Analysis
-
max time kernel
160s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-03-2024 19:15
General
-
Target
58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994.msi
-
Size
4.3MB
-
MD5
4f238c2093606fc296f1f819c2f0fc67
-
SHA1
f8535858fcee6b96e0f49e6156fa110fc0698880
-
SHA256
58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
-
SHA512
c2422db8871d6303b5903c4b11cca3debd62cb25a406655db5a0ba407f33c9fef739371d297e5ccad45efc99e040e6ae29079b4b9325f52d54c5e780f8c346f7
-
SSDEEP
49152:jpUPN9qhCxzT+WKjSXcmNt6+XzP4BYIeBfCXqyfdo1DDDDDDDDDDPuDgO9hTnxA5:jpqCQbm+jg12f3yaiga6yU
Malware Config
Extracted
darkgate
admin888
jenb128hiuedfhajduihfa.com
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
true
-
check_ram
true
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
RZymDRsm
-
minimum_disk
100
-
minimum_ram
7000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Extracted
darkgate
6.1.7
admin888
jenb128hiuedfhajduihfa.com
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
true
-
check_ram
true
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
RZymDRsm
-
minimum_disk
100
-
minimum_ram
7000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 32 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 259509051BF6E6DC1C20096B71A997672⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e1010984-d7fb-491c-a0f8-16c4523d841e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-e1010984-d7fb-491c-a0f8-16c4523d841e\files\vlc.exe"C:\Users\Admin\AppData\Local\Temp\MW-e1010984-d7fb-491c-a0f8-16c4523d841e\files\vlc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\temp\Autoit3.exe"c:\temp\Autoit3.exe" c:\temp\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e1010984-d7fb-491c-a0f8-16c4523d841e\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c83e84a55fa0c185a2b9d200fc98d71b
SHA1ead9518e37fb624030d5eac599bb1b9a1988396f
SHA256dc2e988ac40e1b1fc44c629f24ec31b9f1d201f150e127b00ee438437d1d5f8d
SHA512d64c48d33133732f938eb1d1581e3073245ac2e56e05178eff5c9038b745564d0984c48fafb81d2b5c8728ea76167e0f497da9cca808b2ab8d3edc46bcdfa657
-
Filesize
4.0MB
MD5b617d565e52112548d239e32b05eecb4
SHA15e37585718e80f11c44537f21ecd6d1c45f44c6b
SHA25696146d2cb6aa614ffe3aac47f5e0d8a3bcf28bacb3f27bc9a80a18ede73ac607
SHA51223f2b21f4bb19eba68c39bd93964160f55611686546aee904cac925ee058a6f8f6c6e1f113cdeb7c42ca5375d83de1169051c9a001aeb1f48f322dbe5d6bcd7d
-
Filesize
1.5MB
MD53843f0f904fc531b2c528b65ada84dff
SHA17ad3a66bd8be7456ceb7a5976548cdd6c2643d8f
SHA256f3cbababb4ba75f65b4a5ec6d603ef93ed23089aef777b22db710d5bc873a11a
SHA512e099cef3bd5f80f9e861f97e6c7ddace0adddfb26e316c76a4d66cda7942c2e46f6f66ed6ca9a6d06a587645c6a01527f542420e3720d462d6b09d5fe44cbf5c
-
Filesize
1.6MB
MD5775d01ac4a84cf493c27759ae6b55355
SHA1e27078488d12e7ab7feff45fe2b2b7f60d72b0f3
SHA256e894e2781806b306298f85a1af60b1ca38b4695bde30cf6839518e10501b6b5a
SHA512b6168b83deb2c95e88b6eb4e1fbc1bf7f3a3353e6fee9b016f5e25472ed202225aed0338f196fbcd116a480d6708487191afa8be4a21cd5316f90f6167d1c978
-
Filesize
966KB
MD5035860e139ba6db1b38d5346cb6ff5b6
SHA1d515303cbca3a8ae7a0463fecd418d81b314e650
SHA25616197a321fc7b0a2a311e689621fe4a7cd50fdcb2d163973a31e4fd6352232d7
SHA51214dab9108d85af72001631130923b94483dd1440f24a8eedad41756db3030c5e11e80ec894922c389e09c86e8b721bcbd8594bd3646f484560f89963a7e18cc7
-
Filesize
430B
MD5dc5bd47ab9a7e563f63f048a98ae969e
SHA1c8aa1af228645a538b064fee690f95e63fdc9c94
SHA256e7a1292ecae8b0c2f7a02efa545e125c5a83565596cbbb70e7a2574e3de1e0cb
