Overview

overview

10

Static

static

1

doomday.msi

windows7-x64

10

doomday.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-03-2024 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doomday.msi

  • Size

    3.7MB

  • MD5

    426a59cd5e215e9f3696c1dcc8455d20

  • SHA1

    255d113da1dc32c3b341e643c01e9f5a13e060de

  • SHA256

    ea673e0e6986e41a73c19dd2a9cfde3d2d4186ef52c23c1253dde2d54faca7b3

  • SHA512

    4b684a97aa6d3b08459b69fb610b6ad5458de56c056f79e91e164cd8914f58ed8734ea4493bbac42c18982a80ffea30d6ba4306ef722bafc49debd4b0f68540a

  • SSDEEP

    49152:TpUPbczduZ0Yx87nxODZGMFLnd+A1m4wcMO6XOf4BmCk2ZlZ:Tp1BB7nxOtFjfBwpOff4BmCk2Zl

Score
10/10
darkgateadmin888discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

38.180.60.31

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    yjuEPWsj

  • minimum_disk

    30

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\doomday.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2520
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0CD2240C8F74F2069E6B7F00943CED8E
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1348
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:3104
      • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files\apdproxy.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files\apdproxy.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3576
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:4188
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:3572
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files.cab
    Filesize

    3.4MB

    MD5

    2bff42a75bcda5b313b7b91261c9d85f

    SHA1

    de1be1be23a3c1d6b410c6af154d19e1e15da388

    SHA256

    b860f09732fad08ddb048b0322bc5df1a61fe7859dd91f6ca769a972bac4f5f3

    SHA512

    1056f0b1e68b4030d916cdff8fe2c1b20110fa05db6457aff6b10b93ff27c7f16eb8506469746fc19e67556ed21af094afdbaba5f1ee56f5c4c2c74a96e4bdaa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files\apdboot.dll
    Filesize

    931KB

    MD5

    884e21631c0b78aea630fbe540d84778

    SHA1

    a9f4eea988debc35d0aa60efbdee6708c2cc1655

    SHA256

    51d197826bb62d23d4d926c914409ea8c66de149418cdd43137ddf1cafffe347

    SHA512

    2ab6994e822f6174f10264c70d02857a8eb47ddc9f10b414f2e314d5f5d996bd50886a47f58eafffec6f8b823b6d14715320a9f6e332934801182d57e298b714

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files\apdproxy.exe
    Filesize

    62KB

    MD5

    fc9e59fe8bc4fe05382cff5c8fc59de1

    SHA1

    69423bc900644a910936d2c5828348d188e5d750

    SHA256

    a16b93c374e77f98889d7ad7f38b2282dbc5a40511541b9105b1dcf9216c3cf3

    SHA512

    1d34be70cd701b606873aaf6910ab7fa7a3c4a81e0398d9bdcf8e8aac3dd63ec888c478e45600bf7e34301bec231038e8dccb457e49db8b5ff1c0740b68d072c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files\msvcp71.dll
    Filesize

    488KB

    MD5

    561fa2abb31dfa8fab762145f81667c2

    SHA1

    c8ccb04eedac821a13fae314a2435192860c72b8

    SHA256

    df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

    SHA512

    7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files\msvcr71.dll
    Filesize

    340KB

    MD5

    86f1895ae8c5e8b17d99ece768a70732

    SHA1

    d5502a1d00787d68f548ddeebbde1eca5e2b38ca

    SHA256

    8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

    SHA512

    3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\files\sqlite3.dll
    Filesize

    1.6MB

    MD5

    13914f35fce12f03d0a3f3eda68b1b8e

    SHA1

    5490e690e87d944bf5186d13e5f3a5a23d0c350f

    SHA256

    b6c0d1c8dfb907ce2d5bc7e493cfb1c5e1940f200475327dded1d3390c1d5c96

    SHA512

    ac06235fd132b36a80979f34aab4b382de3e33f0d91cdc8a94c9da09e7fbd65c13ae52dcf191671e46d9f390e62471a2c509fee81c666f4904e4a2e231e4d0ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\msiwrapper.ini
    Filesize

    1KB

    MD5

    0653f6b7276dd20817e7e966e2e6dd39

    SHA1

    32cd2f5d556b981f6867d33a7aaf2f61106699f0

    SHA256

    636d6769576c1ce42747c38abbe00d0a8953703bb16273350c86e7d7b13902fe

    SHA512

    3fe1e12fa650b123ad1e00ec6d9402f7357d35e0c412001b9897982dba8fb7ea4c17b26ded574a5e7b47c204ace51bf0ebf6fa3d7c2906d4bef79defe9b4a53f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-4c092f10-4d8e-468e-93ce-729d314d517e\msiwrapper.ini
    Filesize

    1KB

    MD5

    28a4c11be2b2935abc70abd76dc2cc7c

    SHA1

    9eed0e53338c0bbb9119a639eef5a8a1a77407a0

    SHA256

    0a0d1c28bf915807db7479199eb8a654a198fd1b29226f79713aba04515672f6

    SHA512

    d5927e57ec25c5957351fc5c8cf141339001b2df0612b7dfb368b824166afa88919ceb9b8c105c236072bd7a2c3e883dd412551592649261b839b1fd2b79b3a0

    Download Submit

  • C:\Windows\Installer\MSI67C2.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\temp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    2.3MB

    MD5

    86366d9d23ff38cb25abd3093d9c2084

    SHA1

    7888787076c276ca5fd1315d39f56d326d03c23e

    SHA256

    f4acaf227aa68b89916061cf3ee91cc04e3ac0913c9c3dcca09ef6d0f0c68ee2

    SHA512

    2eb55ed130af3c8f87bb459a87e923a2cd5146f07e8070a8717c15e2db66faa65569a34f613c332e179aa6dec4edb1bf8781b89743272381c9a7313ce3d5f036

    Download Submit

  • \??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{22a77b69-7c00-4549-9aac-2ccece5ae0b0}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    47380862bb1e4d93f11a3d49b8e177da

    SHA1

    28f06946f855cf6fba91834cdb34224f5341d0ba

    SHA256

    59129eb39f9fd3857b9095db833721de894d5c6b663892fc65771ccd482a411c

    SHA512

    cd00ad9c0cf6b41266159634d0899a14e5a9d3095ab4b10fe7de724ec7a196f8b9c20e979ed81c44435cc0928c2aae9f479c2eda03926df24f542d28903dc077

    Download Submit

  • \??\c:\temp\script.au3
    Filesize

    595KB

    MD5

    07b5686c91ff17a1d86271601f9904b0

    SHA1

    99fd675e912909af895a917c950e5ecc37b67869

    SHA256

    64e1563ceef99893a1fe4ba93cd38763a68f2db5537545a08061e83af9fe299b

    SHA512

    321e27bb1cb5c020b4979c6dce687fb734cf24a8a6e420850019d087e61ec902dbb97e7ed164c9b7fbd7f8996eaf6c4e0bb65775355e8a7075b239424dd780c6

    Download Submit

  • \??\c:\temp\test.txt
    Filesize

    76B

    MD5

    4b1e3cb8c33b582a74656ec001aaaf7a

    SHA1

    576cfd0d0538ca5ab90183139473895c3b8440ba

    SHA256

    99426e8b0d9b6366436d7db6883c98d6a8c2e5825b13a167a0c7495494182276

    SHA512

    b7899e2236be8702f2852233f37cb98732e2f1ac97b909d0fdce216721d02337b4b3f5045464e2d13ac9c7e2320f56c574f7654aa348e96cba5932d1f7edba4f

    Download Submit

  • memory/3576-90-0x0000000002670000-0x0000000002814000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3576-96-0x0000000073B00000-0x0000000073BF4000-memory.dmp

    Filesize

    976KB

    Download

  • memory/3576-97-0x0000000002670000-0x0000000002814000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4188-110-0x0000000004CF0000-0x0000000005CC0000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/4188-112-0x0000000006460000-0x00000000067AE000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4188-113-0x0000000006460000-0x00000000067AE000-memory.dmp

    Filesize

    3.3MB

    Download