Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231129-en -
submitted
13/02/2024, 03:00
General
-
Target
693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi
-
Size
5.8MB
-
MD5
9c02a9298b97fcfc5a75fbedf08002bd
-
SHA1
2d3bc2856c015914f2856331a0315298f3c34b0c
-
SHA256
693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a
-
SHA512
fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc
-
SSDEEP
49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC
Malware Config
Extracted
darkgate
admin888
prodomainnameeforappru.com
-
anti_analysis
true
-
anti_debug
false
-
anti_vm
true
-
c2_port
443
-
check_disk
true
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
VzXLKSZE
-
minimum_disk
50
-
minimum_ram
7000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Darkgate family
-
Detect DarkGate stealer 3 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 57D0FCB1BBE9BA0E03461771F48CE9322⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files\iTunesHelper.exe"C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files\iTunesHelper.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\temp\Autoit3.exe"c:\temp\Autoit3.exe" c:\temp\script.a3x4⤵
- Command and Scripting Interpreter: AutoIT
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "0000000000000554"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
1KB
MD5e94fb54871208c00df70f708ac47085b
SHA14efc31460c619ecae59c1bce2c008036d94c84b8
SHA2567b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86
SHA5122e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
344B
MD594e6c35c03bd1698f55a00b30539de03
SHA1f3b67740c5d7d8f797540927f791964fe7b87102
SHA256d7ad0905c6c3f512b3533ad024186f363e2797ece808ed05b7108d8bae533659
SHA5125a9b23318e3a14dd004ecaa4fb80aa88c8e94eefc4e257e9743495179192a29cb736371eb9cd5e11fb092bef27d48c60aead06836ec2e4ec8c7436234a5e1136
-
Filesize
264B
MD5a714385dde4a8c9956693f1240b5cd93
SHA10201e72a3f95ee45885a444b3847516cb8eebb29
SHA2564c30757b95f8e51da088cb6e3ed9ae8ed847a780113d0602302c3c7fef0de7ab
SHA512b0719e25a2ef5c990839af21bcbc8b22db93af99fb177822dbb008129b41de39773886c251d72d5c69343f976e8898325d6f6e1a3032ca50c40428882ed97482
-
Filesize
242B
MD58eace49fb447abf27a0c1ebed6303f99
SHA187d0cccb5f0a7b6a4f24aea4a2e879e6a0533015
SHA256e0cead6d7496469a5cef1e2794771ce216d747b8a8c765ca902ad4b03be0fa6b
SHA51238f8fa987379d8371514e6acac3548c28197369e764c2258a79e823ba8033efbec19c07bcfc8e8b8a9913020bf35f10ddb8b40eb8002788c77527c648ccf8697
-
Filesize
5.6MB
MD5a6f0fa38c1ef89290ee787f7577993ad
SHA11b03510e8c5a1a3c976086327ebab3c8acc19550
SHA256599ab65935afd40c3bc7f1734cbb8f3c8c7b4b16333b994472f34585ebebe882
SHA5129040548c6937e93168e57c1b3d18c20d21702d9632096191bab84929f18de0bce4cc31bb0f178b9d34f9259e6176bc4a8d5b86fe21ceec0b5a24ea2809acc68c
-
Filesize
3.6MB
MD53b81ffed1e2d61f739bb241e395ce563
SHA1ce08355cb95ab3d1ad177eb641acfa0339ce73d4
SHA256f049356bb6a8a7cd82a58cdc9e48c492992d91088dda383bd597ff156d8d2929
SHA51206ee1ca4b102d90bd1390c9e7fefecfa7fd8ebc131a8fd24d76a0aa51655cb254b021ba05ca976910395c08658171f0f8c1f6b1fec0fbc6c9ec5b906fddb606d
-
Filesize
358KB
MD5ed6a1c72a75dee15a6fa75873cd64975
SHA167a15ca72e3156f8be6c46391e184087e47f4a0d
SHA2560d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda
SHA512256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03
-
Filesize
1.6MB
MD50f64a8b96eee3823ec3a1bfe253e82be
SHA1e47acbb2fb97d05ce5222ba2737a5b0c0f039a0c
SHA25617158c1a804bbf073d7f0f64a9c974312b3967a43bdc029219ab62545b94e724
SHA5124d08d96bfe4ed497ca01d6f76acf1f5138d775b56556923b24e1e86cbd26fd54b6f517c8d3211b80332f90fe46cb77e347280636dc984ded2da8842aff9a5f43
-
Filesize
1KB
MD55635c5a9a82aa0dd8fcf901849208edd
SHA1e3b2b7c35cf5bd26792e82717262e9d19cea0e56
SHA256c05f3bafba1a17fcce72b10d6b54c91abe6d9d04250dda4efe15277b12a36bb2
SHA5120e4f531b88c4c828e73ae22ed0a40bbe28a9227cb2dab13d2d68c187ef3556e6e7c9656da814b82e557e65c5cbcfefef800b03ca1354b405fd58e18325c9d3f5
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
473KB
MD533ca8bc4ac593027fd3e83ba44be54fc
SHA107e2e129a5b0a694d38ac29bc21f74eda100519f
SHA2562296f929340976c680d199ce8e47bd7136d9f4c1f7abc9df79843e094f894236
SHA51205f6f03e69a7d31686f422e422d61161bde45173a6453fdf0392a7a084c9bd69c7c0ed11eb7a37281481eea14497e95c51dfaded21e2ff943fee3f371592db61
-
Filesize
76B
MD5e0cb113b19ce53ef7b72edbb0a4937dc
SHA12499a76ad9ec4a44571bfd8083e09b23373f9f69
SHA25603bed76f17b8574d05e84b81f81c09a33b1ae1555c2caf4783e059b689879ab6
SHA5120b046a6d16d22c0faa3eb729d9b74bfbc87f3cc847fd5ddfa89e573893d215841bae320f0697090b9a30778a07210929ac9c440fca884e920b369698d90a17ca
-
Filesize
15.8MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
1.6MB
-
Filesize
3.7MB
-
Filesize
1.6MB