
Analysis

  • max time kernel
    88s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • submitted
    15/02/2024, 05:12 UTC

General

  • Target

    3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi

  • Size

    5.8MB

  • MD5

    2999391319cda1be5dacfaf5b05062b2

  • SHA1

    c983b7dff2ea4c63f3944e639eb54d0e6b0b655f

  • SHA256

    3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

  • SHA512

    1b9a7e5211979f37097c28122cbe99b5ec81ca3caa07944ddaba1afb2515ef3545f92bce35efa87914221016867f88b9b64c7a6a07e8e3f0cb556182047c7f27

  • SSDEEP

    49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    WeBiMyRU

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Darkgate family
  • Detect DarkGate stealer 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Uses AutoIT, possibly to run an automated script.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3360
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4948
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5B6613AF15B0B43473CF1DE59C72BB3F
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:3928
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:516
      • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4380
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.a3x
          4⤵
          • Command and Scripting Interpreter: AutoIT
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3336
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4924
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:396

Network

  • DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • DNS
    226.21.18.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.21.18.104.in-addr.arpa
    IN PTR
    Response
  • DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    232.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.135.221.88.in-addr.arpa
    IN PTR
    Response
    232.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-232deploystaticakamaitechnologiescom
  • DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194deploystaticakamaitechnologiescom
  • DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    226.21.18.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    226.21.18.104.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    232.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    232.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

    Filesize

    1KB

    MD5

    d08c751a9d8c6794b80c2d62acb8b45e

    SHA1

    1a33e5b50afc6e6060e73f5bd4417ac370d080f0

    SHA256

    ed236bef3acda783c8085cf3756a72e8677d8f4b2fdd5d4002fc0dc3d77977d7

    SHA512

    dd701e2c460260ea50f867e2402820a66faeedca2b03741aacb2a3893df45d00339c6525bcb63c2825f811fcd9b832ddab79e4e8b1b963e5bff6f09ec1688dca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

    Filesize

    1KB

    MD5

    bc0bd376d9c972f09fec5f2c71f7b89b

    SHA1

    6acdafbaf0c3df78fa25a96129194bfeddebb746

    SHA256

    0d2f2d28d06b39384d958aaf0e693edf6a319e48612e50737a95c1f7658763cb

    SHA512

    0b0b7329cd51c1521ffba23edf7cc828be53ef6674f8546572e146e55d487acfadb32938b8fdb8260a146055ebce56f087f9428afcc275206d5e29d9c99cc805

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

    Filesize

    540B

    MD5

    bb1c156e401a6dbd5faf59e8fae3f08a

    SHA1

    ffc06be2f5f0138bf99be74cf4fa0913f8e5262a

    SHA256

    67621c305c3037e7b44332597eb5199471cff76dbed35f4e6f66b31f340e72af

    SHA512

    c518125dd957d20932b86ddd6eab9e6866e257f36a5ca7c515e87421400aa667b37d440e7055dedb7b8b38f2a4fe3fb5fa0dec6b2fcb089b1d6cccecd17ced14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

    Filesize

    536B

    MD5

    2c19f80ba805b5b3b28f59f2aceaf518

    SHA1

    4251d62af85a2362b50ef632f0beeb17d4d710a1

    SHA256

    6060352128864a9cb2c890970c3607716129f39310375a6445b4133378f34ddb

    SHA512

    bd93830d0e8d494008b5b6b41aaa58f2953a0ded8867b8d3362e71105de4be7c61bf6bd02a4a7a4048667997ad773b408da3e872d48bb1c6ef90e74bf3db34b8

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files.cab

    Filesize

    5.6MB

    MD5

    d339565d7c5224c45092b3aaeeb3797f

    SHA1

    c85565693714583e57fb9addb64368cc87288efa

    SHA256

    359e387871378831eb1293f41b54436abc6357733d1a573f0caff90ab1cbf07d

    SHA512

    14b3cb62aa99f53a8205783297285b38268306d4876ebdc65ab42d2c7c5613dc4b7010d3f25f2ad60747e136ff5939dca8f6a986f7161f27c0d791f4e874062b

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\CoreFoundation.dll

    Filesize

    3.6MB

    MD5

    b4677a50c291d7c5a7f9f1b80f39a37f

    SHA1

    76d183107f9a8f89f09e25149e6e3de777b25d5a

    SHA256

    c2d43d768cebcf63e8d0c3ae8ffd2cd5070e4ac656a132b63d5e7372cef69c62

    SHA512

    bb2a3bb016cca60bd5f8a33773752e8f88bae764a6497eaaccf563da8607805b5723b30135c001f2fbc20c628e75c099410d9fd09b375c3d2901b6e7f70ba356

