Overview

overview

10

Static

static

1

build-x64.msi

windows7-x64

10

build-x64.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build-x64.msi

  • Size

    5.8MB

  • MD5

    9c02a9298b97fcfc5a75fbedf08002bd

  • SHA1

    2d3bc2856c015914f2856331a0315298f3c34b0c

  • SHA256

    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a

  • SHA512

    fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc

  • SSDEEP

    49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC

Score
10/10
darkgateadmin888discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    443

  • check_disk

    true

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    VzXLKSZE

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1856
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B603C724425C5F47D9863163086E27BA
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1348
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:3056
      • C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1032
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files"
        3⤵
          PID:1724
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:2168
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "00000000000003F8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      1KB

      MD5

      e94fb54871208c00df70f708ac47085b

      SHA1

      4efc31460c619ecae59c1bce2c008036d94c84b8

      SHA256

      7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

      SHA512

      2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      baf5443b1627a9f200ab7abca3dc1b4d

      SHA1

      c502c5a72dd8437bc845dbcf59cad8dac0abaa06

      SHA256

      cdf0dbbe73c566e8bf7d2cec82a2929087a9fb31ff8b1c8b980a388313391557

      SHA512

      7f5e196a9ce03f843bdea9745135acd618368d71f220cd75ecec50e476876c944fd10c52529f1fd9c619267b5c8f9093db1741f386a25a7481819277dba5cccc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      264B

      MD5

      f0ad7ae23969b408f6c37a97159fa8f3

      SHA1

      21bf1a0b5410a8dc3d01456394c1b30989d56d47

      SHA256

      550beac6c22ee01e957c6b6eb01fce86917e15c62f08260b5635bd152cfbd0b5

      SHA512

      6268c9ae184f32f4c91af35993eabdbedd8197766b2c6dc491f923c08899c43f0180031bd4ce58b06b3220d0dc82839de1fd555366155335cb9b8f97e7d79028

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab1F17.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files.cab
      Filesize

      2.2MB

      MD5

      140080dc3bd54e7b882f19e17fe7cdc3

      SHA1

      7240b2b11045c79524302fd67253bedfc9059e35

      SHA256

      4ccccbbf1a544ed11792eb7348af86a55ecfa3a09a5e2f6c5dee81893e78edc6

      SHA512

      5857452c03cea5f0175bdec02bb8ec063341a1eb28c603dd7d4946949da520d7d9b2b2dc140e8cc08c1451594e6e5f70c5ef630cceb7c553d2af68cc198c6361

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\CoreFoundation.dll
      Filesize

      343KB

      MD5

      5610979ac5c4ec2b2298ddd0d038a3ad

      SHA1

      8c571f042ccfabaadfabdd9e0c507ffed82c1327

      SHA256

      a4750105bd0fee1c619bbc7efb133131390cfb50fd3a50b18f4c480841e2e639

      SHA512

      dd06c9dd06a2a1c545e3d502bc48904824d3aa12abe67aefff5193541769fa98c145dfdd8c08fba12f767fe84f98ea4693b1ecb27d6e5832c5a44d908355e892

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\iTunesHelper.exe
      Filesize

      321KB

      MD5

      6c446b3f677f276c07c1c6459ed3ff72

      SHA1

      7139e1184ab7e70ee50867b7c3df3b33b4f5d870

      SHA256

      af642e0b9d2a55dcc742645a689d26ef431913ff326ab604b2b4ee1793840c5e

      SHA512

      0ace4a2c42854661c0a1fe8e69c26a360e03eea6b64e88ab8febb4e287257cd379aeea3b8981c3f5aad5b1067f5767be6616b9abd972b4d9ef0e7e969c313aeb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\iTunesHelper.exe
      Filesize

