Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2024, 18:42

General

  • Target

    Tax_Document_23/IVIEWERS.dll

  • Size

    2.2MB

  • MD5

    6fa5ccb9fd4c3ff6d0c98fd22789085a

  • SHA1

    d0134291f882df3ab8742e89aad45abdd5a503a1

  • SHA256

    c12db3f77c4c7d51863e7b7453ecb92145214673774724e8e07c988410d646ed

  • SHA512

    6d3382b74eeb0c983c3d8438549b27bd014360a7b002e7e9e25c8eecb7ac418c5975c5a8b37fc16ca8e425f1b90aa4c22b6b6d6500e4d6ebcdee7e9bfd7fd0e0

  • SSDEEP

    24576:zPIcwYtNeFBVgPFCrqiWESjoXSTPFU5gG2wjIYAFvvcFd7gQ/8BdGhhg8x2IeYSn:3tNyBVsC9zCFSdS/YBUvqQyK

Malware Config

Extracted

Family

darkgate

Botnet

seal1

C2

193.142.146.203

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    AVUHIwtf

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    false

  • username

    seal1

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Detect DarkGate stealer 8 IoCs
  • Blocklisted process makes network request 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
          4⤵
          • Adds Run key to start application
          PID:3992
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe"
        3⤵
        • Blocklisted process makes network request
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/116-3-0x00000000012C0000-0x00000000012C1000-memory.dmp

    Filesize

    4KB

  • memory/116-7-0x0000000001240000-0x00000000012B2000-memory.dmp

    Filesize

    456KB

  • memory/116-8-0x0000000001240000-0x00000000012B2000-memory.dmp

    Filesize

    456KB

  • memory/116-9-0x0000000001240000-0x00000000012B2000-memory.dmp

    Filesize

    456KB

  • memory/116-11-0x0000000001240000-0x00000000012B2000-memory.dmp

    Filesize

    456KB

  • memory/116-12-0x0000000001240000-0x00000000012B2000-memory.dmp

    Filesize

    456KB

  • memory/116-14-0x0000000001240000-0x00000000012B2000-memory.dmp

    Filesize

    456KB

  • memory/2812-0-0x0000000010000000-0x0000000010242000-memory.dmp

    Filesize

    2.3MB

  • memory/2812-1-0x0000000010000000-0x0000000010242000-memory.dmp

    Filesize

    2.3MB

  • memory/2812-2-0x0000000010000000-0x0000000010242000-memory.dmp

    Filesize

    2.3MB

  • memory/2812-4-0x0000000010000000-0x0000000010242000-memory.dmp

    Filesize

    2.3MB

  • memory/2812-6-0x0000000010000000-0x0000000010242000-memory.dmp

    Filesize

    2.3MB