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe

    Filesize

    358KB

    MD5

    ed6a1c72a75dee15a6fa75873cd64975

    SHA1

    67a15ca72e3156f8be6c46391e184087e47f4a0d

    SHA256

    0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

    SHA512

    256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\sqlite3.dll

    Filesize

    1.6MB

    MD5

    ce6e163809f5e817ef0c259672f7a1cd

    SHA1

    123e2f032b2fc45d6d9fe482756243ed61137476

    SHA256

    28ead67d2352ddd11f963e8b23930905ecbaff371162dfdae5ed096f62eb3d79

    SHA512

    07766db4cf023bf059415a58a9e1384acb39260ba71587b4eadb99f84d307c0ab70f76390894ab786a6461a0c809f8e9fe435f7bf9b334a369a178c54b295229

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\msiwrapper.ini

    Filesize

    1KB

    MD5

    8aeecbf7b5c6f62f16b16bf2e094f548

    SHA1

    06c8190b197b0f76b6e03bf353a1ccc441856ada

    SHA256

    58916fbf9c9dbeeec72a2f32d7d1f7de328866c6c638be488f62a1871e92723b

    SHA512

    0607aff08519a7d55b49bbaa4df26ce469b2b28abfd4e5a71f3944c863dbedcbc13b5ed53a2e12f67f5983a8706668c289d24802ee514b7cc8094983bda936ba

  • C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\msiwrapper.ini

    Filesize

    1KB

    MD5

    51492fc1931b0ba45a4ab6cfb0951142

    SHA1

    5d8e47662e2a26c272c0f20b4f8cdd6ce4f7f4a8

    SHA256

    7195a0c8cbda25f0178ccbd2eefb3058b611e12e76a252374c7cd3855461f933

    SHA512

    8f6e6e6afea089493b9d32d47fed5b61e22589d289c0075bc99bcdd97c38c999e0e5898ea76d99e5f6dadc9842ac618b4d0412548b6381fd5bbda0bc9ac64fe2

  • C:\Windows\Installer\MSI7242.tmp

    Filesize

    208KB

    MD5

    d82b3fb861129c5d71f0cd2874f97216

    SHA1

    f3fe341d79224126e950d2691d574d147102b18d

    SHA256

    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

    SHA512

    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

  • C:\temp\Autoit3.exe

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.0MB

    MD5

    9c0014f314604e535cd3ec22976385e9

    SHA1

    f7a65d49cac154d7f5fe0af523f9785b8965f08b

    SHA256

    9f3f5dd0c4969e33667f325b6dd59c56b924d9ff5410310e853c951ea44221b8

    SHA512

    4cc389ade68b839450d5b520a892e2ad0ce1d10e488da4942e3ce130403b126e5be94742dfb5cd5d0c4450ac2cc3660620e804b810408b7d5677aa5dbed5cdbe

  • \??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9fa214e9-1ae8-4049-a33d-403725184eb5}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    c7ddeb1560af057f088c9b233cd02c93

    SHA1

    f201e5146889c0eee990dea4ad98357318756d5c

    SHA256

    1e5742d84a1e070e932dce276ef3d6ef2ee5cd1a739daecfe23e04864ecff58b

    SHA512

    8cb9fe0716cdff54b823cb7f34034ba496f0f14d72ab862fb598d2081b0f30bea67d11e623a40408863762a94fc78d49540e4b0ab4f76919dd7c09fb9c78a88d

  • \??\c:\temp\script.a3x

    Filesize

    474KB

    MD5

    6354b28ac4bc8fa465d80c3ea3893116

    SHA1

    0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d

    SHA256

    9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7

    SHA512

    6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

  • \??\c:\temp\test.txt

    Filesize

    76B

    MD5

    45306f5622da212035662680f1c09e0e

    SHA1

    a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

    SHA256

    2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

    SHA512

    99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

  • memory/2560-103-0x0000000004B00000-0x0000000005AD0000-memory.dmp

    Filesize

    15.8MB

  • memory/2560-105-0x0000000006000000-0x000000000635B000-memory.dmp

    Filesize

    3.4MB

  • memory/2560-104-0x0000000006000000-0x000000000635B000-memory.dmp

    Filesize

    3.4MB

  • memory/4380-106-0x0000000065C80000-0x0000000066028000-memory.dmp

    Filesize

    3.7MB

  • memory/4380-107-0x000002966BE30000-0x000002966BFD0000-memory.dmp

    Filesize

    1.6MB

  • memory/4380-94-0x000002966BE30000-0x000002966BFD0000-memory.dmp

    Filesize

    1.6MB
