Overview

overview

10

Static

static

1

27022024_2...an.msi

windows7-x64

10

27022024_2...an.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-02-2024 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27022024_2353_scan.msi

  • Size

    5.7MB

  • MD5

    50c85e84f91c3b7f1811380aeae9d606

  • SHA1

    7703c4ec1ea28c2b9785eb02b5c11b7b226155eb

  • SHA256

    ef989e3924e2f9e3fe7ec53fd870124b8f9174275428c36e03a991a55ce5ad54

  • SHA512

    e5b2930d2c44d27af969f96b2040045b6a9a6d6ad6cd500a3b01b7b789e713f8bd6dc867a7d6bfc39b87004bfb67744899cb5e94e37bef142aa2f0e21fe7d02c

  • SSDEEP

    49152:opUPXXhs0/Te0LjgIAkr5VbSPn9VISBdxXhYHGphbEEoGVupQMKk+/GTeonv3c9M:opEpoVR0mVERDCjk+Onva46G

Score
10/10
darkgateadmin888discoverypersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

remasterprodelherskjs.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    kiQRLFmc

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 13 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
    1⤵
      PID:4180
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\27022024_2353_scan.msi
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:368
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1344
        • \??\c:\windows\SysWOW64\cmd.exe
          "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s C:\ProgramData\dadhhed\ & rmdir /s /q C:\ProgramData\dadhhed\
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
          • \??\c:\windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:3312
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:4080
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2644
          • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
            "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
            2⤵
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:2456
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /V
          1⤵
          • Enumerates connected drives
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding 11EB63E8EFC8BB7FEC2D9E7EF77746A1
            2⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:4100
            • C:\Windows\SysWOW64\ICACLS.EXE
              "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
              3⤵
              • Modifies file permissions
              PID:3104
            • C:\Windows\SysWOW64\EXPAND.EXE
              "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
              3⤵
              • Drops file in Windows directory
              PID:4060
            • C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\files\iTunesHelper.exe
              "C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\files\iTunesHelper.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:64
              • \??\c:\temp\Autoit3.exe
                "c:\temp\Autoit3.exe" c:\temp\script.a3x
                4⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4360
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\files"
              3⤵
                PID:4920
              • C:\Windows\SysWOW64\ICACLS.EXE
                "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\." /SETINTEGRITYLEVEL (CI)(OI)LOW
                3⤵
                • Modifies file permissions
                PID:740
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2164

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\dadhhed\aeacaeh
            Filesize

            1KB

            MD5

            b2192f6fd4b164532da0969a7c0dd6fa

            SHA1

            a4202495d8f8a93274c4c68901b340a14f83bffe

            SHA256

            57ae02a083beb64d39fb9b21e1310d5a3f9afd04591f172db22697481ab64ab0

            SHA512

            924a30337a2f38d1f9f71c1278d77c761c716b36dc56a7465bb3f1dac63fe03ca01dbdd4c46c101537e868a0b03a40e3c977787f99fe829ab1e948c373df1248

            Download Submit

          • C:\ProgramData\dadhhed\cgbdkde.a3x
            Filesize

            472KB

            MD5

            796b432ee10b1ec0a9bc04826ba3dc89

            SHA1

            bf76504a2a25e1fc28b4bae913786a946b645164

            SHA256

            2041c229f99181a383b53f12865d44d495843809c70e7097dd6c07dc6d3e8836

            SHA512

            560ebe6693894ef4bc1ac8a752e34d0ff8b4ab1836a9ba237decd19a04c6d70399b1baf01c2c94c5a73ee1929505e4a9ef82176466f408ebab8cf739143f9c69

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5
            Filesize

            1KB

            MD5

            4c2dc8538c1bde45fbdbbec1eea02383

            SHA1

            83d9366fbb02acf80393740be6833a32e689063b

            SHA256

            44e4bd92d16ddfd3cd99dc1b8cde896cba86d590e020cc744c938244a9dd6c76

            SHA512

            62e33f3491bd1f44aaadfcbad70f262285899e17cd7fd9bf04b896d512b8a84da2007b1e7b9b457ec47711b16a5ac2e006a3ffe8ce4c752bfb5890488b6c75b5

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
            Filesize

            1KB

            MD5

            839c9dd8ae7b0ed8415129b00cb8eea8

            SHA1

            3b826b8c1e0bbb7809cd44264fe329e7875d46f4

            SHA256

            84db190e553c91b118fad5ee5d8116af6e7d0889043ada9730d358ffe19ab0bf

            SHA512

            0bdf466b72680f76c30fa0aba34a0d511635a94f80cccb79e7ce197379b48dea78386dfbeebfd35dbf172aad45f94818b5f435d121f128839ace0492a7ba161d

