Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

693ff5db0a...7a.msi

windows7-x64

10

693ff5db0a...7a.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi

  • Size

    5.8MB

  • MD5

    9c02a9298b97fcfc5a75fbedf08002bd

  • SHA1

    2d3bc2856c015914f2856331a0315298f3c34b0c

  • SHA256

    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a

  • SHA512

    fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc

  • SSDEEP

    49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC

Score
10/10
darkgatediscoverystealer

Malware Config

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1720
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C785C0D0B286769612B7811B5E17B6F5
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:2504
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:2052
      • C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2868
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files"
        3⤵
          PID:1768
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:2852
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "00000000000005C8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.a3x
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:2968

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      1KB

      MD5

      e94fb54871208c00df70f708ac47085b

      SHA1

      4efc31460c619ecae59c1bce2c008036d94c84b8

      SHA256

      7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

      SHA512

      2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a288c65c55d7c9520e7e7d8b07142df1

      SHA1

      517a0cbf65defdcb8e1e330302596d4db3f85c10

      SHA256

      e07a6dc6991279f2a312179a222465f56a4af927503aec15d38c6f0bb1dc1326

      SHA512

      8aca8f3a3c587a569cd5e9863572e5d30e8a8af122436259dcad2e5ce80d32a5d402822e384cbe0c8b53e395ee515d294053cb74795eeb5f0587a4c07b4f6f1d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
      Filesize

      264B

      MD5

      4a9e33a982722f9d469f459481bdf6b0

      SHA1

      010fc25243b8edcf1cdd5098639428c052df6300

      SHA256

      d045b50b31fa90af4e0f92671780ecdb6e02bf1be1f357cbc0fd2ae875413fc2

      SHA512

      cd09bac8e19242d8e00ea4c5625f94f0981b89538eda4160b979c4c434919f9a69c72f2794ced320c50e1bb7a1fb265e732c1e9b6b523a51047b11bf69426b4b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabA565.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files.cab
      Filesize

      80KB

      MD5

      f6966bb33975847a9bb174cc2d881a96

      SHA1

      4b5e5b5a0628005e295fb156565af91878615d01

      SHA256

      6b7cbf6332aec00adedce0d29bff7d1c2f575e91d370cf6a57ac7dde1ce04376

      SHA512

      a7b58dffbf35e80fcfcc073bce17abf04b0f51f48ca3a3f45a37cbcbad1064ce9192abe1601dcbc4cb456d38eca352839a363451455ce7c662a3caa96f51aef2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\CoreFoundation.dll
      Filesize

      173KB

      MD5

      3e5bd32ecaf03684b3b9637b0a18a995

      SHA1

      60a2a2f92b900ad780d01e78d18250475f7ae8f3

      SHA256

      1c74b49a5aa4b727e872c2b491f247e86cfc4684d535be796248d307871815bd

      SHA512

      ce03ed18d0b2c67035f9d1ce41161da18add34df3c82147b393a4f2387a49a8f0e82a424b6cee61af0f63a8033928ef80e27c679af10a796d95f5f3d682f4bb5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\iTunesHelper.exe
      Filesize

      134KB

      MD5

      04feb97dc5cbed4fc9be6a4be32e9896

      SHA1

      899a06ef8c5a74dcf732b7b5cf7440561ca287ec

      SHA256

      5254b1e9f8af4b601e6144217781e280999393bde19a25609fa0acb5a10cb9cd

      SHA512

      29dde5dcca4d28a8e722995e572390611986a193c3daa8c175a542e0ecfbe223ae1029c6ae5d7ab2670909fc57e6822b5210d50afbd58b688327b6da1aa81cf1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\iTunesHelper.exe
      Filesize

      214KB

      MD5

      37dd105e47ba1b21c339dbc9529bfe88

      SHA1

      d86852350c4e8865825e5fff4d327db44901d27b

      SHA256

      1f484fbf6da10cbe2fb7ff119ed612ffea5e0a52c6ff8a7d7fe587032caa44b1

      SHA512

      ae325c26c2f07b69d653366a1c05a6386cb0c469aab9c155c611dffcb0ce5e9c3b658d8dc95b957294145b06a340b7881afbb3d325fd524b9f63e41064dfb3eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\sqlite3.dll
      Filesize

      54KB

      MD5

      6b7a0d9a712e1d16d61d3db4569385ab

      SHA1

      4f553129bf92d57608d62587d70f18168e269679

      SHA256

      569c0a64e55bf33a1abbfe620a964fbae2cb89aa3b49b8f96f150b03329d0aa6

      SHA512

      a022cbdace39b0e59ab8174f885a79be11291e85bf2f4636c9275809c931ba3644b9460df87f06d4ce34218c73411d17fd417b9aadb751c3c006bb24da2fda5e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\msiwrapper.ini
      Filesize

      1KB

      MD5

      480ad5a93746ecc7034f846b13a446ba

      SHA1

      0b4077f13069ed08d287093b34096a1e83414feb

      SHA256

      9a54fe03b0ac18e101a782d09adef604b537ed4e544aa4b63852608f5eea19ec

      SHA512

      feb92d8a0bfa03c5f23a1c217f045bce2a324aefb4de865e85fdfee6783167670eb546725e442c33fc2cbe2d39b7707b236951b6be881f82a93f32fa221f5efd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarA588.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Windows\Installer\MSIFB20.tmp
      Filesize

      136KB

      MD5

      dd7d0540ad3ed9efec7f9ab43cfafad9

      SHA1

      ca90fe2116cc20288ccc22542a6c87cad9020fc0

      SHA256

      2456de7052aa12b04f2b25e6bc95d354bfab630eb6492335534528d71d4268da

      SHA512

      3045c213206ee74b1cb27bcf48ac42ac187420e6dd197f4ef289dbb8193aec986181f3a797a625bc075fc518503bb2f5dbf35804f47cad8d8f41c9efb7611d89

      Download Submit

    • C:\temp\Autoit3.exe
      Filesize

      73KB

      MD5

      47440eb812e05a65170dae3c32cd8c25

      SHA1

      b126cc79c7f2cd092a68351b943293602250f274

      SHA256

      31c0a048a41d4615f916ffab45793493dcbe532248bf8ac729b9d3a34afd0497

      SHA512

      3accb5b16ff5180ef754f11bd9e1701bf55be45c9cd40e8aa0906ee1aa78d017d18c1f34d65def030f308a11a0c6ef4a77ff361e2348602b827cd4a15749ae70

      Download Submit

    • \??\c:\temp\script.a3x
      Filesize

      186KB

      MD5

      79c2e01bd54d0e24bfa27d8c1396382f

      SHA1

      65f93cee4155087c435d51f3dc9670a5d0efc6b4

      SHA256

      267fff0689b573f13235294ad23724f15cddac6ff5d0f52198c4b97f78279b80

      SHA512

      e8ac88c25eb54c0968943a49ee4fc3613b14e0a133d4bfe43554df339e6854523aa2427a6070640ba85cfa83ee34f91695af107e881b78e5e989421b69eb8d3c

      Download Submit

    • \??\c:\temp\test.txt
      Filesize

      76B

      MD5

      e0cb113b19ce53ef7b72edbb0a4937dc

      SHA1

      2499a76ad9ec4a44571bfd8083e09b23373f9f69

      SHA256

      03bed76f17b8574d05e84b81f81c09a33b1ae1555c2caf4783e059b689879ab6

      SHA512

      0b046a6d16d22c0faa3eb729d9b74bfbc87f3cc847fd5ddfa89e573893d215841bae320f0697090b9a30778a07210929ac9c440fca884e920b369698d90a17ca

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\CoreFoundation.dll
      Filesize

      106KB

      MD5

      39780828555fd76612abcda75503ffd6

      SHA1

      7ec496765d89a84a2e82737dbe4190c2fca6e348

      SHA256

      510ff7b2aed21df59959b0441527a90b7659db948652eb2132c069794eed2b9d

      SHA512

      7fba22abf20407887520532cf1d097da4b91e5a03755caae0d472385daea432e71fb311e68b52fd86286c55c5d9cc2cf5bef9a8994cee6ef51e3621d112aae82

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MW-6c0cb91d-bb87-4ef2-ad21-a1e75f0d2f39\files\iTunesHelper.exe
      Filesize

      192KB

      MD5

      65740f9db4bd64669cfada2d677ee4ab

      SHA1

      64d88c8fcee6e2d133ca79f65f4857514710c326

      SHA256

      ef7c2b4def66d0e653aaaaf088bb69fc8a37eacda3bc54d8ca0c83d2a7841399

      SHA512

      fab318afcdc696d0998786f98af4038164757f60dc261f008875f757f48401f1795c7328e2be759c57d4342fb6c47fc5214a98ba66d3c8bd9c1674918df3954d

      Download Submit

    • \Windows\Installer\MSIFB20.tmp
      Filesize

      70KB

      MD5

      d8dd1b9adde9a8e0c848eae496b85594

      SHA1

      90388d3d5268c4e6a801ec1cfac2a7816bb40390

      SHA256

      55dfe7286e351321402cda88c1d76cf1a11f4cd3276f4a5387d08b7aa7b5bc0b

      SHA512

      b5977c7b0fbe8f5d32676f4c327d4c9d8e79add9711088759446f1762d33524e9c15445046104d7a3874fb7fcfc0a020746f5e7117e83e29086278a1642183e8

      Download Submit

    • memory/2868-345-0x00000000022D0000-0x0000000002470000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2868-343-0x00000000742A0000-0x0000000074648000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/2868-336-0x00000000022D0000-0x0000000002470000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2968-350-0x0000000003690000-0x0000000004660000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/2968-351-0x0000000004B10000-0x0000000004E6C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2968-355-0x0000000004B10000-0x0000000004E6C000-memory.dmp

      Filesize

      3.4MB

      Download