Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
24/10/2023, 19:33
General
-
Target
NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi
-
Size
9.2MB
-
MD5
69f900118f985990f488121cd1cf5e2b
-
SHA1
33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
-
SHA256
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
-
SHA512
09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
-
SSDEEP
196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO
Malware Config
Extracted
darkgate
civilian1337
http://185.130.227.202
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
2351
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
VPsTDMdPtonzYs
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
civilian1337
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs
-
Blocklisted process makes network request 54 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 44293BD0E0D4E6A687D384872B7A0E572⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\files\windbg.exe"C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\files\windbg.exe"3⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tmpa\Autoit3.exec:\tmpa\Autoit3.exe c:\tmpa\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.15⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-105a1538-aacb-4591-b345-6e29d0dbf352\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
170B
MD516c583dd4cef16479e98b8cfd61e9224
SHA140148d4ee1b587f694559e45b32e5dbf4a724269
SHA256cfdf1246e153daebe22d2cf41bc43d840593f09a4ebf9d8ae39122b95f21ab3f
SHA512f3e74d260fc06a051b883f03e064b1be1045238477696630e8eff1830841eb426ca110a6504a68cfd4fd00307feef9ffb1c9bd80c2b52ee8cc3f3489bedbba28
-
Filesize
8.9MB
MD53a4de3260c72e38f814cc2a7b2d42df7
SHA119458fb6838dd9d8be113b0b9983c7d77c12eb25
SHA256411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7
SHA5123493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e
-
Filesize
370B
MD59f464b04d5e081a34a1e57803e7ae9c2
SHA1d2484f8fd6101b62512ea48f68dfbb3953f17b7b
SHA25691c32b0868aac1df0c922b736fb570ebddf50020e8dab8de57f557795037a259
SHA512fa4139b6e7a1bd54a7865d9271a895def695d9306283b72631a61a9d72bf8088236399c012efeec43147dd7bfc8bb43dd836c78e49b73d5fc98d4b75c8bc705c
-
Filesize
1KB
MD5e74be5141a6064fffff3e623266884d1
SHA10388cb3e6e5d5a6bb093c476ddaf19eb1c473212
SHA256de2ffcb1f54ca5dafce9793a44877b21fdf3e6319264e5d9baafa9f872234dc6
SHA5122f77f40845b5d3e7b21144c3e0c260944a538040377091035ff19b0e5a7c3676ecb8f48cac5af77ad7e8df6e1da00031d3997b28bbc05b802f05d9d90cb62ffd
-
Filesize
1KB
MD5e74be5141a6064fffff3e623266884d1
SHA10388cb3e6e5d5a6bb093c476ddaf19eb1c473212
SHA256de2ffcb1f54ca5dafce9793a44877b21fdf3e6319264e5d9baafa9f872234dc6
SHA5122f77f40845b5d3e7b21144c3e0c260944a538040377091035ff19b0e5a7c3676ecb8f48cac5af77ad7e8df6e1da00031d3997b28bbc05b802f05d9d90cb62ffd
-
Filesize
1KB
MD553d0db59ee04582ea0d182fbcea3fc72
SHA1ee88870dbaa235be262651d6a9301d34c6a8db49
SHA256cfc3a04571af7f5e1f206aacb41920ec96d18d32f044c836fbdc3df35022cf3a
SHA512edb2b9f7839e43af1e6554a0d160a40441a90670ebd2f4542ab4942c2b3ffb560ef5c4d2b73a8bd2e76d063d34abeb8356fd30487f49ea401fd363893968aa18
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
23.0MB
MD525b5063e7ec0279cab22192b0234a951
SHA188f2bebe8faaad15abe02b84020fd58eea3919d2
SHA2563b4d6a2c534a7be0abadf7cfbcc6f44e1f9f9ef3649b0270b5e618cd722a9da6
SHA512a539541120748d1cede7d4306ddfaf3ca05f98633bea2582079a894cf42feed097c4d6fca60a2ac91ee7bef4968da42bb340771b69c1109509d3fbe0dbe31b23
-
Filesize
5KB
MD5c0ef3df088998868f3a1b914379dbfa2
SHA1bc9a7ddc1568e333b1cfe897fce4422d6f0bded6
SHA256553925d4623215986d9b1b4c38f699d69930ce3cf8c4455f224faa94419f468a
SHA512fe5c22c4abe2e2dd5c5f49526614cadf2ea9c59c398604cb790b1ee44d6bf1c8c8e825c9e91f60fa1eb2eb40fd4f7907a2b2258b075f086ecad9323c47acb3ff
-
Filesize
490KB
MD5e6c14274f52c3de09b65c182807d6fe9
SHA15bd19f63092e62a0071af3bf031bea6fc8071cc8
SHA2565fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9
SHA5127aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
490KB
MD5e6c14274f52c3de09b65c182807d6fe9
SHA15bd19f63092e62a0071af3bf031bea6fc8071cc8
SHA2565fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9
SHA5127aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e
-
Filesize
1024KB
-
Filesize
564KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
4.0MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
4.0MB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB