
    15-02-2024 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi

  • Size

    5.8MB

  • MD5

    2999391319cda1be5dacfaf5b05062b2

  • SHA1

    c983b7dff2ea4c63f3944e639eb54d0e6b0b655f

  • SHA256

    3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

  • SHA512

    1b9a7e5211979f37097c28122cbe99b5ec81ca3caa07944ddaba1afb2515ef3545f92bce35efa87914221016867f88b9b64c7a6a07e8e3f0cb556182047c7f27

  • SSDEEP

    49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q

Score
10/10
darkgateadmin888discoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    WeBiMyRU

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Darkgate family
    darkgate
  • Detect DarkGate stealer 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2936
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B6C933E9DCA7A4F321A8E95C0085811B
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2732
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2468
      • C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2292
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          4⤵
          • Command and Scripting Interpreter: AutoIT
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\files"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2176
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1260
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2504
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "00000000000003F0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
    Filesize

    1KB

    MD5

    e94fb54871208c00df70f708ac47085b

    SHA1

    4efc31460c619ecae59c1bce2c008036d94c84b8

    SHA256

    7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

    SHA512

    2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1103e19e0efeb2e59dbf1c2d7a6e0cec

    SHA1

    d78046ccac499807466aa456120efd71d3146da2

    SHA256

    6e4a95bd1bd3bf39b91d4379e8c2ab347d8fafd5e22360eb6a2adf53a9a8d53b

    SHA512

    844c10a33edab020bb8f32d15553bb57b7846fa0b5dfddcb286ebb7070ca8b20b5af542b63efa253e3933888301bd5eee5ceabf12a8223c340c1275e053e7fa2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
    Filesize

    264B

    MD5

    5aa4b1d71e2bd520096d1064529f8692

    SHA1

    e21ff28f651b176c88d5bfc65936bd2779ab81b1

    SHA256

    16231c27912e8904b9826df1d05a097d8b1d5f1457f993c7956a7936151ecc9f

    SHA512

    31caba01094daf4842ff2efb18682b992017b760aa12d5efbbc577514ca6193c7e34103a0b45f2f4ffd029fa2a34042b771f8d4f001879ec63cf0992d220c6d3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    7f580ad5b50424a19b9ebf84ba2fec44

    SHA1

    25217ce239bb3b7e12020a9bb3c10c00d1833419

    SHA256

    299d7ce48c15eb7664478b0bfa102f8ce9c16d09f7b04f9cee5f4d8f32a44ea5

    SHA512

    b6749ed70c4728327f4b7d3d079cca4dc18d00c7b9d2fab0c264a8eb35b5d8a86c0621d8f24d8cd5b61a5ec6c547f67589086ecef0e5d0910c52087b16d41a84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\files.cab
    Filesize

    5.6MB

    MD5

    d339565d7c5224c45092b3aaeeb3797f

    SHA1

    c85565693714583e57fb9addb64368cc87288efa

    SHA256

    359e387871378831eb1293f41b54436abc6357733d1a573f0caff90ab1cbf07d

    SHA512

    14b3cb62aa99f53a8205783297285b38268306d4876ebdc65ab42d2c7c5613dc4b7010d3f25f2ad60747e136ff5939dca8f6a986f7161f27c0d791f4e874062b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\files\CoreFoundation.dll
    Filesize

    3.6MB

    MD5

    b4677a50c291d7c5a7f9f1b80f39a37f

    SHA1

    76d183107f9a8f89f09e25149e6e3de777b25d5a

    SHA256

    c2d43d768cebcf63e8d0c3ae8ffd2cd5070e4ac656a132b63d5e7372cef69c62

    SHA512

    bb2a3bb016cca60bd5f8a33773752e8f88bae764a6497eaaccf563da8607805b5723b30135c001f2fbc20c628e75c099410d9fd09b375c3d2901b6e7f70ba356

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\files\iTunesHelper.exe
    Filesize

    358KB

    MD5

    ed6a1c72a75dee15a6fa75873cd64975

    SHA1

    67a15ca72e3156f8be6c46391e184087e47f4a0d

    SHA256

    0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

    SHA512

    256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\files\sqlite3.dll
    Filesize

    1.6MB

    MD5

    ce6e163809f5e817ef0c259672f7a1cd

    SHA1

    123e2f032b2fc45d6d9fe482756243ed61137476

    SHA256

    28ead67d2352ddd11f963e8b23930905ecbaff371162dfdae5ed096f62eb3d79

    SHA512

    07766db4cf023bf059415a58a9e1384acb39260ba71587b4eadb99f84d307c0ab70f76390894ab786a6461a0c809f8e9fe435f7bf9b334a369a178c54b295229

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\msiwrapper.ini
    Filesize

    396B

    MD5

    7492b5cdbea480b5d05dad1637fb1bc5

    SHA1

    6c067bdcb371fd2d4b6dfaa7302b1205abd466b0

    SHA256

    3dd2272774f3114bf7e7724d8057463c63dac3831b4743fe7fd97d02e98d0087

    SHA512

    4ca0896b80fb8f1db21332ef928a0198843198c3bd775e2b61b3ffae12ad5b976de3569ed24eb98db8809c288be4bc42e0cce163b314a3b5270280430e6d96f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-9df84f6d-31d4-477f-ad75-4d5c38b890e0\msiwrapper.ini
    Filesize

    1KB

    MD5

    07d3e2defce979e69b45c62729219520

    SHA1

    1a19bcd1dfcf3509152bd8ce7b1e87a0dfb706ae

    SHA256

    ae966de2c200442dace62167499fee000b30c2c9a4e6f49f54b5d5a47cee0b68

    SHA512

    2d84e79b0692672251d9d9d7a7878c8e4f29b729ab2f558cf3f5cc382ab346b60404eaec7ce5fe92fce97c0c399d41c7d62927e98a65ab7a2bc487b7dad4ee12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarB8A.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Windows\Installer\MSI2B44.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\temp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\c:\temp\script.a3x
    Filesize

    474KB

    MD5

    6354b28ac4bc8fa465d80c3ea3893116

    SHA1

    0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d

    SHA256

    9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7

    SHA512

    6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

    Download Submit

  • \??\c:\temp\test.txt
    Filesize

    76B

    MD5

    45306f5622da212035662680f1c09e0e

    SHA1

    a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

    SHA256

    2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

    SHA512

    99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

    Download Submit

  • memory/2292-351-0x0000000074540000-0x00000000748E8000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2292-353-0x0000000002430000-0x00000000025D0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2292-344-0x0000000002430000-0x00000000025D0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2464-357-0x0000000003720000-0x00000000046F0000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/2464-360-0x0000000004BA0000-0x0000000004EFB000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2464-361-0x0000000004BA0000-0x0000000004EFB000-memory.dmp

    Filesize

    3.4MB

    Download