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5
            Filesize

            540B

            MD5

            63a9ec494d3115d109eb2a2e5204d944

            SHA1

            8df877a5d535834aada078e61e5e12a1989b69a7

            SHA256

            de4c517ceed1455264637e74e08babf78231d0e216fb580db427783379815960

            SHA512

            8c396f9f19d2f4c34914635660ae17ad51c37a7a06e015c351f7aa88b38d8061afede40063a4ce81f1953d8431130fb99ad3b27a5204dee26c4fc523e464fb56

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
            Filesize

            536B

            MD5

            7c55d47d3d144897d3e6daaafa2d1008

            SHA1

            b05089eedf5542646cdc88625f0fc87aee0fefe5

            SHA256

            5620d075a8ce84bacc2794f02d6166c382eaa1a634202e3e85107ce0d5d00dba

            SHA512

            4681aa4ed90c5789f88f53d900e3757c668ed04ae06a98b9d04b4891b1e279b3529c5610757db8c8df14427caffa5b89396d8849337be8294ccf19423a468982

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\files.cab
            Filesize

            5.5MB

            MD5

            bb81408a83f1847cad5980e414f03ec4

            SHA1

            16b68d995073051b2b402828a223c5ff9c41cb81

            SHA256

            600e8804e5f59fea6556560cb6c0e0bb3cfb737f9bf0bf1ef47b61e0a476501f

            SHA512

            d0210f7fc4b1246c616e042f06d6da1a996808b733e81aa29212d541c3c67e653db5c6581a228c8966e00bbe99775b7db9baf2e0288abaad55a4efc5aa203c0a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\files\CoreFoundation.dll
            Filesize

            3.5MB

            MD5

            611316682efd2557c66869a263f07268

            SHA1

            a7f925001aabffccc4a7a33dfdf8a96be5c26182

            SHA256

            6ccd7aac79ca59fd85898433f484bfa2ffe9a21a907103d46c4e9dac7a19d909

            SHA512

            f7992a7d4f51af84df992551ba7748fee7a8acfc56717d7723426ddcb46b3ae3b083728da6c11815893310b8e61063132511c115604122f4fbb4d26450676125

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\files\iTunesHelper.exe
            Filesize

            358KB

            MD5

            ed6a1c72a75dee15a6fa75873cd64975

            SHA1

            67a15ca72e3156f8be6c46391e184087e47f4a0d

            SHA256

            0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

            SHA512

            256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\files\sqlite3.dll
            Filesize

            1.6MB

            MD5

            28e23801281d2e707d3ed138f58f6dd6

            SHA1

            16bfbbc67131bcc9e8faa6942404372ee16620b0

            SHA256

            fffce40b94c53bcda5af093d74b7642fa3eb0fb5ece7dba493b8e9da8ae0f9db

            SHA512

            df6ca7ab1b352c41eeb0e1bfa98211d5568038879a1b332a821ad50d9d48d89bdef85d282c27cc899b3f00acb9c9447d1637ab8353bf1d93d74079f6e0ef9a20

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MW-85bd0e7c-44b3-4757-81f0-b0d0de4f9591\msiwrapper.ini
            Filesize

            1KB

            MD5

            d67aba756e1b8ac955f5bdbeaea296fd

            SHA1

            830c84dd7720c133c53a51b2c5292e0846a9dcdd

            SHA256

            f22419cecd603937180f12f7c6effd041d838fc745b276619d870d8ca67d0b95

            SHA512

            7e0a2bb2a8bf43d952afbea86a9d40ae541488f3e055f4ffaf7a42b2e230de4bde7e3639ef822499b453b555cea59eafe4a05c8a7dae93ebaada5df381eae402

            Download Submit

          • C:\Users\Admin\AppData\Roaming\FFaCabF
            Filesize

            32B

            MD5

            986f69e5a37ee760a58a7ea90df1c235

            SHA1

            b0403c1818fabd9f46cabd061c5a83dc02f88dfe

            SHA256

            e0e44af0e94677d883556c9637f5077cc2e4b652cc473d1f98d4257976ad68ab

            SHA512

            31bcd52391c85aafd87cbc5b86c49a0f0e341c8ae94356c34b6a42f63a6f861623bb018d07fb3b9569929e5e61be2d86bbf17d6a93c866d88679b563a0ae6cd2

            Download Submit

          • C:\Windows\Installer\MSI4229.tmp
            Filesize

            208KB

            MD5

            d82b3fb861129c5d71f0cd2874f97216

            SHA1

            f3fe341d79224126e950d2691d574d147102b18d

            SHA256

            107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

            SHA512

            244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

            Download Submit

          • C:\temp\Autoit3.exe
            Filesize

            872KB

            MD5

            c56b5f0201a3b3de53e561fe76912bfd

            SHA1

            2a4062e10a5de813f5688221dbeb3f3ff33eb417

            SHA256

            237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

            SHA512

            195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

            Download Submit

          • C:\temp\baekfec
            Filesize

            4B

            MD5

            8c98dd0f4339580b484e480420947c49

            SHA1

            e59e0cc124473892978d6205fdb4f2a6e28075f1

            SHA256

            0b1b520af87716324c9c13d0ec4ce0c31302281307e8d11b94606619b6756f0f

            SHA512

            b985780cb3dbd3523de39a15dac9c9e37ab5b7155a96bd2cb6b3c758553cfae5ebf8526dec840568391d3f85ed1df0ac56d898b54c36c359d412d2b4ec582bfb

            Download Submit

          • C:\temp\hehbbdb
            Filesize

            4B

            MD5

            d6f9f64ccf004fde9866ef256ecaca8d

            SHA1

            3679c10e383d48d6a428275b7e9e12fcfd3f9f26

            SHA256

            f31dbc2e6387f8ef73ebd7525bdb5eee41bf521fa18c2431055784d8df306326

            SHA512

            19b3ba78850682031bab87876dac7305c53aeb3bc72b4015ec0ca6262b637cf18ec40cbf3bf56d860162aba6643df85a334b9f238db3f27ef3616334766710ce

            Download Submit

          • C:\temp\hehbbdb
            Filesize

            4B

            MD5

            998a6a56eecb26b99467c25c55cb70d4

            SHA1

            9b695122cb1d46c50991504f9087b62846aa2914

            SHA256

            74c52595179ed0787ef9bf1ffc7aed30afcba243bf00cfc5032c09bfbaf1d848

            SHA512

            abc9b6ba7de46216b9eca3cd0e16ef9096c3bb11e6bd888a8d5d1623057e62912bc65469431e370616cf2c238cc4e555208d26ea0fdb670ea899b3d6783d6199

            Download Submit

          • \??\c:\temp\cacbffg
            Filesize

            4B

            MD5

            0da599ee24102cf7cc7d4bdb9400809e

            SHA1

            7f68a07c6c2fbac476d906b40a0bf949eee323e8

            SHA256

            5acfd15a3143060bf661e999e734f10a11d1cb94cfbb02b3b38af0db6ab1b944

            SHA512

            79d44dafc1a6a67717915bb6f0e1789659280181bfa654270c7c81e6afc56ec500af24274e6543834179b973bacfcee41940a4aee244fc7cc82aec520213c1c8

            Download Submit

          • \??\c:\temp\script.a3x
            Filesize

            468KB

            MD5

            a37df78b6d7563d9743cba9648d84795

            SHA1

            c829f4591b4f748a92db4b49f2b1a2fa3d33c675

            SHA256

            87c47284b340901d82c08c59094040c6e2f39be420893aedc080a16bb11be6a8

            SHA512

            1407168740250b3126acd9633b330a14dcfdace0aa8b1f06f13c45e6fdfdd6836e87b2dd32ffecbbc5c490e74e8103a4399b2ef87ed147062d5f3535a1c7f118

            Download Submit

          • \??\c:\temp\test.txt
            Filesize

            76B

            MD5

            4c5219e9f08372b225eb835b6b55237e

            SHA1

            9266c1757a89a5f9ce0c957b7aaf1ad2e1aa6c9a

            SHA256

            e7f6186b6d7e84a845339f0fc3c1786fa346dff658e24fd60bb6117cea853713

            SHA512

            b07d312bb67ec6a46aaacca7593687405d67fcce62dd6fde5df498140b5c19eb1db85b9555f327a0c462840e0fe02e4e369a846af11ae5fb24bf1a616005d2f5

            Download Submit

          • memory/64-91-0x000000005CD40000-0x000000005D0D0000-memory.dmp

            Filesize

            3.6MB

            Download

          • memory/64-93-0x0000018B8FC50000-0x0000018B8FDEE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/64-85-0x0000018B8FC50000-0x0000018B8FDEE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/1344-122-0x0000000002900000-0x00000000030A2000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/1344-109-0x0000000002900000-0x00000000030A2000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/1344-133-0x0000000002900000-0x00000000030A2000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/1344-116-0x0000000002900000-0x00000000030A2000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/1344-128-0x0000000002900000-0x00000000030A2000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/1344-123-0x0000000002900000-0x00000000030A2000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/1344-124-0x0000000002900000-0x00000000030A2000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2456-129-0x0000000002660000-0x0000000002E02000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2456-127-0x0000000002660000-0x0000000002E02000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2456-121-0x0000000002660000-0x0000000002E02000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2456-132-0x0000000002660000-0x0000000002E02000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/4360-99-0x00000000065E0000-0x000000000692F000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4360-112-0x00000000065E0000-0x000000000692F000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4360-98-0x00000000050F0000-0x00000000060C0000-memory.dmp

            Filesize

            15.8MB

            Download