Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    88s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • submitted
    15/02/2024, 05:12

General

  • Target

    3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi

  • Size

    5.8MB

  • MD5

    2999391319cda1be5dacfaf5b05062b2

  • SHA1

    c983b7dff2ea4c63f3944e639eb54d0e6b0b655f

  • SHA256

    3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

  • SHA512

    1b9a7e5211979f37097c28122cbe99b5ec81ca3caa07944ddaba1afb2515ef3545f92bce35efa87914221016867f88b9b64c7a6a07e8e3f0cb556182047c7f27

  • SSDEEP

    49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    WeBiMyRU

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Darkgate family
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3360
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4948
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5B6613AF15B0B43473CF1DE59C72BB3F
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:3928
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:516
      • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4380
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          4⤵
          • Command and Scripting Interpreter: AutoIT
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3336
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4924
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

    Filesize

    1KB

    MD5

    d08c751a9d8c6794b80c2d62acb8b45e

    SHA1

    1a33e5b50afc6e6060e73f5bd4417ac370d080f0

    SHA256

    ed236bef3acda783c8085cf3756a72e8677d8f4b2fdd5d4002fc0dc3d77977d7

    SHA512

    dd701e2c460260ea50f867e2402820a66faeedca2b03741aacb2a3893df45d00339c6525bcb63c2825f811fcd9b832ddab79e4e8b1b963e5bff6f09ec1688dca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

    Filesize

    1KB

    MD5

    bc0bd376d9c972f09fec5f2c71f7b89b

    SHA1

    6acdafbaf0c3df78fa25a96129194bfeddebb746

    SHA256

    0d2f2d28d06b39384d958aaf0e693edf6a319e48612e50737a95c1f7658763cb

    SHA512

    0b0b7329cd51c1521ffba23edf7cc828be53ef6674f8546572e146e55d487acfadb32938b8fdb8260a146055ebce56f087f9428afcc275206d5e29d9c99cc805

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

    Filesize

    540B

    MD5

    bb1c156e401a6dbd5faf59e8fae3f08a

    SHA1

    ffc06be2f5f0138bf99be74cf4fa0913f8e5262a

    SHA256

    67621c305c3037e7b44332597eb5199471cff76dbed35f4e6f66b31f340e72af

    SHA512

    c518125dd957d20932b86ddd6eab9e6866e257f36a5ca7c515e87421400aa667b37d440e7055dedb7b8b38f2a4fe3fb5fa0dec6b2fcb089b1d6cccecd17ced14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

    Filesize

    536B

    MD5

    2c19f80ba805b5b3b28f59f2aceaf518

    SHA1

    4251d62af85a2362b50ef632f0beeb17d4d710a1

    SHA256

    6060352128864a9cb2c890970c3607716129f39310375a6445b4133378f34ddb

    SHA512

    bd93830d0e8d494008b5b6b41aaa58f2953a0ded8867b8d3362e71105de4be7c61bf6bd02a4a7a4048667997ad773b408da3e872d48bb1c6ef90e74bf3db34b8

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files.cab

    Filesize

    5.6MB

    MD5

    d339565d7c5224c45092b3aaeeb3797f

    SHA1

    c85565693714583e57fb9addb64368cc87288efa

    SHA256

    359e387871378831eb1293f41b54436abc6357733d1a573f0caff90ab1cbf07d

    SHA512

    14b3cb62aa99f53a8205783297285b38268306d4876ebdc65ab42d2c7c5613dc4b7010d3f25f2ad60747e136ff5939dca8f6a986f7161f27c0d791f4e874062b

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\CoreFoundation.dll

    Filesize

    3.6MB

    MD5

    b4677a50c291d7c5a7f9f1b80f39a37f

    SHA1

    76d183107f9a8f89f09e25149e6e3de777b25d5a

    SHA256

    c2d43d768cebcf63e8d0c3ae8ffd2cd5070e4ac656a132b63d5e7372cef69c62

    SHA512

    bb2a3bb016cca60bd5f8a33773752e8f88bae764a6497eaaccf563da8607805b5723b30135c001f2fbc20c628e75c099410d9fd09b375c3d2901b6e7f70ba356

