Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

freackinghydt.msi

windows7-x64

10

freackinghydt.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/02/2024, 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    freackinghydt.msi

  • Size

    7.4MB

  • MD5

    e710dec0c27155f0025e97e4d0f08e20

  • SHA1

    d6e84785163375e534ef0eec57b49a0379a58191

  • SHA256

    d6d80231325c39b421d06eb3224ed54d958c1d643d961048176f2a93eecbb524

  • SHA512

    270ff05e36284effc04fb9ce3a446e6f5f1dc41413618b7280364acb6a62e8412120234bafff1bd911c23c9694a5f5c4f4a00f1888da79b2fb641a2102fa9b11

  • SSDEEP

    98304:mpp39PdVoYFhybZg4MqrdvwxLm6few5F0Qz5:SPdVoYFhaq4Mqrdvwxy0P5V

Score
10/10
darkgatediscoverystealer

Malware Config

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\freackinghydt.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1120
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D3ED20C2A252B5816C882D74F1495D18
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:4248
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:1920
      • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files\NVIDIA Share.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files\NVIDIA Share.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4528
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.au3
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          PID:3088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files"
        3⤵
          PID:2064
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:3916
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4352

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files.cab
      Filesize

      3.9MB

      MD5

      03f51b019e314f7c201488d5792a49b7

      SHA1

      6238170dbd18db8647da70e594e0089059349c35

      SHA256

      7bfebd411d108a9bb6ddaa7e9d49b1ff1ad9135b0ca17c1025c4cb33e57499e4

      SHA512

      89019c19920167529a7e10bea8d58e35829bac133a8013ef208ab09ec8ff6ae05b15c79049d380d044e9971783a40f66a2fc6c9098b48d79200976d888ff33aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files\CHROME~1.DLL
      Filesize

      798KB

      MD5

      1dc385972231a936352505a9e651055f

      SHA1

      d5742907e488ec04daec5042173e4090fe67925d

      SHA256

      37647fd7d25efcaea277cc0a5df5bcf502d32312d16809d4fd2b86eebcfe1a5b

      SHA512

      664b666b52f9c7e2e0f44c85ef4c22b302f89f1346a8209bfe84956829c952c956fb05064f29fd2eff38456ce55ac5a5422bb302f8d9b9e1f0442a28164307d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files\NVIDIA Share.exe
      Filesize

      2.6MB

      MD5

      d17014721410d6627fc8a7e8e43b45d4

      SHA1

      c01cf25fe651fd3bd3c56655b6c893f4bfc04950

      SHA256

      0e3f5fda71b47655155cb8281cdf7d67af58df7cae35af936ae6fb2e345fdbe4

      SHA512

      93830e8cde5bb11d708871408c2c90e76c90c27da5c8a406c512500cf2b288c20bab11862ecb199df8f7d9b8a03a0c1ecf94cc703596d1ab24ecd16d301ad474

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files\NVIDIA Share.exe
      Filesize

      1.6MB

      MD5

      4ec90a348e7d83d279a9942f63cc6abd

      SHA1

      fc311259c5d4f0859fb426dd09bd91b56f094fcf

      SHA256

      2cfcd3a6fb615f437bfd13a986454ba3140149d550fe50665751012d437e50dd

      SHA512

      8c71aaaa289a1f3a0fa0421062f5886587947fb658adcafcb07db7a08753ff31d6375c5e49659a12a45897d6591e912ac8f0b62b594453a8721280f4f176dc72

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files\libcef.dll
      Filesize

      1.5MB

      MD5

      d039256ab8a19cafd9a627658db065c2

      SHA1

      1816991322461460525214c567d690e936015853

      SHA256

      2233322d30d35f1fb4205dd15e4af94ac8e12afc4669ae708eb232d28b3a4ba4

      SHA512

      7b038125a4d7d1364c9dd08eb9050e4b61f507b62565fa2098835101904b296a043c14e634e6e9f5a17a7ab399b8476e3c4dedbcdbcd8ff0a83066b91ae622a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\files\sqlite3.dll
      Filesize

      1.6MB

      MD5

      4fbf52607a167240f6ca60ec81094eb0

      SHA1

      c890f722aab965c83eafcd0531fe98ad5df1046a

      SHA256

      1d3770844573dcecaf0ecfafa5841e0a9d8c94a65e8b7faf3167cd4aef38d8ec

      SHA512

      84dbc3a483d3babe53f5e5121702e90601246fb65dfc0848712dc91b0974b229753a0bcf1b16980ff7180b6f1534522a3e75b7312b939c7f7d0e2ef67d23af58

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\msiwrapper.ini
      Filesize

      448B

      MD5

      5fec4b0be9623fa836f4c3d87fc171c9

      SHA1

      3f38015bbd0fa3f9fa1c00c6dfb48b7dd7d2b04a

      SHA256

      f24856dbe5ea68b44c9203118b77840a1dbcb2664b96b471c3b3ef189f3ac4cb

      SHA512

      0ec26c83ddeb3876e927c4d5cb728161ad26a63bc61509b8738add2159936abe30988555533f8cae9e2d03e4a1d570949bd6830b234384320d1cf53fd6c9a282

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\msiwrapper.ini
      Filesize

