Analysis
max time kernel: 298s
max time network: 296s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/01/2025, 20:44
Static task: static1
Behavioral task: behavioral1
Sample: iTunesHelper.exe
Resource: win7-20240903-en
General
Target: iTunesHelper.exe
Size: 358KB
MD5: ed6a1c72a75dee15a6fa75873cd64975
SHA1: 67a15ca72e3156f8be6c46391e184087e47f4a0d
SHA256: 0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda
SHA512: 256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03
SSDEEP: 6144:TjZtNtzxEFQVLEhZbblN4W6ZDNFfEai23+FM2+zIv+98vS:ZRxMQLEhZXybF8Ut4o8a
Malware Config
Extracted
darkgate
admin888
prodomainnameeforappru.com
anti_analysis: true
anti_debug: false
anti_vm: false
c2_port: 443
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_raw_stub: false
internal_mutex: WeBiMyRU
minimum_disk: 50
minimum_ram: 7000
ping_interval: 6
rootkit: false
startup_persistence: true
username: admin888
Signatures
- Darkgate family
- Detect DarkGate stealer (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2296-11-0x0000000005440000-0x000000000579B000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2296-14-0x0000000005440000-0x000000000579B000-memory.dmp | family_darkgate_v6
- Command and Scripting Interpreter: AutoIT (1 TTPs, 2 IoCs)
  Uses AutoIT, possibly to run an automated script.
  pid | Process
  2296 | Autoit3.exe
  2748 | Autoit3.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2296 | Autoit3.exe
  2748 | Autoit3.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Autoit3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Autoit3.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Autoit3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Autoit3.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2792 wrote to memory of 2296 | 2792 | iTunesHelper.exe | 82
  PID 2792 wrote to memory of 2296 | 2792 | iTunesHelper.exe | 82
  PID 2792 wrote to memory of 2296 | 2792 | iTunesHelper.exe | 82
  PID 1376 wrote to memory of 2748 | 1376 | iTunesHelper.exe | 101
  PID 1376 wrote to memory of 2748 | 1376 | iTunesHelper.exe | 101
  PID 1376 wrote to memory of 2748 | 1376 | iTunesHelper.exe | 101
Processes
C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2792
  \??\c:\temp\Autoit3.exe
    Command line: "c:\temp\Autoit3.exe" c:\temp\script.a3x
    - Command and Scripting Interpreter: AutoIT
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID: 2296
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2452
C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1376
  \??\c:\temp\Autoit3.exe
    Command line: "c:\temp\Autoit3.exe" c:\temp\script.a3x
    - Command and Scripting Interpreter: AutoIT
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 32B
MD5: 788bdda33c8887645e07e7f5cfdd5235
SHA1: 8aad7e56b0d5c509b3448180842300624d807a58
SHA256: a0f6cf4599168455cd0f71cde473f4e5bc33abf530625b675e04b50a99b6a52f
SHA512: 27a568d86fffe9f1c4f07843dc68bda5e483632e22d3ef82e86351470951eb05985d9bc0b4382d63300682ea677fa0c7fd04033a2d16654e7e304dc885c7634b

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 474KB
MD5: 6354b28ac4bc8fa465d80c3ea3893116
SHA1: 0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d
SHA256: 9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7
SHA512: 6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

Filesize: 76B
MD5: 45306f5622da212035662680f1c09e0e
SHA1: a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb
SHA256: 2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e
SHA512: 99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0