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe

    Filesize

    358KB

    MD5

    ed6a1c72a75dee15a6fa75873cd64975

    SHA1

    67a15ca72e3156f8be6c46391e184087e47f4a0d

    SHA256

    0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

    SHA512

    256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\sqlite3.dll

    Filesize

    1.6MB

    MD5

    ce6e163809f5e817ef0c259672f7a1cd

    SHA1

    123e2f032b2fc45d6d9fe482756243ed61137476

    SHA256

    28ead67d2352ddd11f963e8b23930905ecbaff371162dfdae5ed096f62eb3d79

    SHA512

    07766db4cf023bf059415a58a9e1384acb39260ba71587b4eadb99f84d307c0ab70f76390894ab786a6461a0c809f8e9fe435f7bf9b334a369a178c54b295229

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\msiwrapper.ini

    Filesize

    1KB

    MD5

    8aeecbf7b5c6f62f16b16bf2e094f548

    SHA1

    06c8190b197b0f76b6e03bf353a1ccc441856ada

    SHA256

    58916fbf9c9dbeeec72a2f32d7d1f7de328866c6c638be488f62a1871e92723b

    SHA512

    0607aff08519a7d55b49bbaa4df26ce469b2b28abfd4e5a71f3944c863dbedcbc13b5ed53a2e12f67f5983a8706668c289d24802ee514b7cc8094983bda936ba

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\msiwrapper.ini

    Filesize

    1KB

    MD5

    51492fc1931b0ba45a4ab6cfb0951142

    SHA1

    5d8e47662e2a26c272c0f20b4f8cdd6ce4f7f4a8

    SHA256

    7195a0c8cbda25f0178ccbd2eefb3058b611e12e76a252374c7cd3855461f933

    SHA512

    8f6e6e6afea089493b9d32d47fed5b61e22589d289c0075bc99bcdd97c38c999e0e5898ea76d99e5f6dadc9842ac618b4d0412548b6381fd5bbda0bc9ac64fe2

  • C:\Windows\Installer\MSI7242.tmp

    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

  • C:\temp\Autoit3.exe

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.0MB

    MD5

    9c0014f314604e535cd3ec22976385e9

    SHA1

    f7a65d49cac154d7f5fe0af523f9785b8965f08b

    SHA256

    9f3f5dd0c4969e33667f325b6dd59c56b924d9ff5410310e853c951ea44221b8

    SHA512

    4cc389ade68b839450d5b520a892e2ad0ce1d10e488da4942e3ce130403b126e5be94742dfb5cd5d0c4450ac2cc3660620e804b810408b7d5677aa5dbed5cdbe

  • \??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9fa214e9-1ae8-4049-a33d-403725184eb5}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    c7ddeb1560af057f088c9b233cd02c93

    SHA1

    f201e5146889c0eee990dea4ad98357318756d5c

    SHA256

    1e5742d84a1e070e932dce276ef3d6ef2ee5cd1a739daecfe23e04864ecff58b

    SHA512

    8cb9fe0716cdff54b823cb7f34034ba496f0f14d72ab862fb598d2081b0f30bea67d11e623a40408863762a94fc78d49540e4b0ab4f76919dd7c09fb9c78a88d

  • \??\c:\temp\script.a3x

    Filesize

    474KB

    MD5

    6354b28ac4bc8fa465d80c3ea3893116

    SHA1

    0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d

    SHA256

    9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7

    SHA512

    6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

  • \??\c:\temp\test.txt

    Filesize

    76B

    MD5

    45306f5622da212035662680f1c09e0e

    SHA1

    a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

    SHA256

    2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

    SHA512

    99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

  • memory/2560-103-0x0000000004B00000-0x0000000005AD0000-memory.dmp

    Filesize

    15.8MB

  • memory/2560-105-0x0000000006000000-0x000000000635B000-memory.dmp

    Filesize

    3.4MB

  • memory/2560-104-0x0000000006000000-0x000000000635B000-memory.dmp

    Filesize

    3.4MB

  • memory/4380-106-0x0000000065C80000-0x0000000066028000-memory.dmp

    Filesize

    3.7MB

  • memory/4380-107-0x000002966BE30000-0x000002966BFD0000-memory.dmp

    Filesize

    1.6MB

  • memory/4380-94-0x000002966BE30000-0x000002966BFD0000-memory.dmp

    Filesize

    1.6MB