Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 18:42
Static task
- static1
Behavioral tasks
- behavioral1: sample Tax_Document_23/IVIEWERS.dll, resource win7-20240319-en
- behavioral2: sample Tax_Document_23/IVIEWERS.dll, resource win10v2004-20240226-en
- behavioral3: sample Tax_Document_23/Tax_Document.exe, resource win7-20240221-en
- behavioral4: sample Tax_Document_23/Tax_Document.exe, resource win10v2004-20240226-en
General
- Target: Tax_Document_23/IVIEWERS.dll
- Size: 2.2MB
- MD5: 6fa5ccb9fd4c3ff6d0c98fd22789085a
- SHA1: d0134291f882df3ab8742e89aad45abdd5a503a1
- SHA256: c12db3f77c4c7d51863e7b7453ecb92145214673774724e8e07c988410d646ed
- SHA512: 6d3382b74eeb0c983c3d8438549b27bd014360a7b002e7e9e25c8eecb7ac418c5975c5a8b37fc16ca8e425f1b90aa4c22b6b6d6500e4d6ebcdee7e9bfd7fd0e0
- SSDEEP: 24576:zPIcwYtNeFBVgPFCrqiWESjoXSTPFU5gG2wjIYAFvvcFd7gQ/8BdGhhg8x2IeYSn:3tNyBVsC9zCFSdS/YBUvqQyK
Malware Config
Extracted
- darkgate
- seal1
- 193.142.146.203
- anti_analysis: false
- anti_debug: false
- anti_vm: false
- c2_port: 80
- check_disk: false
- check_ram: false
- check_xeon: false
- crypter_au3: false
- crypter_dll: false
- crypter_raw_stub: false
- internal_mutex: AVUHIwtf
- minimum_disk: 100
- minimum_ram: 4096
- ping_interval: 6
- rootkit: false
- startup_persistence: false
- username: seal1
Signatures
Detect DarkGate stealer (10 IoCs)
resource: yara_rule
- behavioral1/memory/2924-2-0x0000000010000000-0x0000000010242000-memory.dmp: family_darkgate_v6
- behavioral1/memory/2924-12-0x0000000010000000-0x0000000010242000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-11-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-13-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-15-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-17-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-19-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-20-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-21-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
- behavioral1/memory/3020-23-0x0000000000090000-0x0000000000102000-memory.dmp: family_darkgate_v6
Blocklisted process makes network request (64 IoCs)
Adds Run key to start application (2 TTPs, 1 IoCs)
description: ioc (Process)
- Set value (str): \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\*Chrome = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll,EntryPoint" (reg.exe)
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid: Process
- 2924: rundll32.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description: ioc (Process)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid: Process
- 3020: rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid: Process
- 3020: rundll32.exe
Suspicious use of WriteProcessMemory (25 IoCs)
description (pid, Process, procid_target)
- PID 2888 wrote to memory of 2924 (2888, rundll32.exe, 28)
- PID 2888 wrote to memory of 2924 (2888, rundll32.exe, 28)
- PID 2888 wrote to memory of 2924 (2888, rundll32.exe, 28)
- PID 2888 wrote to memory of 2924 (2888, rundll32.exe, 28)
- PID 2888 wrote to memory of 2924 (2888, rundll32.exe, 28)
- PID 2888 wrote to memory of 2924 (2888, rundll32.exe, 28)
- PID 2888 wrote to memory of 2924 (2888, rundll32.exe, 28)
- PID 2924 wrote to memory of 1316 (2924, rundll32.exe, 29)
- PID 2924 wrote to memory of 1316 (2924, rundll32.exe, 29)
- PID 2924 wrote to memory of 1316 (2924, rundll32.exe, 29)
- PID 2924 wrote to memory of 1316 (2924, rundll32.exe, 29)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 2924 wrote to memory of 3020 (2924, rundll32.exe, 30)
- PID 1316 wrote to memory of 2684 (1316, cmd.exe, 32)
- PID 1316 wrote to memory of 2684 (1316, cmd.exe, 32)
- PID 1316 wrote to memory of 2684 (1316, cmd.exe, 32)
- PID 1316 wrote to memory of 2684 (1316, cmd.exe, 32)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1
  PID: 2888
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1
    PID: 2924
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
      PID: 1316
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
        PID: 2684
        - Adds Run key to start application
    - C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\SysWOW64\rundll32.exe"
      PID: 3020
      - Blocklisted process makes network request
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam