Analysis
-
max time kernel
87s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:09
General
-
Target
mkreafr.msi
-
Size
4.3MB
-
MD5
4f238c2093606fc296f1f819c2f0fc67
-
SHA1
f8535858fcee6b96e0f49e6156fa110fc0698880
-
SHA256
58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
-
SHA512
c2422db8871d6303b5903c4b11cca3debd62cb25a406655db5a0ba407f33c9fef739371d297e5ccad45efc99e040e6ae29079b4b9325f52d54c5e780f8c346f7
-
SSDEEP
49152:jpUPN9qhCxzT+WKjSXcmNt6+XzP4BYIeBfCXqyfdo1DDDDDDDDDDPuDgO9hTnxA5:jpqCQbm+jg12f3yaiga6yU
Malware Config
Extracted
darkgate
admin888
jenb128hiuedfhajduihfa.com
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
true
-
check_ram
true
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
RZymDRsm
-
minimum_disk
100
-
minimum_ram
7000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Extracted
darkgate
6.1.7
admin888
jenb128hiuedfhajduihfa.com
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
true
-
check_ram
true
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
RZymDRsm
-
minimum_disk
100
-
minimum_ram
7000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 36 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
\??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exec:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\mkreafr.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5F60A5C64E34699380A02F46286E9AB62⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2f8243e1-a9cd-45ae-8d9f-47df1343be81\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-2f8243e1-a9cd-45ae-8d9f-47df1343be81\files\vlc.exe"C:\Users\Admin\AppData\Local\Temp\MW-2f8243e1-a9cd-45ae-8d9f-47df1343be81\files\vlc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\temp\Autoit3.exe"c:\temp\Autoit3.exe" c:\temp\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2f8243e1-a9cd-45ae-8d9f-47df1343be81\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b3ff29da2ea956cbf16afd9723087616
SHA17b060dd4b3756c0a13078ed68ae8c45b49a635e9
SHA2564d0e30cb63741a74d9ba2e0e5404eabd077046564400a480696c53bcac6ba8e3
SHA5126dc8f4c4395def102e9225ba005c302aaecd9be1e894bb9d4eb5ec1b32c8edcc351371bdf84cc03058bca223ee88f98a732d7228de6bce5df1e79a3735893551
-
Filesize
4.0MB
MD5b617d565e52112548d239e32b05eecb4
SHA15e37585718e80f11c44537f21ecd6d1c45f44c6b
SHA25696146d2cb6aa614ffe3aac47f5e0d8a3bcf28bacb3f27bc9a80a18ede73ac607
SHA51223f2b21f4bb19eba68c39bd93964160f55611686546aee904cac925ee058a6f8f6c6e1f113cdeb7c42ca5375d83de1169051c9a001aeb1f48f322dbe5d6bcd7d
-
Filesize
1.5MB
MD53843f0f904fc531b2c528b65ada84dff
SHA17ad3a66bd8be7456ceb7a5976548cdd6c2643d8f
SHA256f3cbababb4ba75f65b4a5ec6d603ef93ed23089aef777b22db710d5bc873a11a
SHA512e099cef3bd5f80f9e861f97e6c7ddace0adddfb26e316c76a4d66cda7942c2e46f6f66ed6ca9a6d06a587645c6a01527f542420e3720d462d6b09d5fe44cbf5c
-
Filesize
1.6MB
MD5775d01ac4a84cf493c27759ae6b55355
SHA1e27078488d12e7ab7feff45fe2b2b7f60d72b0f3
SHA256e894e2781806b306298f85a1af60b1ca38b4695bde30cf6839518e10501b6b5a
SHA512b6168b83deb2c95e88b6eb4e1fbc1bf7f3a3353e6fee9b016f5e25472ed202225aed0338f196fbcd116a480d6708487191afa8be4a21cd5316f90f6167d1c978
-
Filesize
966KB
MD5035860e139ba6db1b38d5346cb6ff5b6
SHA1d515303cbca3a8ae7a0463fecd418d81b314e650
SHA25616197a321fc7b0a2a311e689621fe4a7cd50fdcb2d163973a31e4fd6352232d7
SHA51214dab9108d85af72001631130923b94483dd1440f24a8eedad41756db3030c5e11e80ec894922c389e09c86e8b721bcbd8594bd3646f484560f89963a7e18cc7
-
Filesize
1KB
MD5cbe25c967df99b5a0d07e6ff71d340be
SHA10cf7fa1520f2969cdf67126caac955dc1496d1db
SHA2562a15ec16fcc3d98605c8aecac4f4a19687da30274b668cbc54312bf8fe6e9303
SHA512db009a1fbb2faaf5665fc9fdc54e67ce4505e699c816592c27e60dbf03b06faa1eb900115493597bcf585b64be92bff4c2d347489ad8d2598c54558678477ade
-
Filesize
1KB
MD5a2a690c55abc7a2e103c3f8294c5b407
SHA190aad28ad626929e4f3b65eb1e75053a759a0df5
SHA2562a41a73e128724e7d9fc57fcc3b4321cd7bd1116ac25e244df17111fa1fc413d
SHA5124556814b458f7fc6ace694fbccf02040f51c217dff82739cc79b6f3b8785cb853cd8bef510d6bd5b7f7334d84952ce8b388d0e7f88468e91843cf821c873a9f3
-
Filesize
32B
MD5491e5f893ead962fac9c457530de6a83
SHA17f2a555c82f153825d72f40e004c91fd85c5739c
SHA25657dd6144d3b0dad81c28372f0efb51fea82f1dc5912bdcd151286917efcb95b4
SHA512e9960103165a516445d4deaa2283e52e3332169921d773313ae7c0d4ecd5d1d49b2bec6c2062070aa9f91900f08f6452173febd1b68b560710c1e50802ef970f
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
4B
MD53479cef8a43269551bd5d0bc804264af
SHA12cb65a9528673b2751650f3cbf3e14aff93e5d5d
SHA2566c8d70cbbacadf0d382166b5c0ababc86a779a328a562374e07157a33c401709
SHA5127e6caa0a5d3de4e1850b78a5f48e1b865b703f01194b65e41d82a5fe313fdcc868bd5aaec70f35bce770c93838401a041487ddb44eda5d0149f4f8779886c528
-
Filesize
4B
MD5efeddf2027c217abbcca6bcaac20720b
SHA152c1f33046a11ea8dbe66ea8132c51ecd1b9af37
SHA2565a37c046d78ec49c43c88c4d00387a2013497a1bc4e3ecab1d876683b746ef23
SHA51266588aa1265d2077936d150d275954ab96d73362be5a158cafe75fcd5b5b1ee99c1dd50b731c5985b4e631a99a441315295bf1ef209ffef7eae677b1d3355084
-
Filesize
23.7MB
MD5505964c25b91f3178be959584c3d3b5f
SHA18aa0063790a168bc61fc4b585d4be31db64f21e8
SHA25670978ddca87318cb3b6f5ee1b094b1b02b90c990d172c2e65adb7ea40647fe40
SHA512822dd7ada05902ae59fd0817671c50940f70fa938c0006487fa617fc9e205a137bae8afcc45079e5b5e70dee42f418933fc3c1b1048058ed1b17e28ad53b73d1
-
Filesize
6KB
MD512a728e2fe4a4d09a75f87ca64e6d24a
SHA196e041fd6be8dd8e708e094a635f50785e9e3c2f
SHA2565f9aa32a92ffb64a47f81a46093fc03203f6a9c759c10af03213a8603c2cb3b3
SHA51209f70d217d6f9ca37b67541b250fcce2c768fb2833ed4d35f48e2eafe489fe16726cbdd6203a6691b809fd1c955f37572289e85b8414d2419f09c1e9cb48e247
-
Filesize
466KB
MD5caf6d14ee91108f878d6108071d72b7a
SHA16166b2db78c93bdb24dc693b18a8bc6f1cd96fe6
SHA2563182937fdba31b1fe9f18f78e0901fe8d3bac7ed72b87f8409dcd19e2e1f4184
SHA51274b46ffd50acf54055e05ac12b8167b8f4976de345f478b648f71c05cf8f1f9cb584cdc2711d605aaea05c1f0fb643028ef8524e0f9144b0ab2975792c9681c9
-
Filesize
76B
MD5eb493e70c279b059272d93eb86156a25
SHA1cc6d75663d2647ce59741958b9334d9319dc1e40
SHA256c5c350d106264a59acb4049244933261da379b6fc5577b519cfc113c83fb1e31
SHA512c4617f8d45d00bf3fbe6a1ab4b25052e2012e2f2783022528d625618956814ab6497a82800f14592eda1886903d88a075ffeff29d72bec8c4817927b9dcac514
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
992KB
-
Filesize
1.6MB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
15.8MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB