Overview

overview

10

Static

static

1

ea673e0e69...b3.msi

windows7-x64

10

ea673e0e69...b3.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-03-2024 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea673e0e6986e41a73c19dd2a9cfde3d2d4186ef52c23c1253dde2d54faca7b3.msi

  • Size

    3.7MB

  • MD5

    426a59cd5e215e9f3696c1dcc8455d20

  • SHA1

    255d113da1dc32c3b341e643c01e9f5a13e060de

  • SHA256

    ea673e0e6986e41a73c19dd2a9cfde3d2d4186ef52c23c1253dde2d54faca7b3

  • SHA512

    4b684a97aa6d3b08459b69fb610b6ad5458de56c056f79e91e164cd8914f58ed8734ea4493bbac42c18982a80ffea30d6ba4306ef722bafc49debd4b0f68540a

  • SSDEEP

    49152:TpUPbczduZ0Yx87nxODZGMFLnd+A1m4wcMO6XOf4BmCk2ZlZ:Tp1BB7nxOtFjfBwpOff4BmCk2Zl

Score
10/10
darkgateadmin888discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

38.180.60.31

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    yjuEPWsj

  • minimum_disk

    30

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ea673e0e6986e41a73c19dd2a9cfde3d2d4186ef52c23c1253dde2d54faca7b3.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4124
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F0D8A52606483E87141B5C7CB06D3181
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2244
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1464
      • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\apdproxy.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\apdproxy.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4828
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:3416
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:3136
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files.cab
    Filesize

    3.4MB

    MD5

    2bff42a75bcda5b313b7b91261c9d85f

    SHA1

    de1be1be23a3c1d6b410c6af154d19e1e15da388

    SHA256

    b860f09732fad08ddb048b0322bc5df1a61fe7859dd91f6ca769a972bac4f5f3

    SHA512

    1056f0b1e68b4030d916cdff8fe2c1b20110fa05db6457aff6b10b93ff27c7f16eb8506469746fc19e67556ed21af094afdbaba5f1ee56f5c4c2c74a96e4bdaa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\MSVCP71.dll
    Filesize

    448KB

    MD5

    2df29d4b424715e2b514081b89937218

    SHA1

    60ecc1ac65e88ffd11ba86d227285bf46ee92591

    SHA256

    0748a4e7c5635d2aab30edabec2a733dc2a91834dc4746b718577de53592b79f

    SHA512

    9a64bbc41efb316199c64e5a335737ab6d322716f8ffed8980543451b712ab9b1fd8cdf399eef8982012d8d5ad1467a4373af4c141cdd52e5276e486367756ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\MSVCR71.dll
    Filesize

    340KB

    MD5

    86f1895ae8c5e8b17d99ece768a70732

    SHA1

    d5502a1d00787d68f548ddeebbde1eca5e2b38ca

    SHA256

    8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

    SHA512

    3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\apdboot.dll
    Filesize

    384KB

    MD5

    06d7e7bdfc530ce0d39205c652fc3d46

    SHA1

    34270099a9351408ab837f77a5e80c5508a04ca4

    SHA256

    0db8ab9e70d20a004bb0a14590d67f183f82ad6f5407299b971fb1938b53d370

    SHA512

    753d7b165480ab72c3ec2c448372df0fd6b10d4b15a1961ea9b75076b7c5d0179dcbbf67a9b09295fe41510821deae7ff0b5f7bf66b9b183c0b6c903ca8135eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\apdboot.dll
    Filesize

    192KB

    MD5

    d5d2986079613875ae8ac3d805cbb8c6

    SHA1

    440358d9876ca1de09dfa2fbe9e8be9760b3a406

    SHA256

    8c5235f0b265b23477f03c4c01a2454b1bbbf51057538a15c5356d2c17254a19

    SHA512

    d9312e435b9baeecc44767bf3b3ec900272005d1d0809d5291dec010af9d8cac215c662cd08e8065feebba06778ca5df7558792cd99a4b2696576d9793fb1721

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\apdproxy.exe
    Filesize

    62KB

    MD5

    fc9e59fe8bc4fe05382cff5c8fc59de1

    SHA1

    69423bc900644a910936d2c5828348d188e5d750

    SHA256

    a16b93c374e77f98889d7ad7f38b2282dbc5a40511541b9105b1dcf9216c3cf3

    SHA512

    1d34be70cd701b606873aaf6910ab7fa7a3c4a81e0398d9bdcf8e8aac3dd63ec888c478e45600bf7e34301bec231038e8dccb457e49db8b5ff1c0740b68d072c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\msvcp71.dll
    Filesize

    488KB

    MD5

    561fa2abb31dfa8fab762145f81667c2

    SHA1

    c8ccb04eedac821a13fae314a2435192860c72b8

    SHA256

    df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

    SHA512

    7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\msvcr71.dll
    Filesize

    128KB

    MD5

    955a6d742810e0c3e98250eb9fe78727

    SHA1

    82e54b1acbe9119c71aa45a53480b7e3c55a80c8

    SHA256

    27efea70fa0abccddbcae6615e4a70741a398670721401aed1b2d062862eed2c

    SHA512

    ef4ab06068b58bc22ec5998552bce505c9d7e70b120d321253fe1123d949940e514c12a0625ecfc00bf4f36654053f3291679170804ecc5887ec8a0f416c5a67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\files\sqlite3.dll
    Filesize

    128KB

    MD5

    e31d6a0c380885cd3a13fb51e4ec6d56

    SHA1

    299fa222932020274aa656d70c09e165fc6f85ea

    SHA256

    5a50f64d7af23cf09577d7e392ccce76a89e5638afe85c6339456341ef96174e

    SHA512

    bcaf756a901ade53e2709b5fdd2a1e9131c7b73d3b79fb2f4be5d17441c6a4e20d365b3388558c36f38aec1452fe9870135a93ad8407674af85376e0bfb8ec56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\msiwrapper.ini
    Filesize

    440B

    MD5

    ca65caebe16c6dcc3906fcf178425e00

    SHA1

    ee9e40e49f2894f3bb8e4b1ca7f169e72cf2bc41

    SHA256

    5492e1f693f6d180ebf182ca007a5845070ee2946c65b1fdc5547ed8e31cdf48

    SHA512

    432fa47275046802929bf3b593afd1ea6c703332f834214add54bb59ad0aeabc4335a29a2ff460ca55bddfcf9083fbc3a9006053fa3966e60b100c15f2205d70

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\msiwrapper.ini
    Filesize

    1KB

    MD5

    7b73c415917fd3b80d580ecc22dfb449

    SHA1

    42e23da61ccaed433b304a5bc9eef850ef9f04a3

    SHA256

    838365f756925b6528d8d93db92828083ab9b5a5ef3b8209b92dbaa1553a2897

    SHA512

    52a6dc8286cbdbeb070490ac00d3697356f4ea74cea3a544e5d139676cc87100bb162e20d2b4021a17bd126970efc31dafefc868e905c5f0cc5dd03401be1324

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\msiwrapper.ini
    Filesize

    1KB

    MD5

    5e6630b75c0fa72df1672bf84e7441c2

    SHA1

    44165a3ac41d07aa1c3d9cae9a40d15bd9e8ccdd

    SHA256

    48a2b492341a7f0c6f422aeb8a17539522cda8d4c47cd7a04d81d0a59b7cbea2

    SHA512

    d58b3c069bc7230767db8d1192bb049f4ff6e53b63fdc761f051c5e3fe4e19b7cfa2c33ddf978517549be627ec46fba8865609bd40d97041669da430f066b387

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-a4da7563-7c0a-424f-9552-48eda7e895cb\msiwrapper.ini
    Filesize

    1KB

    MD5

    c3e25099336d60229539906266ce0639

    SHA1

    fe65d33e5b1a9cf077db5db1aea2c2f3a1bb4a62

    SHA256

    a1e11e16c7425d2d54ad5ad3c750edacdbed425d2c9f425a66bbfb3115374717

    SHA512

    49ee38a254f31b599ca3cbf3585ddd271c987bba97bff6987e34b2971724e62496ce4db0f35a95852b13fbdb936ccce071b4550ae8634ec7d540e970c80722e2

    Download Submit

  • C:\Windows\Installer\MSI8B96.tmp
    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

    Download Submit

  • C:\temp\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    143e978e2a7df2a5c450f2032d8c0594

    SHA1

    f72a72037458ca3756cbf8420cb888bed0eb814b

    SHA256

    407803717149aa77a0b811f1fefe160a03411f1802fadc57de1a285ea1fdcc3f

    SHA512

    bb34067070b165a892e3d43a4c2cb5d89e19eff28abb235010b655af9892c8fcf0febc9bb09dabbaa5cf17ae32ad79dc4f1d7486fc90681ef31a3dffd5b4541c

    Download Submit

  • \??\Volume{5a066776-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9fc908d9-33bd-469d-8c5e-cfa9ac44f623}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    8e709630dfdc773ba638e79add175d35

    SHA1

    e837239766923b26959ac33cfce7e9fae735cc2b

    SHA256

    382634b2d33fb258212ca5d15cdb973db5e79f45c5fa6e5f6539377d3b9385f1

    SHA512

    d5a426a45ed93cc3e299e438a647e4926b6e7974e59bced97001ba376f009061235802354864115495087b67d2a97db3f067ded49e4c9bef1e45c1500edd1d76

    Download Submit

  • \??\c:\temp\script.au3
    Filesize

    595KB

    MD5

    07b5686c91ff17a1d86271601f9904b0

    SHA1

    99fd675e912909af895a917c950e5ecc37b67869

    SHA256

    64e1563ceef99893a1fe4ba93cd38763a68f2db5537545a08061e83af9fe299b

    SHA512

    321e27bb1cb5c020b4979c6dce687fb734cf24a8a6e420850019d087e61ec902dbb97e7ed164c9b7fbd7f8996eaf6c4e0bb65775355e8a7075b239424dd780c6

    Download Submit

  • \??\c:\temp\test.txt
    Filesize

    76B

    MD5

    4b1e3cb8c33b582a74656ec001aaaf7a

    SHA1

    576cfd0d0538ca5ab90183139473895c3b8440ba

    SHA256

    99426e8b0d9b6366436d7db6883c98d6a8c2e5825b13a167a0c7495494182276

    SHA512

    b7899e2236be8702f2852233f37cb98732e2f1ac97b909d0fdce216721d02337b4b3f5045464e2d13ac9c7e2320f56c574f7654aa348e96cba5932d1f7edba4f

    Download Submit

  • memory/3416-103-0x00000000049B0000-0x0000000005980000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/3416-104-0x0000000006100000-0x000000000644E000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3416-111-0x0000000006100000-0x000000000644E000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4828-91-0x0000000002680000-0x0000000002824000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4828-94-0x0000000073630000-0x0000000073724000-memory.dmp

    Filesize

    976KB

    Download

  • memory/4828-95-0x0000000002680000-0x0000000002824000-memory.dmp

    Filesize

    1.6MB

    Download