      1KB

      MD5

      8029a38c01d97e02c765e82cd06c9c05

      SHA1

      5736fa8e91299847ee898580cb46fd06f951f670

      SHA256

      00c1bd3c37c6abc4f478385f979d83090f835e231e2cc7f86b073e125761bf26

      SHA512

      168999e84d6d3c5fb9be7bac552322205840a3b80a5fe5f9dde2aea7a8c877a95b8deb7ff414440c30bf5c354baea3c8e52f148fc1f35a5104a6b157e6e548c0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-40194eaf-8fad-4f14-8c44-6474381b9cf2\msiwrapper.ini
      Filesize

      1KB

      MD5

      210c6ff9a43e847accb171d25d9c0c81

      SHA1

      49d6b846a29b667189168de48a65b8048923cd3a

      SHA256

      f6e0ded7ef7d15b1e0f568c043760e27ef9083a8920c32319bf831c097efaf5f

      SHA512

      a8b02ac6d7629237651077b803aec7abce796946cbb1b1c8ec57ec6e8dc68cbe8c5ccb65db058806cb5ef13fc4ebf8f2895f2a3e529966bc4496b8f623171775

      Download Submit

    • C:\Windows\Installer\MSI6B2.tmp
      Filesize

      208KB

      MD5

      d82b3fb861129c5d71f0cd2874f97216

      SHA1

      f3fe341d79224126e950d2691d574d147102b18d

      SHA256

      107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

      SHA512

      244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

      Download Submit

    • C:\temp\Autoit3.exe
      Filesize

      760KB

      MD5

      5a9871b35a1e12961c0e591ce047f37f

      SHA1

      fef05eb123999898ce2e80ea65f8f729cc6b7394

      SHA256

      464b2008aee1513913168b347a5ba9cc8577e2ff3e513e4cbab71299b1c86fff

      SHA512

      39ae2c4d725e557ee7a8ff3ac609980f8dca4c69d6cd59efc6bf6c902fbd5dc473f94392d4a8d943d6c871e0e6a1ad7eba46400e803930cdc115330191338387

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      13.5MB

      MD5

      eab140c46344f3742287e301407bd191

      SHA1

      3c56e48287904f48b3d47bab5d4bc4ea9421215f

      SHA256

      c1034623626ab80c5a5f29f3a7e5ae8fb6ca098aded8b9344b0cf1c95a7e9ffa

      SHA512

      c8d81b64a95db4682a670cc3013919067376eecbfa9cb69dfddd9202ee9536cf413a723f6e81b07ac7790d6c6d2c41d9c463c7dae4a36a1f4171d6bf3eb30a49

      Download Submit

    • \??\Volume{d253324a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7390a8c6-a313-436f-9252-5071b2134e21}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      0ee11cf713f555dbc3b964cfb61bfeaf

      SHA1

      ec85f7a8e623b919e01b7177c25f5266d1d7e785

      SHA256

      b466108fcad2dfb674b321199662b1339fb0fee039d019b9918549b908ee6e80

      SHA512

      68301838c1f9f7976a36ddbc970ca8cc6f0604dead1fc8b996570260bb5cabf283f7cc7230afe1fe72ffaa1ea1184b11eff3b048f38d3b6ca5177db039c56988

      Download Submit

    • \??\c:\temp\Autoit3.exe
      Filesize

      795KB

      MD5

      e0fab39c371fbdbb4911f69845f5ec2b

      SHA1

      ee282fc8069501f7681cb071e968aa4763765a26

      SHA256

      ff12863a87e74332ee8c0444174f618367a63f1b322f35530f51b9111cc5a0b7

      SHA512

      357efd7022e2d88115b26f10905e0b802420e717f7f9475e9915a35a21bafe6ee9bc9cfc90ce0eb008e0975f2fdfed9a178d1e256f462d17ea4a6133ccd34ff8

      Download Submit

    • \??\c:\temp\script.au3
      Filesize

      562KB

      MD5

      f2234dc24c830b81149a94d2c5d54e88

      SHA1

      7cb784db3bb2703a64e25c0863cb91ac25c92f32

      SHA256

      95b45cd112424a61de0680230d4affd0102cef13a49f6aecbc819425f4827756

      SHA512

      0b1e79a1f647a7680beebf3ed2ab8821167ff02519cb28a71529326d484f5f68b26a20f23323d2005844f9ef70e920b0728426730d799a5adad37c46236de212

      Download Submit

    • \??\c:\temp\test.txt
      Filesize

      76B

      MD5

      8dfd483cc870677e05511543cf1ccda0

      SHA1

      6b9cda15c54549c85603a3fec6e571dc965623c7

      SHA256

      8310f9b7636e8e7272229888a5e36e5e51a1e601968a6aee76d42abe2f60daa9

      SHA512

      fa459969d08b7e3d4a348c41d8b0edfba19b322171bfe4457bdfd5cf1b205da6b38b6ba3f1f59a8060a952e8f95fb4d3a8a5a443dbac3e6a6e9a5f544d6480da

      Download Submit

    • memory/3088-90-0x0000000004630000-0x0000000005600000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/3088-91-0x0000000005CB0000-0x0000000005FFE000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3088-94-0x0000000005CB0000-0x0000000005FFE000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4528-93-0x0000000076900000-0x0000000076A8C000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4528-95-0x0000024B95490000-0x0000024B95646000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4528-81-0x0000024B95490000-0x0000024B95646000-memory.dmp

      Filesize

      1.7MB

      Download