      336KB

      MD5

      5a0b421744aedd37867d1ad07904af08

      SHA1

      680ecc86a79c4e5aedb94f389f47b75e7f503096

      SHA256

      e3c29803ebad8d0643ee63668a464fc7e5043cda67de381c1a98c51117e907f8

      SHA512

      24fa4cd93914f7db3aff19f7538836e22010ccdc3bc416fb5b7034ea009c2bbe3eb4a65d73184625cc2ffb812d07482128ad4801c3e3e49663aa98fd9275b4ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\sqlite3.dll
      Filesize

      315KB

      MD5

      26cb21c0b85a30ee7c5bd79691a70ce3

      SHA1

      5dfc074fce314f59795aad6f51ad30572745fada

      SHA256

      8d79be94e4c3a3d90b54ef0c58684e64bef69816568201e3c4ffe71fb0df2234

      SHA512

      9057218978f280b068413e3579e71c177807d6c5929616b093a29c7969a5befac7a51418a61606423c8a4f14cc4dc918d2ff94236f33752d97b1840ec3c36987

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\msiwrapper.ini
      Filesize

      1KB

      MD5

      74dc1265a88b0bbd1dc01bdd1664336a

      SHA1

      2a10ad50e45ea2be4396473d69fb0c821936013c

      SHA256

      867a1d740345325f1711d32c6dc09450ff95801cc51f3e651b5137baed55e2bf

      SHA512

      3656a46dfaeef2ea2113e2d5d0ebb6abf23c0992d03bc457b5540b0dd26c90832af59457e2d4868caae39397790ed3eabc7e72e2363d1a8f65acf926b5124064

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar1F29.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar5149.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit

    • C:\Windows\Installer\MSI8CF3.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit

    • C:\temp\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • \??\c:\temp\script.a3x
      Filesize

      473KB

      MD5

      33ca8bc4ac593027fd3e83ba44be54fc

      SHA1

      07e2e129a5b0a694d38ac29bc21f74eda100519f

      SHA256

      2296f929340976c680d199ce8e47bd7136d9f4c1f7abc9df79843e094f894236

      SHA512

      05f6f03e69a7d31686f422e422d61161bde45173a6453fdf0392a7a084c9bd69c7c0ed11eb7a37281481eea14497e95c51dfaded21e2ff943fee3f371592db61

      Download Submit

    • \??\c:\temp\test.txt
      Filesize

      76B

      MD5

      e0cb113b19ce53ef7b72edbb0a4937dc

      SHA1

      2499a76ad9ec4a44571bfd8083e09b23373f9f69

      SHA256

      03bed76f17b8574d05e84b81f81c09a33b1ae1555c2caf4783e059b689879ab6

      SHA512

      0b046a6d16d22c0faa3eb729d9b74bfbc87f3cc847fd5ddfa89e573893d215841bae320f0697090b9a30778a07210929ac9c440fca884e920b369698d90a17ca

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\CoreFoundation.dll
      Filesize

      216KB

      MD5

      216cd5648a92207eedeb4e83bbbc2e2a

      SHA1

      0bd85759f0c898bc7082c0bf230a7f73c741985c

      SHA256

      26f727df93598342e20099948edbe151fa58b1d266f83a7c690d2935e2decece

      SHA512

      466e48dc06425f8240f2baebc844b9c7b39217262f26caba831e740c5d445f4009b94526673003584b0e8a5f4d7b7eddb458aff4c64474066c3611a2782372b5

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-c7bc4f3b-493a-43c7-8fd7-10b03a719a90\files\iTunesHelper.exe
      Filesize

      358KB

      MD5

      ed6a1c72a75dee15a6fa75873cd64975

      SHA1

      67a15ca72e3156f8be6c46391e184087e47f4a0d

      SHA256

      0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

      SHA512

      256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

      Download Submit

    • memory/1032-349-0x0000000002400000-0x00000000025A0000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1032-355-0x00000000741E0000-0x0000000074588000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/1032-357-0x0000000002400000-0x00000000025A0000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2476-365-0x00000000036E0000-0x00000000046B0000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/2476-366-0x0000000004B60000-0x0000000004EBC000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2476-367-0x0000000004B60000-0x0000000004EBC000-memory.dmp

      Filesize

      3.4MB

      Download