Analysis

  max time kernel    150s
  max time network   155s
  platform           windows10-2004_x64
  resource           win10v2004-20240226-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted          04/04/2024, 18:42
Static task
  static1

Behavioral tasks
  task          sample                             resource
  behavioral1   Tax_Document_23/IVIEWERS.dll       win7-20240319-en
  behavioral2   Tax_Document_23/IVIEWERS.dll       win10v2004-20240226-en
  behavioral3   Tax_Document_23/Tax_Document.exe   win7-20240221-en
  behavioral4   Tax_Document_23/Tax_Document.exe   win10v2004-20240226-en

(The signatures and process tree below are from behavioral2: IVIEWERS.dll on win10v2004-20240226-en.)
General

  Target   Tax_Document_23/IVIEWERS.dll
  Size     2.2MB
  MD5      6fa5ccb9fd4c3ff6d0c98fd22789085a
  SHA1     d0134291f882df3ab8742e89aad45abdd5a503a1
  SHA256   c12db3f77c4c7d51863e7b7453ecb92145214673774724e8e07c988410d646ed
  SHA512   6d3382b74eeb0c983c3d8438549b27bd014360a7b002e7e9e25c8eecb7ac418c5975c5a8b37fc16ca8e425f1b90aa4c22b6b6d6500e4d6ebcdee7e9bfd7fd0e0
  SSDEEP   24576:zPIcwYtNeFBVgPFCrqiWESjoXSTPFU5gG2wjIYAFvvcFd7gQ/8BdGhhg8x2IeYSn:3tNyBVsC9zCFSdS/YBUvqQyK
Malware Config

Extracted
  family   darkgate
  botnet   seal1
  c2       193.142.146.203

  anti_analysis          false
  anti_debug             false
  anti_vm                false
  c2_port                80
  check_disk             false
  check_ram              false
  check_xeon             false
  crypter_au3            false
  crypter_dll            false
  crypter_raw_stub       false
  internal_mutex         AVUHIwtf
  minimum_disk           100
  minimum_ram            4096
  ping_interval          6
  rootkit                false
  startup_persistence    false
  username               seal1
Signatures

Detect DarkGate stealer (8 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/2812-4-0x0000000010000000-0x0000000010242000-memory.dmp   family_darkgate_v6
  behavioral2/memory/2812-6-0x0000000010000000-0x0000000010242000-memory.dmp   family_darkgate_v6
  behavioral2/memory/116-7-0x0000000001240000-0x00000000012B2000-memory.dmp    family_darkgate_v6
  behavioral2/memory/116-8-0x0000000001240000-0x00000000012B2000-memory.dmp    family_darkgate_v6
  behavioral2/memory/116-9-0x0000000001240000-0x00000000012B2000-memory.dmp    family_darkgate_v6
  behavioral2/memory/116-11-0x0000000001240000-0x00000000012B2000-memory.dmp   family_darkgate_v6
  behavioral2/memory/116-12-0x0000000001240000-0x00000000012B2000-memory.dmp   family_darkgate_v6
  behavioral2/memory/116-14-0x0000000001240000-0x00000000012B2000-memory.dmp   family_darkgate_v6
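The eight hits above are easier to read as regions than as file names. The following is an added example, not part of the report or of tria.ge's tooling: it parses the tria.ge memory-dump naming scheme (task/memory/pid-sequence-0xstart-0xend-memory.dmp, an assumption drawn from the names shown here) and collapses repeated hits on the same region. On these inputs it shows that the two hits in pid 2812 are one 0x242000-byte region at 0x10000000, the default preferred image base for a DLL and a size consistent with the 2.2MB IVIEWERS.dll mapped in full, while the six hits in pid 116 are one 0x72000-byte region at 0x1240000 inside the rundll32.exe that pid 2812 wrote to (see the WriteProcessMemory signature) and that made the network requests.

```python
"""Summarise tria.ge memory-dump IoC names by process and region.
Added example; the eight names below are copied from the signature table."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# <task>/memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp  (assumed layout)
DUMP_NAME = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

HITS: List[Tuple[str, str]] = [
    ("behavioral2/memory/2812-4-0x0000000010000000-0x0000000010242000-memory.dmp", "family_darkgate_v6"),
    ("behavioral2/memory/2812-6-0x0000000010000000-0x0000000010242000-memory.dmp", "family_darkgate_v6"),
    ("behavioral2/memory/116-7-0x0000000001240000-0x00000000012B2000-memory.dmp", "family_darkgate_v6"),
    ("behavioral2/memory/116-8-0x0000000001240000-0x00000000012B2000-memory.dmp", "family_darkgate_v6"),
    ("behavioral2/memory/116-9-0x0000000001240000-0x00000000012B2000-memory.dmp", "family_darkgate_v6"),
    ("behavioral2/memory/116-11-0x0000000001240000-0x00000000012B2000-memory.dmp", "family_darkgate_v6"),
    ("behavioral2/memory/116-12-0x0000000001240000-0x00000000012B2000-memory.dmp", "family_darkgate_v6"),
    ("behavioral2/memory/116-14-0x0000000001240000-0x00000000012B2000-memory.dmp", "family_darkgate_v6"),
]


def parse_dump_name(name: str) -> Dict:
    """Split one dump name into task, pid, dump sequence number and region bounds."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def summarise(hits: List[Tuple[str, str]]) -> Dict[int, List[Dict]]:
    """pid -> distinct regions, each with its size, hit count and the rules that fired."""
    regions = defaultdict(lambda: defaultdict(lambda: {"hits": 0, "rules": set()}))
    for name, rule in hits:
        d = parse_dump_name(name)
        r = regions[d["pid"]][(d["start"], d["end"])]
        r["hits"] += 1
        r["rules"].add(rule)
    return {pid: [{"start": s, "end": e, "size": e - s, "hits": v["hits"],
                   "rules": sorted(v["rules"])}
                  for (s, e), v in sorted(regs.items())]
            for pid, regs in regions.items()}


if __name__ == "__main__":
    for pid, regs in summarise(HITS).items():
        for r in regs:
            print(f"pid {pid}: 0x{r['start']:X}-0x{r['end']:X} "
                  f"size 0x{r['size']:X} hits {r['hits']} {r['rules']}")
```

Repeated hits on one region are normal: the sandbox dumps the same region several times over the run, so the sequence number, not the count, tells you when in the timeline the family signature first matched.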
Blocklisted process makes network request (64 IoCs)
  All 64 flows come from pid 116, rundll32.exe:
  flows 21-26, 29, 37, 41, 43-63, 65-81, 83, 85-91, 93-101

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by reg.exe:
    \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome
      = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll,EntryPoint"

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid    Process
  2812   rundll32.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                        Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  116   rundll32.exe
  116   rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  116   rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  pid    Process        wrote to memory of (pid)   procid_target   occurrences
  3112   rundll32.exe   2812                       85              3
  2812   rundll32.exe   2852                       96              3
  2812   rundll32.exe   116                        97              6
  2852   cmd.exe        3992                       99              3
Processes

C:\Windows\system32\rundll32.exe  (PID 3112)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\SysWOW64\rundll32.exe  (PID 2812)
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1
     - Suspicious use of NtCreateThreadExHideFromDebugger
     - Suspicious use of WriteProcessMemory
     |
     +- C:\Windows\SysWOW64\cmd.exe  (PID 2852)
     |  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
     |  - Suspicious use of WriteProcessMemory
     |  |
     |  +- C:\Windows\SysWOW64\reg.exe  (PID 3992)
     |     reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
     |     - Adds Run key to start application
     |
     +- C:\Windows\SysWOW64\rundll32.exe  (PID 116)
        "C:\Windows\SysWOW64\rundll32.exe"
        - Blocklisted process makes network request
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
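Two things in this tree matter for detection. First, the 64-bit rundll32.exe in system32 hands a 32-bit DLL off to its SysWOW64 copy with the same command line, so the doubled rundll32.exe at the top is the WoW64 hand-off, not a second infection. Second, the extracted config reports startup_persistence as false, yet the run writes a Run value named "*Chrome" that launches rundll32.exe against a DLL dropped in AppData\Roaming; the behavioural trace, not the config flag, is what to alert on. The following is an added example, not tria.ge output and not DarkGate's code: it evaluates process-creation events for exactly that chain. The events are constructed from the report's process tree (pids, images and command lines copied from it); the OneDrive entry is an invented negative control, and the field names (pid, ppid, image, cmdline) are an assumed telemetry schema.

```python
"""Flag Run-key persistence set through reg.exe where the value launches
rundll32.exe against a DLL in a user-writable directory, and recover the
process chain that wrote it. Added example built on constructed events."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the report's process tree; the OneDrive event is invented.
EVENTS: List[Dict] = [
    {"pid": 3112, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1"},
    {"pid": 2812, "ppid": 3112, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tax_Document_23\IVIEWERS.dll,#1"},
    {"pid": 2852, "ppid": 2812, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit'},
    {"pid": 3992, "ppid": 2852, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f'},
    {"pid": 116, "ppid": 2812, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    # Negative control (invented): a plain Run entry pointing at Program Files.
    {"pid": 5000, "ppid": 4999, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe /background" /f'},
]

# "reg add <key>" where the key is a Run or RunOnce key, quotes optional.
RUN_KEY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]*\\CurrentVersion\\Run(?:Once)?)"?', re.I)
VALUE_NAME = re.compile(r'/v\s+"?(?P<name>[^"\s]+)"?', re.I)
# /d data: a quoted string plus any unquoted tail (the ",EntryPoint" here) or a bare token.
VALUE_DATA = re.compile(r'/d\s+(?P<data>"[^"]*"\S*|\S+)', re.I)
DLL_PATH = re.compile(r'([A-Za-z]:\\[^",]*?\.dll)', re.I)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_run_key_write(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Return (key, value name, data) if the command line writes a Run key, else None."""
    k, v, d = RUN_KEY.search(cmdline), VALUE_NAME.search(cmdline), VALUE_DATA.search(cmdline)
    if not (k and v and d):
        return None
    return k["key"], v["name"], d["data"]


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Image basenames from the earliest known ancestor down to the event itself."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["image"].rsplit("\\", 1)[-1].lower())
        cur = by_pid.get(cur["ppid"])
    return chain[::-1]


def analyse(events: List[Dict]) -> List[Dict]:
    """One finding per suspicious Run entry, attributed to the process that wrote it."""
    by_pid = {e["pid"]: e for e in events}
    best: Dict[Tuple[str, str, str], Dict] = {}
    for e in events:
        parsed = parse_run_key_write(e["cmdline"])
        if parsed is None:
            continue
        key, name, data = parsed
        dll = DLL_PATH.search(data)
        reasons = []
        if "rundll32" in data.lower():
            reasons.append("rundll32 used as loader")
        if dll and any(p in dll.group(1).lower() for p in USER_WRITABLE):
            reasons.append("DLL lives in a user-writable directory")
        if name.startswith("*"):
            reasons.append("value name prefixed with '*'")
        if len(reasons) < 2:
            continue  # a single weak signal is not worth an alert
        finding = {"pid": e["pid"], "key": key, "value": name, "data": data,
                   "dll": dll.group(1) if dll else None, "reasons": reasons,
                   "chain": ancestry(e, by_pid)}
        # cmd.exe /C reg add ... and the reg.exe it spawns carry the same entry;
        # keep the deepest process in the tree, which is the one that wrote it.
        ident = (key.lower(), name.lower(), data)
        if ident not in best or len(finding["chain"]) > len(best[ident]["chain"]):
            best[ident] = finding
    return list(best.values())


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["pid"], " -> ".join(f["chain"]), f["value"], f["dll"], f["reasons"])
```

On the constructed events this yields one finding, on pid 3992 with the chain rundll32.exe -> rundll32.exe -> cmd.exe -> reg.exe; the cmd.exe event carries the same entry but is folded into it. Matching on the command line rather than on a registry-set event is deliberate: the same logic applies to Sysmon event 1 or EDR process telemetry, and a registry-event rule would miss the parent chain that makes this obviously rundll32-launched.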