SHA5123baf73a8d7c6b5b69d55b55cf87ac38c3f1c202f249bf7427cf8d339d99e4602130dc0f91fad394b670049a9122d0d75ae66ed5baea63eb562abee7bb616f765
-
Filesize
1KB
MD5fd5c57615cfaf7a0587054ebd9262825
SHA19f1870db8fb309fd1539b41095e1456f298125d5
SHA25670b334d4d6852dd54af7e64d8c97d6aa6d5ae0b166675d6d47034dc0a1d8951e
SHA512bdf9b7c97880927af264e00f55b4f32fa3497fb0e12632c829bae8e5f4d5bff0f9bc4bc888f9098e78052267e65d2898a42eb0713a5a9e24d6f8a1b9074bab24
-
Filesize
1KB
MD51060ec1d24dc5686bd768523fb5bdbb2
SHA10fb5469c30f1a07db96d3f02f4ec6f40ae5003db
SHA2560cd83183c1dae27df6f298276fa6ea36640db1b7c3c7bc0809f826deac948f8d
SHA512ad1d8ee736694b6a72025b99528aa054ce93c6bcc96c9cc5f20320e036dedf8c0bff89441cca31eea97cfbc7b4a8b6bd15db92f344fd9681e734af070aed301a
-
Filesize
1KB
MD5e9895d1c16265acf792eba53adc3388e
SHA188f1de71b3dca1ccf7266d7491bba12ede471abb
SHA256b224068545bb22b9702cd77a1661de315a24fef3185ed27f09dceb09dd3fb773
SHA512c11cb52b39af7e8c9361e9626956dc358c5319b768aa6717e5f335f15fc75da5cd64533751c6908b7b3f4951f90b8c6c4b16889e32627bda5a7012297c1e9884
-
Filesize
32B
MD5cd07604bcbb3d96d80714e74d8c6b620
SHA1972f4484df03881616798b83f6a534b8e63de253
SHA2564ed51d32e87bcb6998b2304c0bcac50931d8d0c9eb65ede9007b7b223b0585b1
SHA512ea07d1c3d13d931db9d9e32be854ce33e272f48b27c6df646b5f70077e4c211491b84625fe514f93f98af66bb42e7e18bdc331f7a7f889b1c456e05997bf2219
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
4B
MD5ce5f9940474fcdd5f83f8b91055178f1
SHA19cd75cc286b536befa4b9c9f49c3809e763a57d2
SHA2569c9db04a9611be0bb645d584eb8657b8a4cb507ea6892bf9aa512522ae4e7cdd
SHA51289b14dff1f04e092eb0a856727d33eb6b064522c99c594b6d9690d1ba7de99f00de0efc28c85a14074e2dad507909d1b8fc3c6b36fc74feea4a80d495241f3cb
-
Filesize
4B
MD5cc89229eb5c8a1adf1dafe0209dbdba2
SHA187d3318605511b6fabcf27a56459956f6f16aa1c
SHA2565d9c86f9b23c19394ae1237cbd9f0340f9237886d9492daa9b2efdda39e56fa6
SHA512b386db81f3feeb5c45f77f39e584e88eb1039538cebacd9366531d7a6075d4aa63a781815ee210db1ded8f43af34c69acf96caa0fe4ee317056d4f0dad355a51
-
Filesize
3.6MB
MD530d914e8b72feb81426559492bd6fa6a
SHA18f5dd58c5f2ecc41407861985f67b4b441a63697
SHA2561b1088bca435ff71d32976e4298f77252ed841601a842fd78368ae1da05337e7
SHA512e0756daeca8237cf66a3ceeed7b67444e5ea73f3d6995a74be8be6967471a5b92276bf91b1dfc2b16904036ded8577f06108dcb3de3a4c11d4b86c9506d038d5
-
Filesize
6KB
MD58aa1740bdf2b5e560d16bc020fcd611e
SHA1c3ad42398a91e66e52beb189149b6a71e5991ef5
SHA256c3bca4c4cefbdcb30cbf7bea37a628bd5fee2f554608774660026b1a5215645c
SHA51212ab82db5cfdc526d4b80a16bf45c24d79d3f87fe41129d2e71d361395ba510aa2a95c2d7872a60bbb3021d26e69505b9e4e3eccaf740f2b901a1d77d411de19
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
466KB
MD5caf6d14ee91108f878d6108071d72b7a
SHA16166b2db78c93bdb24dc693b18a8bc6f1cd96fe6
SHA2563182937fdba31b1fe9f18f78e0901fe8d3bac7ed72b87f8409dcd19e2e1f4184
SHA51274b46ffd50acf54055e05ac12b8167b8f4976de345f478b648f71c05cf8f1f9cb584cdc2711d605aaea05c1f0fb643028ef8524e0f9144b0ab2975792c9681c9
-
Filesize
76B
MD5eb493e70c279b059272d93eb86156a25
SHA1cc6d75663d2647ce59741958b9334d9319dc1e40
SHA256c5c350d106264a59acb4049244933261da379b6fc5577b519cfc113c83fb1e31
SHA512c4617f8d45d00bf3fbe6a1ab4b25052e2012e2f2783022528d625618956814ab6497a82800f14592eda1886903d88a075ffeff29d72bec8c4817927b9dcac514
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
1.6MB
-
Filesize
992KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
15.8MB
-
Filesize
3.3MB
-
Filesize
3.3MB