Overview

overview

10

Static

static

1

build-x64.msi

windows7-x64

10

build-x64.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 10:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build-x64.msi

  • Size

    5.8MB

  • MD5

    2999391319cda1be5dacfaf5b05062b2

  • SHA1

    c983b7dff2ea4c63f3944e639eb54d0e6b0b655f

  • SHA256

    3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

  • SHA512

    1b9a7e5211979f37097c28122cbe99b5ec81ca3caa07944ddaba1afb2515ef3545f92bce35efa87914221016867f88b9b64c7a6a07e8e3f0cb556182047c7f27

  • SSDEEP

    49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q

Score
10/10
darkgateadmin888discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    WeBiMyRU

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2740
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ADE117B1F327745285B27669D012DE3C
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2768
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2456
      • C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2756
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\files"
        3⤵
          PID:636
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:1040
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "00000000000003A8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1976

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      1KB

      MD5

      e94fb54871208c00df70f708ac47085b

      SHA1

      4efc31460c619ecae59c1bce2c008036d94c84b8

      SHA256

      7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

      SHA512

      2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      4fe1b82bbaedda2df1d5f6963d77f630

      SHA1

      245ee35debbe7e2e97c25db99c784d8571ab8f6f

      SHA256

      fae9f06bb58b58c40e03957ed231757651d6b94470ea3004e02a74cd3e9c8085

      SHA512

      be16ca41ed828438e50c0ccdb789a73144be4e526dee8a6f59d7e7b52c2f4e0564b0aa02c94cc042702efb0e92580e6dc315da836c1fea01ddca5f007fcf677f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      264B

      MD5

      0405a863cf6e8a87de3b2f6df9f6601f

      SHA1

      9056a0b8d7b0ea85e3c41bae98d5d7506287a0c4

      SHA256

      77d0ed879fe69b29bd7dc187d1928a4f1cb62115def7e90a8120ab6e50819625

      SHA512

      609c03a147a4f582caaacb4e78bfdbd1bb49bb72d1afff88673630d3bdc229479ddb469ed5ee557f94f7b6e938884fde9d474c81964b143134f96db52f12b43c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab167F.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\files.cab
      Filesize

      5.6MB

      MD5

      d339565d7c5224c45092b3aaeeb3797f

      SHA1

      c85565693714583e57fb9addb64368cc87288efa

      SHA256

      359e387871378831eb1293f41b54436abc6357733d1a573f0caff90ab1cbf07d

      SHA512

      14b3cb62aa99f53a8205783297285b38268306d4876ebdc65ab42d2c7c5613dc4b7010d3f25f2ad60747e136ff5939dca8f6a986f7161f27c0d791f4e874062b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\files\CoreFoundation.dll
      Filesize

      3.6MB

      MD5

      b4677a50c291d7c5a7f9f1b80f39a37f

      SHA1

      76d183107f9a8f89f09e25149e6e3de777b25d5a

      SHA256

      c2d43d768cebcf63e8d0c3ae8ffd2cd5070e4ac656a132b63d5e7372cef69c62

      SHA512

      bb2a3bb016cca60bd5f8a33773752e8f88bae764a6497eaaccf563da8607805b5723b30135c001f2fbc20c628e75c099410d9fd09b375c3d2901b6e7f70ba356

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\files\sqlite3.dll
      Filesize

      1.6MB

      MD5

      ce6e163809f5e817ef0c259672f7a1cd

      SHA1

      123e2f032b2fc45d6d9fe482756243ed61137476

      SHA256

      28ead67d2352ddd11f963e8b23930905ecbaff371162dfdae5ed096f62eb3d79

      SHA512

      07766db4cf023bf059415a58a9e1384acb39260ba71587b4eadb99f84d307c0ab70f76390894ab786a6461a0c809f8e9fe435f7bf9b334a369a178c54b295229

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\msiwrapper.ini
      Filesize

      396B

      MD5

      6ac974003a70944e6be33361d9651947

      SHA1

      c23d18be774123513c2fca46a6cc81e20dbd9456

      SHA256

      fa683474451dceebccf4c1e2d6704ccf5ee12a580ecabd67d257728fd4184b91

      SHA512

      d958f3ae3529457fe6b43e703aa763049b3955248a8126e0329c9659489b989eebf2a1b7ccc7e673234ccfa63734ddb8e66cc51f872776543d6a450c82c4f943

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\msiwrapper.ini
      Filesize

      1KB

      MD5

      36e0337e1cb9eafc7c404f073c979d84

      SHA1

      ebd5577bc18fc0bb2f009727cfc04efefafe1c0c

      SHA256

      1b5d407f3ffb07355488d298f28326d9714f736ac8cfc85ec9f9fe8f745c1b0c

      SHA512

      8aa75026c8cc6cd0beea4ef6ba1304f9835fb7001bc5a8fd01140a227ec755ea6644fda604d4549c257d9e01fe13b881d1804d3aeaac84166574891826e438fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar1682.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar186E.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit

    • C:\Windows\Installer\MSI3BC7.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit

    • C:\temp\Autoit3.exe
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • \??\c:\temp\script.a3x
      Filesize

      474KB

      MD5

      6354b28ac4bc8fa465d80c3ea3893116

      SHA1

      0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d

      SHA256

      9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7

      SHA512

      6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

      Download Submit

    • \??\c:\temp\test.txt
      Filesize

      76B

      MD5

      45306f5622da212035662680f1c09e0e

      SHA1

      a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

      SHA256

      2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

      SHA512

      99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-ee10bded-36f4-4e1d-ae8d-1a7032bc5c42\files\iTunesHelper.exe
      Filesize

      358KB

      MD5

      ed6a1c72a75dee15a6fa75873cd64975

      SHA1

      67a15ca72e3156f8be6c46391e184087e47f4a0d

      SHA256

      0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

      SHA512

      256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

      Download Submit

    • memory/2756-348-0x00000000023F0000-0x0000000002590000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2756-357-0x00000000023F0000-0x0000000002590000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2756-355-0x0000000074460000-0x0000000074808000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/2788-363-0x0000000003740000-0x0000000004710000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/2788-364-0x0000000004BC0000-0x0000000004F1B000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2788-367-0x0000000004BC0000-0x0000000004F1B000-memory.dmp

      Filesize

      3.4MB

      Download