Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
132s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system -
submitted
01/12/2023, 06:28
Static task
static1
General
-
Target
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll
-
Size
2.7MB
-
MD5
6376c4e1fa2dcb1c73f178b675ea5840
-
SHA1
c46e52b896bf3b53a6878d2b2386a9dc40377f19
-
SHA256
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
-
SHA512
d967d2e60b743bd57489c9edd0cf9d820d0ea749402be2dcb7b2e14a82828aa4c981b9fa32470d9f5fb208152e673eb3b9daf0485c53680548f5ea2619537494
-
SSDEEP
24576:dHZrhn7olvHbxA7qQCzt/s7ry5SnCo44Bg85mwFXyEOdT1ZAIe9ae/K4wMIQb6Vo:dpqt7sU9s7r/HvCKPP
Malware Config
Extracted
darkgate
A11111
http://trans1ategooglecom.com
http://saintelzearlava.com
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
XiOwgXyDLNDEpj
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
A11111
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 212 created 4088 212 Autoit3.exe 56 PID 212 created 3604 212 Autoit3.exe 54 PID 212 created 3888 212 Autoit3.exe 57 PID 212 created 3068 212 Autoit3.exe 50 PID 212 created 3596 212 Autoit3.exe 63 -
Executes dropped EXE 1 IoCs
pid Process 212 Autoit3.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe 212 Autoit3.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2120 wrote to memory of 1240 2120 rundll32.exe 71 PID 2120 wrote to memory of 1240 2120 rundll32.exe 71 PID 2120 wrote to memory of 1240 2120 rundll32.exe 71 PID 1240 wrote to memory of 212 1240 rundll32.exe 72 PID 1240 wrote to memory of 212 1240 rundll32.exe 72 PID 1240 wrote to memory of 212 1240 rundll32.exe 72
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:3068
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵PID:3604
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4088
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3888
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵PID:3596
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\tmpp\Autoit3.exec:\tmpp\Autoit3.exe c:\tmpp\test.au33⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:212
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
492KB
MD5dbd1ca08a1b009d1abab3def6ffa967b
SHA1f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA2561744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA5126b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb