Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • submitted
    13/02/2024, 03:00

General

  • Target

    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi

  • Size

    5.8MB

  • MD5

    9c02a9298b97fcfc5a75fbedf08002bd

  • SHA1

    2d3bc2856c015914f2856331a0315298f3c34b0c

  • SHA256

    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a

  • SHA512

    fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc

  • SSDEEP

    49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    443

  • check_disk

    true

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    VzXLKSZE

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Darkgate family
  • Detect DarkGate stealer 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 57D0FCB1BBE9BA0E03461771F48CE932
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2596
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2600
      • C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2996
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          4⤵
          • Command and Scripting Interpreter: AutoIT
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1724
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1672
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1628
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "0000000000000554"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

    Filesize

    1KB

    MD5

    e94fb54871208c00df70f708ac47085b

    SHA1

    4efc31460c619ecae59c1bce2c008036d94c84b8

    SHA256

    7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

    SHA512

    2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    94e6c35c03bd1698f55a00b30539de03

    SHA1

    f3b67740c5d7d8f797540927f791964fe7b87102

    SHA256

    d7ad0905c6c3f512b3533ad024186f363e2797ece808ed05b7108d8bae533659

    SHA512

    5a9b23318e3a14dd004ecaa4fb80aa88c8e94eefc4e257e9743495179192a29cb736371eb9cd5e11fb092bef27d48c60aead06836ec2e4ec8c7436234a5e1136

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

    Filesize

    264B

    MD5

    a714385dde4a8c9956693f1240b5cd93

    SHA1

    0201e72a3f95ee45885a444b3847516cb8eebb29

    SHA256

    4c30757b95f8e51da088cb6e3ed9ae8ed847a780113d0602302c3c7fef0de7ab

    SHA512

    b0719e25a2ef5c990839af21bcbc8b22db93af99fb177822dbb008129b41de39773886c251d72d5c69343f976e8898325d6f6e1a3032ca50c40428882ed97482

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    8eace49fb447abf27a0c1ebed6303f99

    SHA1

    87d0cccb5f0a7b6a4f24aea4a2e879e6a0533015

    SHA256

    e0cead6d7496469a5cef1e2794771ce216d747b8a8c765ca902ad4b03be0fa6b

    SHA512

    38f8fa987379d8371514e6acac3548c28197369e764c2258a79e823ba8033efbec19c07bcfc8e8b8a9913020bf35f10ddb8b40eb8002788c77527c648ccf8697

  • C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files.cab

    Filesize

    5.6MB

    MD5

    a6f0fa38c1ef89290ee787f7577993ad

    SHA1

    1b03510e8c5a1a3c976086327ebab3c8acc19550

    SHA256

    599ab65935afd40c3bc7f1734cbb8f3c8c7b4b16333b994472f34585ebebe882

    SHA512

    9040548c6937e93168e57c1b3d18c20d21702d9632096191bab84929f18de0bce4cc31bb0f178b9d34f9259e6176bc4a8d5b86fe21ceec0b5a24ea2809acc68c

  • C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files\CoreFoundation.dll

    Filesize

    3.6MB

    MD5

    3b81ffed1e2d61f739bb241e395ce563

    SHA1

    ce08355cb95ab3d1ad177eb641acfa0339ce73d4

    SHA256

    f049356bb6a8a7cd82a58cdc9e48c492992d91088dda383bd597ff156d8d2929

    SHA512

    06ee1ca4b102d90bd1390c9e7fefecfa7fd8ebc131a8fd24d76a0aa51655cb254b021ba05ca976910395c08658171f0f8c1f6b1fec0fbc6c9ec5b906fddb606d

  • C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files\iTunesHelper.exe

    Filesize

    358KB

    MD5

    ed6a1c72a75dee15a6fa75873cd64975

    SHA1

    67a15ca72e3156f8be6c46391e184087e47f4a0d

    SHA256

    0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

    SHA512

    256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

  • C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\files\sqlite3.dll

    Filesize

    1.6MB

    MD5

    0f64a8b96eee3823ec3a1bfe253e82be

    SHA1

    e47acbb2fb97d05ce5222ba2737a5b0c0f039a0c

    SHA256

    17158c1a804bbf073d7f0f64a9c974312b3967a43bdc029219ab62545b94e724

    SHA512

    4d08d96bfe4ed497ca01d6f76acf1f5138d775b56556923b24e1e86cbd26fd54b6f517c8d3211b80332f90fe46cb77e347280636dc984ded2da8842aff9a5f43

  • C:\Users\Admin\AppData\Local\Temp\MW-58bfe197-5fe9-4ff6-aea4-d00e3d803bd2\msiwrapper.ini

    Filesize

    1KB

    MD5

    5635c5a9a82aa0dd8fcf901849208edd

    SHA1

    e3b2b7c35cf5bd26792e82717262e9d19cea0e56

    SHA256

    c05f3bafba1a17fcce72b10d6b54c91abe6d9d04250dda4efe15277b12a36bb2

    SHA512

    0e4f531b88c4c828e73ae22ed0a40bbe28a9227cb2dab13d2d68c187ef3556e6e7c9656da814b82e557e65c5cbcfefef800b03ca1354b405fd58e18325c9d3f5

  • C:\Users\Admin\AppData\Local\Temp\Tar1E4F.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Windows\Installer\MSI3DBA.tmp

    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

  • C:\temp\Autoit3.exe

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • \??\c:\temp\script.a3x

    Filesize

    473KB

    MD5

    33ca8bc4ac593027fd3e83ba44be54fc

    SHA1

    07e2e129a5b0a694d38ac29bc21f74eda100519f

    SHA256

    2296f929340976c680d199ce8e47bd7136d9f4c1f7abc9df79843e094f894236

    SHA512

    05f6f03e69a7d31686f422e422d61161bde45173a6453fdf0392a7a084c9bd69c7c0ed11eb7a37281481eea14497e95c51dfaded21e2ff943fee3f371592db61

  • \??\c:\temp\test.txt

    Filesize

    76B

    MD5

    e0cb113b19ce53ef7b72edbb0a4937dc

    SHA1

    2499a76ad9ec4a44571bfd8083e09b23373f9f69

    SHA256

    03bed76f17b8574d05e84b81f81c09a33b1ae1555c2caf4783e059b689879ab6

    SHA512

    0b046a6d16d22c0faa3eb729d9b74bfbc87f3cc847fd5ddfa89e573893d215841bae320f0697090b9a30778a07210929ac9c440fca884e920b369698d90a17ca

  • memory/756-361-0x00000000036D0000-0x00000000046A0000-memory.dmp

    Filesize

    15.8MB

  • memory/756-362-0x0000000004D40000-0x000000000509C000-memory.dmp

    Filesize

    3.4MB

  • memory/756-363-0x0000000004D40000-0x000000000509C000-memory.dmp

    Filesize

    3.4MB

  • memory/2996-353-0x0000000002400000-0x00000000025A0000-memory.dmp

    Filesize

    1.6MB

  • memory/2996-351-0x0000000074770000-0x0000000074B18000-memory.dmp

    Filesize

    3.7MB

  • memory/2996-347-0x0000000002400000-0x00000000025A0000-memory.dmp

    Filesize

    1.6MB